CVE-2026-25960

A flaw was found in vLLM, an inference and serving engine for large language models (LLMs). A remote attacker can exploit this Server-Side Request Forgery (SSRF) bypass vulnerability in the `load_from_url_async` method. The flaw occurs because the URL validation and the actual HTTP request handling use different parsing libraries, leading to inconsistencies. This allows an attacker to bypass existing SSRF protections, potentially leading to the disclosure of sensitive information from internal network resources.