PT-2025-48580 · Vllm · Vllm

Published 2025-12-01 · Updated 2025-12-09 · CVE-2025-66448

CVSS v3.1: 8.8 High
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions
vLLM versions prior to 0.11.1

Description
vLLM is an inference and serving engine for large language models (LLMs). A critical issue exists in the Nemotron_Nano_VL_Config class where remote code execution can occur. When vLLM loads a model configuration containing an auto_map entry, the get_class_from_dynamic_module() function is used to resolve the mapping and instantiate the returned class. This process retrieves and executes Python code from the remote repository specified in the auto_map string, even if trust_remote_code is set to False within vllm.transformers_utils.config.get_config. An attacker can leverage this by publishing a seemingly harmless frontend repository with a config.json file that points to a malicious backend repository. Loading the frontend then silently executes the backend's code on the victim system. The vulnerable component is the get_class_from_dynamic_module() function.

Recommendations
Versions prior to 0.11.1 should be updated to version 0.11.1 or later.
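
A defender-side check for the pattern the description calls out, added here as an example (it is not code from vLLM or from the advisory): it lists every auto_map reference in a config.json and flags those that resolve to a repository other than the one being loaded. It assumes the "<repo_id>--<module>.<Class>" reference form used for cross-repository auto_map entries; the function name, repository names and class names are hypothetical.

```python
import json

# Constructed sample: a "frontend" config.json whose auto_map points elsewhere.
# Repository and class names are placeholders, not real projects.
SAMPLE_CONFIG = json.dumps({
    "model_type": "example",
    "auto_map": {
        "AutoConfig": "example-org/backend-repo--configuration_example.ExampleConfig",
        "AutoTokenizer": ["tokenization_example.ExampleTokenizer", None],
    },
})


def audit_auto_map(config_text, loaded_repo):
    """List every auto_map code reference and the repository it resolves to.

    Assumes the "<repo_id>--<module>.<Class>" reference form; a reference
    without "--" resolves inside the repository being loaded.
    """
    auto_map = json.loads(config_text).get("auto_map")
    if not isinstance(auto_map, dict):
        return []
    findings = []
    for key, value in sorted(auto_map.items()):
        # Tokenizer entries may be a [slow, fast] list containing None.
        refs = value if isinstance(value, list) else [value]
        for ref in refs:
            if not isinstance(ref, str):
                continue
            repo, sep, class_path = ref.partition("--")
            if not sep:
                repo, class_path = loaded_repo, ref
            findings.append({
                "key": key,
                "repo": repo,
                "class_path": class_path,
                "cross_repo": repo != loaded_repo,
            })
    return findings


if __name__ == "__main__":
    for f in audit_auto_map(SAMPLE_CONFIG, "example-org/frontend-repo"):
        flag = "CROSS-REPO" if f["cross_repo"] else "same repo"
        print(f'{flag}: {f["key"]} -> {f["repo"]} :: {f["class_path"]}')
```

Run it over config.json files in a model cache or mirror before they reach a vLLM version prior to 0.11.1; a cross-repo entry means code outside the reviewed repository would be fetched.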

Exploit · Fix · RCE · Code Injection

Weakness Enumeration

Related Identifiers

CVE-2025-66448
GHSA-8FR4-5Q9J-M8GM

Affected Products

Vllm