Description

vLLM is an inference and serving engine for large language models (LLMs). Prior to 0.11.1, vllm has a critical remote code execution vector in a config class named Nemotron_Nano_VL_Config. When vllm loads a model config that contains an auto_map entry, the config class resolves that mapping with get_class_from_dynamic_module(...) and immediately instantiates the returned class. This fetches and executes Python from the remote repository referenced in the auto_map string. Crucially, this happens even when the caller explicitly sets trust_remote_code=False in vllm.transformers_utils.config.get_config. In practice, an attacker can publish a benign-looking frontend repo whose config.json points via auto_map to a separate malicious backend repo; loading the frontend will silently run the backend’s code on the victim host. This vulnerability is fixed in 0.11.1.

INFO

Published Date :

2025-12-01T22:45:42.566Z

Last Modified :

2025-12-02T14:14:58.324Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2025-66448 vulnerability.

Vendors Products
Vllm
  • Vllm
Vllm-project
  • Vllm
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-66448.

URL Resource
https://github.com/vllm-project/vllm/commit/ffb08379d8870a1a81ba82b72797f196838d0c86 cve-icon cve-icon cve-icon
https://github.com/vllm-project/vllm/pull/28126 cve-icon cve-icon cve-icon
https://github.com/vllm-project/vllm/security/advisories/GHSA-8fr4-5q9j-m8gm cve-icon cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2025-66448 cve-icon
https://www.cve.org/CVERecord?id=CVE-2025-66448 cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact