CVE-2025-66448

Published: Dec 1, 2025

Modified: Dec 2, 2025

PUBLISHED

CVSS v3.1

7.1

HIGH

Description

vLLM is an inference and serving engine for large language models (LLMs). Prior to 0.11.1, vllm has a critical remote code execution vector in a config class named Nemotron_Nano_VL_Config. When vllm loads a model config that contains an auto_map entry, the config class resolves that mapping with get_class_from_dynamic_module(...) and immediately instantiates the returned class. This fetches and executes Python from the remote repository referenced in the auto_map string. Crucially, this happens even when the caller explicitly sets trust_remote_code=False in vllm.transformers_utils.config.get_config. In practice, an attacker can publish a benign-looking frontend repo whose config.json points via auto_map to a separate malicious backend repo; loading the frontend will silently run the backend’s code on the victim host. This vulnerability is fixed in 0.11.1.

Vendor	Product	Versions
vllm-project	vllm	affected `< 0.11.1`

Weaknesses (CWE)

CWE-94

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

References

https://github.com/vllm-project/vllm/security/advisories/GHSA-8fr4-5q9j-m8gm

x_refsource_CONFIRM

https://github.com/vllm-project/vllm/pull/28126

x_refsource_MISC

https://github.com/vllm-project/vllm/commit/ffb08379d8870a1a81ba82b72797f196838d0c86

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2025-66448

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References