Add option to restrict media domains #25783

Merged: DarkLight1337 merged 6 commits into vllm-project:main from russellb:ghsa-3f6c-7fw2-ppm4 on Sep 27, 2025

@russellb
Member

huachenheli and others added 5 commits September 16, 2025 10:19
Signed-off-by: Chenheli Hua <huachenheli@outlook.com>
Signed-off-by: Chenheli Hua <huachenheli@outlook.com>
Signed-off-by: Chenheli Hua <huachenheli@outlook.com>
Signed-off-by: Russell Bryant <rbryant@redhat.com>

mergify bot commented Sep 26, 2025

This pull request has merge conflicts that must be resolved before it can be
merged. Please rebase the PR, @russellb.

https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/working-with-forks/syncing-a-fork

mergify bot added the needs-rebase label Sep 26, 2025

gemini-code-assist bot (Contributor) left a comment

Code Review

This pull request introduces a security feature to restrict the domains from which multimodal media can be fetched, aiming to mitigate Server-Side Request Forgery (SSRF) vulnerabilities. The implementation adds an --allowed-media-domains argument and checks it before fetching media from HTTP(S) URLs. While this is a good step, I've identified a critical security flaw where HTTP redirects can bypass this check. I've also included a suggestion to improve the performance of the domain checking logic. The documentation and test changes look good, but the tests should also cover the redirect scenario.

Comment on lines 126 to +139

    if url_spec.scheme.startswith("http"):
        self._assert_url_in_allowed_media_domains(url_spec)

Contributor

critical

The current implementation checks the domain of the initial URL, but it does not prevent SSRF vulnerabilities that arise from HTTP redirects. If an allowed URL redirects to a URL on a disallowed domain (including internal network addresses), connection.get_bytes might still fetch it if it follows redirects by default, which is mentioned as the root cause in the security advisory GHSA-3f6c-7fw2-ppm4j.

To properly mitigate this, you should either disable redirects or verify the domain of the final URL after all redirects have been followed. Disabling redirects might be the safest option if they are not a required feature. If they are required, the HTTPConnection class should be modified to not follow redirects automatically, and instead, redirects should be handled manually within MediaConnector to ensure every URL in the redirect chain is validated against the allowed domains.

Member Author

@huachenheli @DarkLight1337 this seems like a good point. I wouldn't block merging the current change over this, but it seems worth a follow-up change.

Contributor

Yeah. This PR should be fine for immediate needs. We already have media_io_kwargs that we can use to control MediaConnector behavior, so we just need to pass that to the HttpConnection to disallow redirects.
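
The redirect handling this thread discusses, as an added example that is not part of the pull request or of vLLM's code: every hop of a redirect chain is checked against the allowlist before it is requested, and redirects are refused unless explicitly enabled. The function names, the `fetch_once` transport and the `FAKE_WEB` responses are constructed for illustration; unlike the option described on this page, an empty allowlist here rejects every host.

```python
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}

# Constructed responses standing in for the network: url -> (status, Location, body).
FAKE_WEB = {
    "https://cdn.example.com/cat.png": (200, None, b"PNG-bytes"),
    "https://cdn.example.com/moved": (302, "/cat.png", b""),
    "https://cdn.example.com/open-redirect": (302, "http://10.0.0.5/admin", b""),
    "http://10.0.0.5/admin": (200, None, b"internal"),
}


def fake_fetch_once(url):
    """Return one response without following redirects (hypothetical transport)."""
    return FAKE_WEB[url]


def assert_host_allowed(url, allowed_domains):
    """Reject any URL whose scheme or hostname is outside the allowlist."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"scheme not allowed: {url}")
    host = (parts.hostname or "").lower()
    if host not in allowed_domains:
        raise ValueError(f"host not in allowlist: {host!r}")


def fetch_media(url, allowed_domains, fetch_once=fake_fetch_once,
                allow_redirects=False, max_redirects=5):
    """Fetch url, validating every hop of the redirect chain before requesting it."""
    allowed = {d.lower() for d in allowed_domains}  # set: O(1) membership checks
    for _ in range(max_redirects + 1):
        assert_host_allowed(url, allowed)
        status, location, body = fetch_once(url)
        if status not in REDIRECT_CODES:
            return body
        if not allow_redirects:
            raise ValueError(f"redirect refused: {url}")
        url = urljoin(url, location)  # resolve relative Location headers
    raise ValueError("too many redirects")
```
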

Comment on lines +85 to +87

    if allowed_media_domains is None:
        allowed_media_domains = []
    self.allowed_media_domains = allowed_media_domains

Contributor

high

For performance, it's better to convert allowed_media_domains to a set during initialization. Checking for an item's existence is O(1) on average for a set, while it's O(n) for a list. This can be significant if the list of allowed domains is large.

Suggested change

    -    if allowed_media_domains is None:
    -        allowed_media_domains = []
    -    self.allowed_media_domains = allowed_media_domains
    +    if allowed_media_domains is None:
    +        self.allowed_media_domains = set()
    +    else:
    +        self.allowed_media_domains = set(allowed_media_domains)

Signed-off-by: Russell Bryant <rbryant@redhat.com>
mergify bot removed the needs-rebase label Sep 26, 2025
russellb added this to the v0.11.0 Cherry Picks milestone Sep 26, 2025
russellb added the ready label ("ONLY add when PR is ready to merge/full CI is needed") Sep 26, 2025
DarkLight1337 enabled auto-merge (squash) September 27, 2025 00:14
DarkLight1337 merged commit 3958b96 into vllm-project:main Sep 27, 2025
48 of 52 checks passed
simon-mo pushed a commit that referenced this pull request Sep 28, 2025
Signed-off-by: Chenheli Hua <huachenheli@outlook.com>
Signed-off-by: Russell Bryant <rbryant@redhat.com>
Co-authored-by: Chenheli Hua <huachenheli@outlook.com>
Signed-off-by: simon-mo <simon.mo@hey.com>
pdasigi pushed a commit to pdasigi/vllm that referenced this pull request Oct 2, 2025
Signed-off-by: Chenheli Hua <huachenheli@outlook.com>
Signed-off-by: Russell Bryant <rbryant@redhat.com>
Co-authored-by: Chenheli Hua <huachenheli@outlook.com>
yewentao256 pushed a commit that referenced this pull request Oct 3, 2025
Signed-off-by: Chenheli Hua <huachenheli@outlook.com>
Signed-off-by: Russell Bryant <rbryant@redhat.com>
Co-authored-by: Chenheli Hua <huachenheli@outlook.com>
Signed-off-by: yewentao256 <zhyanwentao@126.com>
choprahetarth pushed a commit to Tandemn-Labs/vllm that referenced this pull request Oct 11, 2025
Signed-off-by: Chenheli Hua <huachenheli@outlook.com>
Signed-off-by: Russell Bryant <rbryant@redhat.com>
Co-authored-by: Chenheli Hua <huachenheli@outlook.com>
Signed-off-by: simon-mo <simon.mo@hey.com>
shyeh25 pushed a commit to shyeh25/vllm that referenced this pull request Oct 14, 2025
Signed-off-by: Chenheli Hua <huachenheli@outlook.com>
Signed-off-by: Russell Bryant <rbryant@redhat.com>
Co-authored-by: Chenheli Hua <huachenheli@outlook.com>
Signed-off-by: simon-mo <simon.mo@hey.com>
lywa1998 pushed a commit to lywa1998/vllm that referenced this pull request Oct 20, 2025
Signed-off-by: Chenheli Hua <huachenheli@outlook.com>
Signed-off-by: Russell Bryant <rbryant@redhat.com>
Co-authored-by: Chenheli Hua <huachenheli@outlook.com>
alhridoy pushed a commit to alhridoy/vllm that referenced this pull request Oct 24, 2025
Signed-off-by: Chenheli Hua <huachenheli@outlook.com>
Signed-off-by: Russell Bryant <rbryant@redhat.com>
Co-authored-by: Chenheli Hua <huachenheli@outlook.com>
rtourgeman pushed a commit to rtourgeman/vllm that referenced this pull request Nov 10, 2025
Signed-off-by: Chenheli Hua <huachenheli@outlook.com>
Signed-off-by: Russell Bryant <rbryant@redhat.com>
Co-authored-by: Chenheli Hua <huachenheli@outlook.com>
agrabow pushed a commit to agrabow/vllm-fork that referenced this pull request Dec 15, 2025
Signed-off-by: Chenheli Hua <huachenheli@outlook.com>
Signed-off-by: Russell Bryant <rbryant@redhat.com>
Co-authored-by: Chenheli Hua <huachenheli@outlook.com>
(cherry picked from commit 3958b96)
agrabow pushed a commit to agrabow/vllm-fork that referenced this pull request Dec 15, 2025
Signed-off-by: Chenheli Hua <huachenheli@outlook.com>
Signed-off-by: Russell Bryant <rbryant@redhat.com>
Co-authored-by: Chenheli Hua <huachenheli@outlook.com>
(cherry picked from commit 3958b96)
(cherry picked from commit 9dbea5f)
silverjam pushed a commit to YurtsAI/yurts-vllm that referenced this pull request Jan 24, 2026
…dling

Port security fixes from upstream PRs vllm-project#25783 and vllm-project#26035 to address
SSRF vulnerability in vLLM's multimodal media handling.

Security improvements:
- Add domain allowlist via --allowed-media-domains CLI parameter
- Add VLLM_MEDIA_URL_ALLOW_REDIRECTS environment variable (defaults to disabled)
- Implement domain validation before fetching HTTP(S) URLs
- Add redirect control to prevent bypassing domain restrictions

The fix provides defense-in-depth protection against SSRF attacks
while maintaining backward compatibility (empty allowlist permits all domains).

Changes:
- vllm/envs.py: Add VLLM_MEDIA_URL_ALLOW_REDIRECTS env var
- vllm/connections.py: Add allow_redirects parameter to HTTP methods
- vllm/multimodal/utils.py: Add domain validation logic
- vllm/config/__init__.py: Add allowed_media_domains configuration field
- vllm/engine/arg_utils.py: Add --allowed-media-domains CLI argument
- vllm/entrypoints/*.py: Wire configuration through entry points
- tests/multimodal/test_utils.py: Add security validation tests
- test_security_fixes.py: Add standalone security test suite
- CVE-2025-6242-IMPLEMENTATION-SUMMARY.md: Implementation documentation

References:
- CVE-2025-6242
- Upstream PR vllm-project#25783 (domain restriction)
- Upstream PR vllm-project#26035 (redirect control)

Labels: documentation (Improvements or additions to documentation), frontend, multi-modality (Related to multi-modality (#4194)), ready (ONLY add when PR is ready to merge/full CI is needed)

4 participants