{"id":"PYSEC-2026-2015","summary":"vLLM vulnerable to remote code execution via transformers_utils/get_config","details":"### Summary\n\n`vllm` has a critical remote code execution vector in a config class named `Nemotron_Nano_VL_Config`. When `vllm` loads a model config that contains an `auto_map` entry, the config class resolves that mapping with `get_class_from_dynamic_module(...)` and immediately instantiates the returned class. This fetches and executes Python from the remote repository referenced in the `auto_map` string. Crucially, this happens even when the caller explicitly sets `trust_remote_code=False` in `vllm.transformers_utils.config.get_config`. In practice, an attacker can publish a benign-looking frontend repo whose `config.json` points via `auto_map` to a separate malicious backend repo; loading the frontend will silently run the backend’s code on the victim host.\n\n### Details\n\nThe vulnerable code resolves and instantiates classes from `auto_map` entries without checking whether those entries point to a different repo or whether remote code execution is allowed.\n\n```python\nclass Nemotron_Nano_VL_Config(PretrainedConfig):\n    model_type = 'Llama_Nemotron_Nano_VL'\n\n    def __init__(self, **kwargs):\n        super().__init__(**kwargs)\n\n        if vision_config is not None:\n            assert \"auto_map\" in vision_config and \"AutoConfig\" in vision_config[\"auto_map\"]\n            # \u003c-- vulnerable dynamic resolution + instantiation happens here\n            vision_auto_config = get_class_from_dynamic_module(*vision_config[\"auto_map\"][\"AutoConfig\"].split(\"--\")[::-1])\n            self.vision_config = vision_auto_config(**vision_config)\n        else:\n            self.vision_config = PretrainedConfig()\n```\n\n`get_class_from_dynamic_module(...)` is capable of fetching and importing code from the Hugging Face repo specified in the mapping. `trust_remote_code` is not enforced for this code path. As a result, a frontend repo can redirect the loader to any backend repo and cause code execution, bypassing the `trust_remote_code` guard.\n\n### Impact\n\nThis is a critical vulnerability because it breaks the documented `trust_remote_code` safety boundary in a core model-loading utility. The vulnerable code lives in a common loading path, so any application, service, CI job, or developer machine that uses `vllm`’s transformer utilities to load configs can be affected. The attack requires only two repos and no user interaction beyond loading the frontend model. A successful exploit can execute arbitrary commands on the host.\n\n### Fixes\n\n* https://github.com/vllm-project/vllm/pull/28126","aliases":["CVE-2025-66448","GHSA-8fr4-5q9j-m8gm"],"modified":"2026-07-07T17:48:15.884423346Z","published":"2026-07-07T16:03:11.918128Z","references":[{"type":"WEB","url":"https://github.com/vllm-project/vllm/security/advisories/GHSA-8fr4-5q9j-m8gm"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-66448"},{"type":"WEB","url":"https://github.com/vllm-project/vllm/pull/28126"},{"type":"WEB","url":"https://github.com/vllm-project/vllm/commit/ffb08379d8870a1a81ba82b72797f196838d0c86"},{"type":"PACKAGE","url":"https://github.com/vllm-project/vllm"},{"type":"PACKAGE","url":"https://pypi.org/project/vllm"},{"type":"ADVISORY","url":"https://github.com/advisories/GHSA-8fr4-5q9j-m8gm"}],"affected":[{"package":{"name":"vllm","ecosystem":"PyPI","purl":"pkg:pypi/vllm"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0.11.1"}]}],"versions":["0.0.1","0.1.0","0.1.1","0.1.2","0.1.3","0.1.4","0.1.5","0.1.6","0.1.7","0.10.0","0.10.1","0.10.1.1","0.10.2","0.11.0","0.2.0","0.2.1","0.2.1.post1","0.2.2","0.2.3","0.2.4","0.2.5","0.2.6","0.2.7","0.3.0","0.3.1","0.3.2","0.3.3","0.4.0","0.4.0.post1","0.4.1","0.4.2","0.4.3","0.5.0","0.5.0.post1","0.5.1","0.5.2","0.5.3","0.5.3.post1","0.5.4","0.5.5","0.6.0","0.6.1","0.6.1.post1","0.6.1.post2","0.6.2","0.6.3","0.6.3.post1","0.6.4","0.6.4.post1","0.6.5","0.6.6","0.6.6.post1","0.7.0","0.7.1","0.7.2","0.7.3","0.8.0","0.8.1","0.8.2","0.8.3","0.8.4","0.8.5","0.8.5.post1","0.9.0","0.9.0.1","0.9.1","0.9.2"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/vllm/PYSEC-2026-2015.yaml"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H"}]}