Platform: python
Component: vllm
Fixed in: 0.11.2, 0.11.1
CVE-2025-66448 describes a critical Remote Code Execution (RCE) vulnerability affecting vllm versions up to 0.9.2. This flaw allows attackers to execute arbitrary code on systems running vulnerable vllm instances by manipulating model configuration files. The vulnerability stems from the way vllm handles dynamic module resolution, bypassing security measures intended to prevent remote code execution. A fix is available in version 0.11.1.
The impact of this vulnerability is severe. An attacker can achieve remote code execution simply by providing a specially crafted model configuration file to a vulnerable vllm instance. This allows them to gain complete control over the affected system, potentially leading to data theft, system compromise, and further lateral movement within the network. The ability to bypass the `trust_remote_code=False` setting significantly increases the attack surface and makes exploitation easier. This vulnerability shares similarities with other remote code execution flaws where dynamic code loading is mishandled, potentially allowing attackers to inject malicious code into the application's runtime environment.
This vulnerability was publicly disclosed on 2025-12-02. The CVSS score is 7.1 (HIGH). The presence of a clear attack vector and the ability to bypass security settings suggest a medium probability of exploitation. No public proof-of-concept (PoC) code had been released as of the disclosure date, but the vulnerability's nature makes it likely that one will emerge. It is not currently listed in the CISA KEV catalog.
Organizations deploying vllm for large language model inference, particularly those using custom model configurations or integrating vllm into automated pipelines, are at significant risk. Shared hosting environments where multiple users can upload model configurations are especially vulnerable, as a malicious configuration from one user could compromise the entire system.
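• python / supply-chain:

```python
import subprocess

def parse_version(text):
    # Compare numerically: as strings, '0.11.1' <= '0.9.2' would be True.
    return tuple(int(p) for p in text.split('.')[:3] if p.isdigit())

def check_vllm_version():
    try:
        result = subprocess.check_output(['pip', 'show', 'vllm'], stderr=subprocess.STDOUT)
        # Keep only the rest of the "Version:" line, not the remainder of the output.
        version = result.decode('utf-8').split('Version: ')[1].splitlines()[0].strip()
        if parse_version(version) <= (0, 9, 2):
            print(f"vllm version is vulnerable: {version}")
        else:
            print(f"vllm version is patched: {version}")
    except FileNotFoundError:
        # Raised when the pip executable itself cannot be found.
        print("pip is not installed or not on PATH.")
    except subprocess.CalledProcessError as e:
        # pip show exits non-zero when the package is not installed.
        print(f"Error checking vllm version: {e}")

check_vllm_version()
```

• linux / server:

```bash
ps aux | grep -i vllm
journalctl -u vllm | grep -i "auto_map"
```

• generic web: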
Inspect model configuration files for suspicious auto_map entries pointing to external repositories. Examine access logs for requests related to model loading and configuration.
EPSS: 0.21% (42nd percentile)
The primary mitigation is to upgrade to vllm version 0.11.1 or later, which addresses the vulnerability. If upgrading immediately is not feasible, consider implementing strict input validation on model configuration files to prevent the inclusion of malicious auto_map entries. While not a complete solution, this can reduce the attack surface. Monitor vllm logs for suspicious activity related to dynamic module loading or unexpected Python code execution. Implement network segmentation to limit the potential blast radius if a system is compromised. After upgrading, verify the fix by attempting to load a known malicious configuration file and confirming that it is rejected or handled safely.
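The configuration inspection and input validation described above can be automated before a model directory is handed to vllm. The following is an added example, not code from the vllm project: it assumes the Hugging Face convention that an `auto_map` value of the form `<repo_id>--<module>.<Class>` refers to code in another repository, and the function names, the allowlist parameter and the sample config are constructed for illustration.

```python
import json
from pathlib import Path

def find_auto_maps(node, path="$"):
    """Yield (json_path, mapping) for every `auto_map` object at any nesting depth."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "auto_map" and isinstance(value, dict):
                yield f"{path}.{key}", value
            else:
                yield from find_auto_maps(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from find_auto_maps(item, f"{path}[{i}]")

def external_refs(config, allowed_repos=frozenset()):
    """Return (json_path, repo_id, class_ref) for auto_map entries naming a non-allowlisted repo."""
    hits = []
    for path, mapping in find_auto_maps(config):
        for auto_class, refs in mapping.items():
            # A value is one string or a list of strings/nulls (e.g. slow and fast tokenizer).
            for ref in refs if isinstance(refs, list) else [refs]:
                # Assumed convention: "<repo_id>--<module>.<Class>" points at another repository.
                if isinstance(ref, str) and "--" in ref:
                    repo_id, class_ref = ref.split("--", 1)
                    if repo_id not in allowed_repos:
                        hits.append((f"{path}.{auto_class}", repo_id, class_ref))
    return hits

def scan_model_dir(model_dir, allowed_repos=frozenset()):
    """Map each config file under model_dir to its findings; unreadable JSON is reported, not skipped."""
    findings = {}
    for file in sorted(Path(model_dir).rglob("*config*.json")):
        try:
            hits = external_refs(json.loads(file.read_text(encoding="utf-8")), allowed_repos)
        except (OSError, ValueError) as exc:
            hits = [("$", "<unparseable>", str(exc))]
        if hits:
            findings[str(file)] = hits
    return findings

# Constructed sample: a top-level local reference and a nested reference to another repository.
SAMPLE_CONFIG = {
    "model_type": "example",
    "auto_map": {"AutoConfig": "configuration_example.ExampleConfig"},
    "vision_config": {"auto_map": {"AutoModel": "some-org/other-repo--modeling_x.XModel"}},
}

if __name__ == "__main__":
    for hit in external_refs(SAMPLE_CONFIG):
        print(hit)
```

A non-empty result from `scan_model_dir` is a reason to reject or quarantine the model directory before loading; as the mitigation text says, this reduces the attack surface and does not replace the upgrade.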
Update the vLLM library to version 0.11.1 or later. This fixes the remote code execution vulnerability. You can update using `pip install vllm==0.11.1` or a more recent version.
CVE-2025-66448 is a Remote Code Execution vulnerability in vllm versions up to 0.9.2. It allows attackers to execute arbitrary code by crafting malicious model configuration files.
You are affected if you are running vllm versions 0.9.2 or earlier. Check your vllm version using `pip show vllm`.
Upgrade to vllm version 0.11.1 or later. If immediate upgrade is not possible, implement strict input validation on model configuration files.
While no public exploits are currently known, the vulnerability's ease of exploitation suggests a potential for active exploitation.
Refer to the vllm project's official security advisories and release notes on their GitHub repository: [https://github.com/vllm-project/vllm](https://github.com/vllm-project/vllm)