From Disclosure to Exploitation in Hours: LMDeploy SSRF Vulnerability Exploited in the Wild
In the rapidly evolving landscape of AI infrastructure, the window between vulnerability disclosure and active exploitation is shrinking to a matter of hours. A recent case study involving LMDeploy—an open-source toolkit from the Shanghai AI Laboratory designed for serving large language models (LLMs)—serves as a stark warning. A high-severity Server-Side Request Forgery (SSRF) vulnerability was weaponized in the wild just 12 hours and 31 minutes after its public disclosure, requiring no pre-existing proof-of-concept (PoC) code to succeed.
On April 21, 2026, the security advisory GHSA-6w67-hwm5-92mq was published, eventually assigned CVE-2026-33626. The flaw, carrying a CVSS score of 7.5, strikes at the heart of LMDeploy’s vision-language capabilities.
Technical Root Cause: Unsanitized URL Fetching
The vulnerability resides within the load_image() function located in lmdeploy/vl/utils.py. When the vision-language module receives an API request containing an image URL, the function fetches the content to process it for the model. However, the implementation fails to implement a “deny-list” or “allow-list” for the destination IP addresses.
Because the function does not validate whether the provided URL points to a public internet address or a sensitive internal network resource, an attacker can substitute a legitimate image URL with an internal endpoint. This allows them to force the inference server to act as a proxy, fetching data from local databases, internal microservices, or cloud metadata services, and returning the response to the attacker.
Timeline of an Exploitation: From Advisory to Attack
The speed of the attack highlights a critical shift in threat actor behavior. According to the Sysdig Threat Research Team (TRT), who monitored the exploit via a specialized honeypot, the first malicious attempt occurred at 03:35 UTC on April 22, 2026. The traffic was traced to IP 103.116.72.119, originating from Hong Kong.
Interestingly, the attacker did not need a leaked exploit script. The technical specificity of the GitHub advisory—which explicitly named the vulnerable file, the unvalidated parameter, and the logic error—provided a complete roadmap for construction.
The Sysdig TRT observed a highly tactical eight-minute session consisting of three distinct phases:
- Phase 1: Reconnaissance & Credential Probing: The actor immediately targeted the AWS Instance Metadata Service (IMDS) via the link-local address
169.254.169.254. The goal was to exfiltrate IAM role credentials. Simultaneously, they probed127.0.0.1:6379to verify if a local Redis instance was reachable. - Phase 2: Out-of-Band (OOB) Validation: To confirm that the SSRF was “blind” (meaning the attacker couldn’t see the direct response) but still functional, they triggered a DNS callback to
cw2mhnbd.requestrepo.com. This confirmed the server had unrestricted egress to the internet. - Phase 3: Lateral Movement & Denial of Service: The attacker pivoted to internal management endpoints, hitting
/distserve/p2p_drop_connectto disrupt internal ZMQ inference routing. They concluded with a rapid-fire sweep of common ports (8080, 3306, 80) to map the internal landscape.
The “AI Infrastructure” Blind Spot
This incident exposes a systemic risk in modern AI deployments. Most LLM inference engines run on heavy-duty GPU cloud instances. These instances are often granted expansive IAM roles to allow seamless access to S3 buckets for model weights and training datasets. An SSRF in this context isn’t just a web bug; it is a gateway to the entire data lake.
Furthermore, while LMDeploy is a significant project with nearly 7,800 GitHub stars, it remains largely invisible to traditional enterprise security scanners that prioritize legacy enterprise software over niche AI-infrastructure tools. This lack of visibility makes such tools “soft targets” for sophisticated actors.
Remediation and Best Practices
Immediate Action: Upgrade to LMDeploy v0.12.3 or later. This version implements a _is_safe_url() validation check designed to intercept and block requests directed at private IP ranges and link-local addresses.
Defense-in-Depth Strategies:
- Egress Filtering: Implement strict firewall rules on your GPU instances. Inference nodes should generally not be able to initiate outbound connections to arbitrary internet addresses or sensitive internal subnets.
- Reverse Proxy Architecture: Use a hardened reverse proxy to sanitize incoming API requests, ensuring that any image or data URLs are validated before they reach the inference engine.
- Expanded Software Inventory: Incorporate AI-specific libraries (vLLM, TGI, Ray Serve, LMDeploy) into your formal CVE scanning and vulnerability management workflows.
Indicators of Compromise (IOCs)
| Type | Value | Purpose |
|---|---|---|
| Source IP | 103.116.72.119 |
Primary Attacker Origin (HK) |
| OOB Domain | cw2mhnbd.requestrepo.com |
Blind SSRF Data Exfiltration/Confirmation |
| SSRF Target | 169.254.169.254/.../iam/... |
Attempted AWS IAM Credential Theft |
| SSRF Target | 127.0.0.1:6379 |
Redis Service Probing |
| SSRF Target | 127.0.0.1:3306 |
MySQL/Database Probing |