CVE Alert: CVE-2025-6242 – Red Hat – Red Hat AI Inference Server

CVE-2025-6242

HIGH · No exploitation known

A Server-Side Request Forgery (SSRF) vulnerability exists in the MediaConnector class within the vLLM project’s multimodal feature set. The load_from_url and load_from_url_async methods fetch and process media from user-provided URLs without adequate restrictions on the target hosts. This allows an attacker to coerce the vLLM server into making arbitrary requests to internal network resources.

CVSS v3.1 (7.1)
AV NETWORK · AC HIGH · PR LOW · UI NONE · S UNCHANGED
Vendor
Red Hat
Product
Red Hat AI Inference Server, Red Hat Enterprise Linux AI (RHEL AI)
Versions
Not specified
CWE
CWE-918, Server-Side Request Forgery (SSRF)
Vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:H
Published
2025-10-07T19:45:18.082Z
Updated
2025-10-07T19:57:03.472Z
CPEs
cpe:/a:redhat:ai_inference_server:3
cpe:/a:redhat:enterprise_linux_ai:1

AI Summary Analysis

Risk verdict

High risk: the SSRF flaw in MediaConnector is serious and warrants prompt patching for any internet-facing or broadly reachable deployments.

Why this matters

An attacker can coerce the server into making requests to internal resources, risking data exposure, service disruption, or internal asset discovery. Because only network access and a low-privileged account are required, exploitation can be automated and could give broad reach within otherwise protected environments.

Most likely attack path

  • Attacker identifies a publicly reachable vLLM endpoint that accepts media URLs (handled by MediaConnector) and supplies a crafted URL to be loaded by load_from_url or load_from_url_async.
  • The server then makes outbound requests to internal hosts, potentially mapping services or reaching sensitive endpoints.
  • No user interaction is required, and the attack relies on insufficient URL host restrictions and network access to the vulnerable service.

Who is most exposed

Deployments where Red Hat AI Inference Server endpoints are exposed to untrusted networks or sit behind permissive security groups/VPC access rules; common in on-prem or cloud setups with internet-facing inference endpoints.

Detection ideas

  • Outbound connections from the MediaConnector service to non-public/internal IPs or unusual internal domains.
  • Logs showing load_from_url/load_from_url_async calls with internal targets.
  • Sudden spikes in egress traffic or unusual patterns from the inference server.
  • Repeated failed or blocked URL fetch attempts that reference internal resources.
  • WAF/gateway alerts for SSRF-like URL handling anomalies.

Mitigation and prioritisation

  • Apply the vendor patch as soon as available; if not yet released, apply compensating controls.
  • Disable or tightly restrict load_from_url/load_from_url_async; implement explicit host allowlists.
  • Enforce network egress controls and segment the AI inference tier from sensitive internal resources.
  • Validate and sanitise user-provided URLs; route media fetches through a controlled proxy.
  • Implement enhanced logging and alerting for outbound fetches and internal-target access; plan a phased patch across the affected CPEs.
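The host-allowlist and URL-validation controls listed above, as an added example written for this page (not vLLM's or Red Hat's code): a pre-fetch gate that a media loader would run before handing a user-supplied URL to its HTTP client. The function name check_media_url, the allowlist contents and the FAKE_DNS table are all constructed for illustration; the default resolver uses socket.getaddrinfo, and the injectable resolver exists so the check can be tested offline.

```python
"""Pre-fetch gate for user-supplied media URLs (added example, not vLLM code).

Rejects non-http(s) schemes, embedded credentials, hosts outside an explicit
allowlist, and any host whose *resolved* addresses include a non-public
address (loopback, RFC 1918, link-local such as 169.254/16, ULA, multicast).
"""
import ipaddress
import socket
from typing import Callable, Iterable, Optional
from urllib.parse import urlsplit

Resolver = Callable[[str], list[str]]
ALLOWED_SCHEMES = {"http", "https"}


def default_resolver(host: str) -> list[str]:
    """Resolve every A/AAAA record so all addresses are checked, not just the first."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def is_public_address(ip_text: str) -> bool:
    """True only for globally routable unicast addresses.

    ip.is_global already excludes loopback, private, link-local and reserved
    ranges; multicast is excluded separately because 224/4 is not in the
    special-purpose registry. IPv4-mapped IPv6 (::ffff:10.0.0.1) is unwrapped
    first so the IPv4 rules apply to it.
    """
    ip = ipaddress.ip_address(ip_text)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_global and not ip.is_multicast


def check_media_url(url: str, allowed_hosts: Iterable[str],
                    resolver: Resolver = default_resolver) -> Optional[str]:
    """Return None if the URL may be fetched, otherwise a short rejection reason."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return f"scheme not allowed: {parts.scheme!r}"
    if parts.username or parts.password:
        return "credentials in URL are not allowed"
    host = parts.hostname  # lower-cased; brackets stripped from IPv6 literals
    if not host:
        return "missing host"
    try:
        _ = parts.port  # raises ValueError on malformed ports
    except ValueError:
        return "invalid port"
    # Exact match or subdomain of an allowlisted name.
    allowed = {h.lower() for h in allowed_hosts}
    if host not in allowed and not any(host.endswith("." + h) for h in allowed):
        return f"host not in allowlist: {host!r}"
    # IP literals are checked directly; names are resolved and every address checked.
    try:
        addresses = [str(ipaddress.ip_address(host))]
    except ValueError:
        try:
            addresses = resolver(host)
        except OSError as exc:
            return f"resolution failed: {exc}"
    if not addresses:
        return "host resolved to no addresses"
    for addr in addresses:
        if not is_public_address(addr):
            return f"host resolves to non-public address {addr}"
    return None


# Constructed DNS table so the gate can be exercised offline (hypothetical names).
FAKE_DNS = {
    "media.example.com": ["93.184.216.34"],
    "cdn.example.com": ["93.184.216.34", "10.0.0.5"],      # one internal record
    "evil.example.com": ["::ffff:10.0.0.1"],               # IPv4-mapped IPv6 trick
}


def fake_resolver(host: str) -> list[str]:
    if host not in FAKE_DNS:
        raise OSError(f"NXDOMAIN: {host}")
    return FAKE_DNS[host]


if __name__ == "__main__":
    for candidate in ("https://media.example.com/a.png", "https://cdn.example.com/a.png",
                      "http://127.0.0.1:8000/", "file:///tmp/x"):
        print(candidate, "->", check_media_url(candidate, ["example.com"], fake_resolver))
```

Two caveats the gate alone does not cover: the check must be re-applied on every redirect hop (fetch with redirects disabled and loop manually), and the address that passed the check should be the one the client actually connects to, otherwise a DNS answer that changes between check and connect (rebinding) bypasses it.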
