2418152 – (CVE-2025-66448) CVE-2025-66448 vllm: vLLM: Remote Code Execution via malicious model configuration

Bug 2418152 (CVE-2025-66448) - CVE-2025-66448 vllm: vLLM: Remote Code Execution via malicious model configuration

Summary: CVE-2025-66448 vllm: vLLM: Remote Code Execution via malicious model configur...

Keywords:
Status:	NEW
Alias:	CVE-2025-66448
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2025-12-01 23:01 UTC by OSIDB Bzimport
Modified:	2025-12-04 22:45 UTC (History)
CC List:	7 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2025-12-01 23:01:33 UTC

vLLM is an inference and serving engine for large language models (LLMs). Prior to 0.11.1, vllm has a critical remote code execution vector in a config class named Nemotron_Nano_VL_Config. When vllm loads a model config that contains an auto_map entry, the config class resolves that mapping with get_class_from_dynamic_module(...) and immediately instantiates the returned class. This fetches and executes Python from the remote repository referenced in the auto_map string. Crucially, this happens even when the caller explicitly sets trust_remote_code=False in vllm.transformers_utils.config.get_config. In practice, an attacker can publish a benign-looking frontend repo whose config.json points via auto_map to a separate malicious backend repo; loading the frontend will silently run the backend’s code on the victim host. This vulnerability is fixed in 0.11.1.

Note You need to log in before you can comment on or make changes to this bug.