PT-2026-50140 · Pypi · Vllm

Published 2026-06-16 · Updated 2026-06-16 · CVE-2026-41523

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Summary

An assert-based security check in vLLM's activation function loading allows any unauthenticated attacker to achieve arbitrary code execution on the server by publishing a malicious HuggingFace model, when vLLM runs in Python optimized mode (python -O or PYTHONOPTIMIZE=1).

Details

vLLM uses an assert statement at [vllm/model_executor/layers/pooler/activations.py:48](https://github.com/vllm-project/vllm/blob/main/vllm/model_executor/layers/pooler/activations.py#L48) as its sole security control to restrict which activation functions can be loaded from a HuggingFace model's config.json:

```python
# vllm/model_executor/layers/pooler/activations.py:35-53 (excerpt)
function_name: str | None = None
if (
    hasattr(config, "sentence_transformers")
    and "activation_fn" in config.sentence_transformers
):
    function_name = config.sentence_transformers["activation_fn"]
elif (
    hasattr(config, "sbert_ce_default_activation_function")
    and config.sbert_ce_default_activation_function is not None
):
    function_name = config.sbert_ce_default_activation_function

if function_name is not None:
    # The only guard on the name; compiled out entirely under python -O / PYTHONOPTIMIZE=1
    assert function_name.startswith("torch.nn.modules."), (
        "Loading of activation functions is restricted to "
        "torch.nn.modules for security reasons"
    )
    fn = resolve_obj_by_qualname(function_name)()
```
Python's assert statements are stripped at compile time when running in optimized mode (python -O or PYTHONOPTIMIZE=1). With the assert gone, the attacker-controlled function_name from the model's config.json is passed directly to [resolve_obj_by_qualname()](https://github.com/vllm-project/vllm/blob/main/vllm/utils/import_utils.py#L106), an unrestricted import gadget:

```python
import importlib
from typing import Any


def resolve_obj_by_qualname(qualname: str) -> Any:
    # Splits "pkg.module.Name" into module path and attribute name, imports the
    # module and returns the attribute. No allowlist of its own: every caller
    # must validate qualname before it gets here.
    module_name, obj_name = qualname.rsplit(".", 1)
    module = importlib.import_module(module_name)
    return getattr(module, obj_name)
```
This is the same vulnerability class as CVE-2017-1000433 (pysaml2 assert-based auth bypass), flagged by Bandit B101 and Ruff S101, and the reason Django proactively replaced all assert-based security checks (ticket #32508).
Attacker-controlled input sources:
  • config.sentence_transformers["activation_fn"] (line 40)
  • config.sbert_ce_default_activation_function (line 45)
Affected call sites: get_act_fn() is called via resolve_classifier_act_fn() from:
  • vllm/model_executor/layers/pooler/seqwise/poolers.py:122 (SequencePooler)
  • vllm/model_executor/layers/pooler/tokwise/poolers.py:130 (TokenPooler)
Broader systemic risk: resolve_obj_by_qualname is called from roughly 20 locations across the codebase and performs no validation of its own. Any future caller that feeds it user-controlled input without validating it first recreates the same vulnerability class.
Suggested fix: Replace the assert with an explicit conditional raise, which is kept at every optimization level:

```python
if not function_name.startswith("torch.nn.modules."):
    raise ValueError(
        "Loading of activation functions is restricted to "
        "torch.nn.modules for security reasons"
    )
```
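The following is an added, constructed demonstration (not vLLM's code) of why the assert above is not a security control: it compiles an assert-based guard with `optimize=1`, which is what python -O / PYTHONOPTIMIZE=1 applies, and compares it with the raise-based guard from the suggested fix. The names ALLOWED_PREFIX, build_assert_guard, check_with_raise and guard_rejects are this example's own; "json.loads" is a constructed non-allowlisted name that is never actually imported.

```python
# Constructed demo of the CVE-2026-41523 bug class, not vLLM's own code.
# build_assert_guard compiles the assert-based check as `python -O` would
# (optimize=1); check_with_raise is the hardened form from the suggested fix.
import importlib
from typing import Any, Callable

ALLOWED_PREFIX = "torch.nn.modules."  # the vLLM allowlist prefix


def resolve_obj_by_qualname(qualname: str) -> Any:
    # Same shape as vLLM's import gadget: it validates nothing by itself.
    module_name, obj_name = qualname.rsplit(".", 1)
    return getattr(importlib.import_module(module_name), obj_name)


# Source of the vulnerable guard, compiled below at a chosen optimize level.
ASSERT_GUARD_SRC = """
def check_with_assert(qualname):
    assert qualname.startswith(ALLOWED_PREFIX), "restricted to torch.nn.modules"
    return qualname
"""


def build_assert_guard(optimize: int) -> Callable[[str], str]:
    # optimize=0 is a normal run; optimize=1 is what python -O / PYTHONOPTIMIZE=1
    # uses, and the compiler drops every assert statement at that level.
    ns: dict = {"ALLOWED_PREFIX": ALLOWED_PREFIX}
    exec(compile(ASSERT_GUARD_SRC, "<guard>", "exec", optimize=optimize), ns)
    return ns["check_with_assert"]


def check_with_raise(qualname: str) -> str:
    # Hardened guard: an explicit conditional survives every optimize level.
    if not qualname.startswith(ALLOWED_PREFIX):
        raise ValueError("activation functions are restricted to torch.nn.modules")
    return qualname


def guard_rejects(guard: Callable[[str], str], qualname: str) -> bool:
    # True if the guard blocks the name before it can reach the import gadget.
    try:
        guard(qualname)
    except (AssertionError, ValueError):
        return True
    return False


def asserts_enabled() -> bool:
    # Runtime self-check for a deployment: False means asserts were stripped.
    return __debug__
```

Under optimize=0 the assert guard rejects "json.loads", under optimize=1 it lets the same name through, and the raise guard rejects it in both cases; asserts_enabled() is the one-line check a deployment can run to see which mode the interpreter is in.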

Impact

Arbitrary code execution. A malicious model author publishes a HuggingFace model with a crafted config.json. When a victim loads this model with vLLM running under python -O or PYTHONOPTIMIZE=1, arbitrary code executes during model initialization with the privileges of the vLLM process.
The attack requires:
  1. Victim loads a malicious model from HuggingFace (user interaction)
  2. vLLM runs under python -O or PYTHONOPTIMIZE=1 (documented in production use)
  3. Model uses a cross-encoder architecture (e.g. BERT or RoBERTa with sequence classification)
Coordinated disclosure note: This vulnerability was also reported via huntr.com on April 2, 2026 (https://huntr.com/bounties/dcb05b04-e625-41e7-adbc-bbae0cc2d64c). A GitHub Security Advisory was also filed because it is vLLM's stated preferred disclosure channel per SECURITY.md.

Weakness Enumeration

Assertion Failure
Code Injection

Related identifiers

CVE-2026-41523
GHSA-Q8GQ-377P-JQ3R

Affected products

Vllm