CVE-2025-66448
📋 TL;DR
This vulnerability in vLLM allows remote code execution when loading model configurations containing auto_map entries. Attackers can create a seemingly benign repository that points to a malicious backend, executing arbitrary code on victim systems even when trust_remote_code is explicitly disabled. Users of vLLM versions before 0.11.1 who load external model configurations are affected.
💻 Affected Systems
- vLLM
📦 What is this software?
vLLM by vLLM
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing attackers to execute arbitrary code, steal data, deploy ransomware, or pivot to other systems.
Likely Case
Data exfiltration, cryptocurrency mining, or backdoor installation on vulnerable vLLM instances.
If Mitigated
Limited impact if proper network segmentation and least privilege principles are implemented.
🎯 Exploit Status
Exploitation requires the victim to load a malicious configuration file, which could be achieved through social engineering or supply chain attacks.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.11.1
Vendor Advisory: https://github.com/vllm-project/vllm/security/advisories/GHSA-8fr4-5q9j-m8gm
Restart Required: Yes
Instructions:
1. Update vLLM to version 0.11.1 or later using pip (quote the requirement so the shell does not treat `>` as a redirect): pip install --upgrade "vllm>=0.11.1"
2. Restart all vLLM services and processes
3. Verify the fix by checking the version
🔧 Temporary Workarounds
Disable remote code loading
Platform: all
Avoid loading any model configurations from untrusted sources or repositories containing auto_map entries.
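One way to apply this workaround before a model directory is handed to vLLM, as an added example that is not part of the advisory or of vLLM's code: the script walks a config.json, including nested sections, and lists every auto_map entry, flagging those that use the Hugging Face Transformers `repo_id--module.Class` form to point at a different repository. The sample config and every repository and class name in it are constructed.

```python
import json

# Constructed sample config.json; repository and class names are made up.
SAMPLE_CONFIG = """
{
  "model_type": "example",
  "auto_map": {"AutoConfig": "configuration_example.ExampleConfig"},
  "vision_config": {
    "auto_map": {"AutoConfig": "example-org/other-repo--configuration_vit.VitConfig"}
  }
}
"""

def find_auto_map_refs(node, path="config"):
    """Yield (json_path, entry_name, reference) for auto_map entries at any depth."""
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}"
            if key == "auto_map" and isinstance(value, dict):
                for name, ref in value.items():
                    # Tokenizer entries may be a [slow, fast] list; normalise to a list.
                    refs = ref if isinstance(ref, (list, tuple)) else [ref]
                    for r in refs:
                        if isinstance(r, str):
                            yield here, name, r
            else:
                yield from find_auto_map_refs(value, here)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from find_auto_map_refs(item, f"{path}[{i}]")

def audit_config(config_text):
    """Return one finding per auto_map reference; external_repo is set when
    the reference names another repository ("repo_id--module.Class")."""
    findings = []
    for where, name, ref in find_auto_map_refs(json.loads(config_text)):
        repo, sep, target = ref.partition("--")
        findings.append({
            "path": where,
            "entry": name,
            "external_repo": repo if sep else None,
            "target": target if sep else ref,
        })
    return findings

if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        status = "EXTERNAL REPO" if f["external_repo"] else "local module"
        print(f'{status:13} {f["path"]} [{f["entry"]}] -> {f["external_repo"] or ""} {f["target"]}')
```

Any finding, and especially one with external_repo set, is a reason to review the referenced code before loading that configuration on a version earlier than 0.11.1.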
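Network restrictions
Platform: linux
Block outbound connections from vLLM instances to prevent fetching remote code. As written, these rules drop all outbound TCP traffic to ports 443 and 80 from the host, not only traffic from vLLM.
iptables -A OUTPUT -p tcp --dport 443 -j DROP
iptables -A OUTPUT -p tcp --dport 80 -j DROP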
🧯 If You Can't Patch
- Only load model configurations from trusted, verified sources with known integrity.
- Implement strict network segmentation to isolate vLLM instances from untrusted networks.
🔍 How to Verify
Check if Vulnerable:
Check the vLLM version: python -c "import vllm; print(vllm.__version__)". If the version is lower than 0.11.1, the system is vulnerable.
Check Version:
python -c "import vllm; print(vllm.__version__)"
Verify Fix Applied:
After updating, verify that the version is 0.11.1 or higher using the same command.
📡 Detection & Monitoring
Log Indicators:
- Unexpected network connections to external repositories
- Unusual Python module imports or executions
- Errors related to Nemotron_Nano_VL_Config class
Network Indicators:
- Outbound HTTP/HTTPS connections to unfamiliar repositories during model loading
SIEM Query:
source="vllm" AND ("auto_map" OR "Nemotron_Nano_VL_Config" OR "get_class_from_dynamic_module")