GitHub Advisory — vLLM trust_remote_code bypass RCE
AI relevance: vLLM is a common LLM inference server, and this bug sits in its model config loading path, letting a malicious model repo execute code on AI serving hosts.
- Issue: vLLM’s `Nemotron_Nano_VL_Config` resolves `auto_map` entries and instantiates the returned class automatically.
- Bypass: This code path can fetch and execute Python from a remote repo even when `trust_remote_code=False`.
- Exploit setup: A benign-looking “frontend” model repo can point its `config.json` to a separate “backend” repo containing malicious code.
- Trigger: The attacker only needs the victim to load the model config with vLLM utilities; no further interaction is required.
- Impact: Arbitrary code execution on the host running the model loader, affecting services, CI, or dev machines.
- Fix: The advisory links to a patch that tightens this config path and enforces the intended safety boundary.
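As an illustration of the frontend/backend setup described above, a “frontend” repo’s `config.json` could carry an `auto_map` entry whose value points at code in a second repository. This is a hypothetical sketch — the repo names, module file, and class name are invented, and the exact `auto_map` shape used in the real exploit may differ:

```json
{
  "model_type": "nemotron_nano_vl",
  "auto_map": {
    "AutoConfig": "attacker-org/backend-repo--configuration_backdoor.BackdoorConfig"
  }
}
```

If the loader resolves such an entry and instantiates the referenced class without honoring `trust_remote_code`, the backend repo’s Python module runs on import — which is the RCE described in the advisory.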
Why it matters
Model loaders are part of the AI supply chain. If trust_remote_code can be bypassed, a single “safe-looking” model repo can become a silent RCE vector in inference servers and build pipelines.
What to do
- Patch: Apply the vLLM fix referenced in the advisory.
- Restrict sources: Only load models from vetted repositories; avoid unreviewed community repos in production pipelines.
- Harden hosts: Run model loaders with minimal privileges and egress controls to reduce blast radius.
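The “restrict sources” step above can be enforced with a simple allowlist gate before any model load. This is a minimal sketch, not a vLLM feature: `ALLOWED_ORGS` and the `org/name` repo-id convention are assumptions made for illustration.

```python
# Minimal source-allowlist sketch: refuse to load model repos whose
# owning organization is not explicitly vetted. ALLOWED_ORGS is a
# placeholder set; populate it with your own vetted publishers.
ALLOWED_ORGS = {"meta-llama", "mistralai", "my-internal-org"}


def is_vetted(repo_id: str) -> bool:
    """Return True only for repos of the form 'org/name' with a vetted org."""
    org, sep, name = repo_id.partition("/")
    return bool(sep) and bool(name) and org in ALLOWED_ORGS


def load_model_checked(repo_id: str):
    """Gate model loading behind the allowlist; raise on unvetted sources."""
    if not is_vetted(repo_id):
        raise PermissionError(f"refusing to load unvetted model repo: {repo_id}")
    # ... hand off to the actual loader here ...
    return repo_id
```

A check like this does not fix the bypass itself (only the patch does), but it shrinks the attack surface to repositories you have reviewed.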