Cyber Posture

CVE-2025-66448

Severity: High · RCE

Published: 01 December 2025
Modified: 03 December 2025
KEV Added: not listed
Patch: available (fixed in vLLM 0.11.1)
CVSS Score: 7.1 (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0004 (percentile rank 11.3)
Risk Priority: 14 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-66448 is a high-severity code injection vulnerability (CWE-94, Improper Control of Generation of Code) in vLLM (CPE vendor/product: vllm/vllm). Its CVSS v3.1 base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). Its EPSS percentile rank is 11.3 (exploit likelihood below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-18 (Mobile Code) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Client Execution (T1203) and two other techniques (T1195.001 and T1059.006). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) · AI-generated mapping

Prevent · Flaw remediation (patching)
Directly mitigates the vulnerability by requiring timely patching of vLLM to version 0.11.1 or later, which fixes the remote code execution in Nemotron_Nano_VL_Config.

Prevent · SC-18 (Mobile Code)
Restricts execution of mobile code, directly preventing the dynamic fetching and instantiation of Python code from remote repositories via auto_map entries in model configs.

Prevent · SI-10 (Information Input Validation)
Enforces validation of model configuration inputs such as auto_map, blocking remote code fetches that bypass the trust_remote_code setting.

MITRE ATT&CK Enterprise Techniques · AI-generated mapping

T1203 Exploitation for Client Execution (tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.
T1195.001 Compromise Software Dependencies and Development Tools (tactic: Initial Access)
Adversaries may manipulate software dependencies and development tools prior to receipt by a final consumer for the purpose of data or system compromise.
T1059.006 Command and Scripting Interpreter: Python (tactic: Execution)
Adversaries may abuse Python commands and scripts for execution.
Why these techniques?

The vulnerability enables remote code execution via crafted model configurations (T1203 Exploitation for Client Execution), facilitates supply chain compromise through malicious model repositories and dependencies (T1195.001), and directly results in arbitrary Python code execution (T1059.006).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

vLLM is an inference and serving engine for large language models (LLMs). Prior to 0.11.1, vllm has a critical remote code execution vector in a config class named Nemotron_Nano_VL_Config. When vllm loads a model config that contains an auto_map entry, the config class resolves that mapping with get_class_from_dynamic_module(...) and immediately instantiates the returned class. This fetches and executes Python from the remote repository referenced in the auto_map string. Crucially, this happens even when the caller explicitly sets trust_remote_code=False in vllm.transformers_utils.config.get_config. In practice, an attacker can publish a benign-looking frontend repo whose config.json points via auto_map to a separate malicious backend repo; loading the frontend will silently run the backend's code on the victim host. This vulnerability is fixed in 0.11.1.

Deeper analysis · AI-generated

CVE-2025-66448 is a remote code execution vulnerability in vLLM, an inference and serving engine for large language models, affecting versions prior to 0.11.1. The issue resides in the Nemotron_Nano_VL_Config class, where loading a model configuration containing an auto_map entry triggers resolution via get_class_from_dynamic_module, which fetches and instantiates Python code from a remote repository specified in the auto_map string. This execution occurs even when the caller explicitly sets trust_remote_code=False in vllm.transformers_utils.config.get_config, bypassing intended security controls.

An attacker can exploit this by publishing a seemingly benign frontend repository with a config.json file that includes an auto_map pointing to a separate malicious backend repository. A victim loading the frontend model config will silently fetch and execute the backend's arbitrary Python code on their host. Per the CVSS v3.1 score of 7.1 (AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H), exploitation requires network access, high attack complexity, low privileges, and user interaction, but yields high impacts on confidentiality, integrity, and availability, classified under CWE-94 (code injection).
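The config-level gate that the vulnerable code path skipped (refuse to resolve auto_map unless the caller set trust_remote_code=True, and treat references to a different repository as the dangerous case) as an added, illustrative example. This is code written for this page, not vLLM's or transformers' implementation; the repository names and the config.json contents are constructed placeholders. The one real-world convention it relies on is the "org/repo--module.Class" form that Hugging Face dynamic-module references use for cross-repository classes. It goes slightly beyond the advisory text by also walking nested sub-configs (such as a VL model's llm_config), where an auto_map entry could equally appear.

```python
"""Pre-load gate for auto_map entries in a Hugging Face-style config.json.

Added example, not vLLM's or transformers' code. Validates the config before any
dynamic module is fetched or imported (the SI-10 style check), and surfaces
cross-repository references even after an explicit trust_remote_code opt-in.
"""
import json
from dataclasses import dataclass
from typing import Optional

# Dynamic-module convention: "module.Class" refers to a file in the repository being
# loaded; "org/repo--module.Class" refers to a different repository.
REMOTE_SEPARATOR = "--"


class RemoteCodeRefused(Exception):
    """Raised when a config declares auto_map but the caller did not opt in."""


@dataclass(frozen=True)
class AutoMapFinding:
    path: str             # dotted location of the entry inside config.json
    reference: str        # the raw auto_map value
    repo: Optional[str]   # None: same repository as the config being loaded
    module: str           # Python module file the class would be imported from
    cls: str              # class that would be instantiated


def parse_reference(path: str, reference: str) -> AutoMapFinding:
    """Split an auto_map value into (repo, module, class) without importing anything."""
    if not isinstance(reference, str):
        raise ValueError(f"auto_map entry {path} is not a string: {reference!r}")
    repo: Optional[str] = None
    spec = reference
    if REMOTE_SEPARATOR in reference:
        repo, spec = reference.split(REMOTE_SEPARATOR, 1)
    module, _, cls = spec.rpartition(".")
    if not module or not cls:
        raise ValueError(f"malformed auto_map reference at {path}: {reference!r}")
    return AutoMapFinding(path, reference, repo or None, module, cls)


def audit_auto_map(config: dict, _path: tuple = ()) -> list:
    """Collect every auto_map entry in the config, including nested sub-configs."""
    findings = []
    for key, value in config.items():
        if key == "auto_map" and isinstance(value, dict):
            for name, ref in value.items():
                entry_path = ".".join(_path + ("auto_map", name))
                # Values are normally strings; tolerate a list of strings defensively.
                for r in (ref if isinstance(ref, list) else [ref]):
                    findings.append(parse_reference(entry_path, r))
        elif isinstance(value, dict):
            findings.extend(audit_auto_map(value, _path + (key,)))
    return findings


def gate_config(config: dict, loading_repo: str, trust_remote_code: bool = False) -> list:
    """Decide whether auto_map resolution may proceed.

    Raises RemoteCodeRefused when auto_map is present and the caller did not opt in.
    Otherwise returns the entries that point at a repository other than loading_repo,
    i.e. code that would run from a third party even after a deliberate opt-in.
    """
    findings = audit_auto_map(config)
    if findings and not trust_remote_code:
        refs = ", ".join(f"{f.path}={f.reference}" for f in findings)
        raise RemoteCodeRefused(
            f"{loading_repo}: config declares auto_map ({refs}) "
            "but trust_remote_code=False; refusing to resolve dynamic modules"
        )
    return [f for f in findings if f.repo is not None and f.repo != loading_repo]


# Constructed sample (placeholder repositories, not real ones): a benign-looking
# frontend repo whose config.json points via auto_map at a separate backend repo,
# plus a nested sub-config whose auto_map stays inside the frontend repo.
FRONTEND_REPO = "example-org/frontend-model"
SAMPLE_CONFIG = json.loads("""
{
  "model_type": "Nemotron_Nano_VL",
  "auto_map": {
    "AutoConfig": "example-org/backend-payload--configuration_nemo.NemoConfig",
    "AutoModel": "modeling_nemo.NemoModel"
  },
  "llm_config": {
    "auto_map": {"AutoConfig": "configuration_llm.LlmConfig"}
  }
}
""")


if __name__ == "__main__":
    try:
        gate_config(SAMPLE_CONFIG, FRONTEND_REPO, trust_remote_code=False)
    except RemoteCodeRefused as exc:
        print("refused:", exc)
    for f in gate_config(SAMPLE_CONFIG, FRONTEND_REPO, trust_remote_code=True):
        print(f"cross-repo code at {f.path}: {f.repo} -> {f.module}.{f.cls}")
```

The gate runs on the parsed JSON only, so nothing is downloaded or imported before the decision is made; with trust_remote_code=False the sample is refused outright, and with it set the caller still sees that auto_map.AutoConfig would execute code from example-org/backend-payload rather than from the repository it asked for.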

The vulnerability is addressed in vLLM version 0.11.1. Official mitigation details are available in the project's security advisory at GHSA-8fr4-5q9j-m8gm, the fixing pull request at github.com/vllm-project/vllm/pull/28126, and the commit ffb08379d8870a1a81ba82b72797f196838d0c86, which practitioners should review for patch implementation guidance.

This flaw highlights risks in AI/ML inference engines handling untrusted model configurations from remote sources, with no reported real-world exploitation as of the CVE publication on 2025-12-01.

Details

CWE(s)

CWE-94 (Improper Control of Generation of Code, 'Code Injection')

Affected Products

vllm / vllm, versions prior to 0.11.1 (fixed in 0.11.1)

CVEs Like This One

CVE-2026-22807 (same product: vLLM)
CVE-2026-27893 (same product: vLLM)
CVE-2026-22773 (same product: vLLM)
CVE-2026-22778 (same product: vLLM)
CVE-2026-25960 (same product: vLLM)
CVE-2025-29783 (same product: vLLM)
CVE-2025-24357 (same product: vLLM)
CVE-2024-11041 (same product: vLLM)
CVE-2025-62164 (same product: vLLM)
CVE-2026-24779 (same product: vLLM)
