CVE-2025-66448 is a critical remote code execution vulnerability found in the vllm-project's vllm inference engine for large language models, affecting all versions prior to 0.11.1. The root cause lies in the Nemotron_Nano_VL_Config class, which processes model configurations containing an auto_map entry. This entry is resolved using the function get_class_from_dynamic_module(...), which dynamically fetches and instantiates Python classes from remote repositories. Crucially, this dynamic code loading occurs regardless of the trust_remote_code parameter setting, which is intended to prevent execution of untrusted remote code. An attacker can exploit this by publishing a seemingly benign frontend repository with a config.json that references a malicious backend repository via auto_map. When the vulnerable vllm instance loads this frontend, it will silently execute the attacker's code on the host system. This vulnerability enables an attacker to execute arbitrary code remotely, potentially leading to full system compromise, data theft, or disruption of AI services. The vulnerability has a CVSS v3.1 score of 7.1, indicating high severity with network attack vector, high impact on confidentiality, integrity, and availability, but requiring low privileges and user interaction. No known exploits are currently reported in the wild. The issue is resolved in vllm version 0.11.1 by preventing unauthorized remote code execution during model config loading.

For European organizations, the impact of CVE-2025-66448 can be significant, especially for those leveraging vllm in AI-driven applications, research, or production environments. Successful exploitation allows attackers to execute arbitrary Python code remotely, potentially leading to full system compromise. This threatens the confidentiality of sensitive data processed by AI models, the integrity of AI workflows and outputs, and the availability of critical AI services. Organizations in sectors such as finance, healthcare, telecommunications, and government that rely on AI inference engines are particularly at risk. Additionally, compromised AI infrastructure could be used as a foothold for lateral movement within networks or for launching further attacks. The vulnerability undermines trust in AI supply chains and model provenance, which are critical for compliance with European data protection regulations like GDPR. Given the growing adoption of AI technologies across Europe, the threat could disrupt business operations and damage reputations if exploited.

To mitigate CVE-2025-66448, European organizations should immediately upgrade all vllm deployments to version 0.11.1 or later, where the vulnerability is fixed. Until upgrades are complete, organizations should enforce strict validation and vetting of all model configurations and repositories before loading them into vllm, ensuring no untrusted or unknown remote code is referenced. Network-level controls should be implemented to restrict vllm hosts from accessing untrusted external repositories or URLs. Employ application whitelisting and runtime monitoring to detect and block unauthorized code execution. Additionally, organizations should audit their AI supply chains to verify the provenance and integrity of model configurations and dependencies. Security teams should monitor for unusual activity on systems running vllm and prepare incident response plans for potential exploitation. Finally, raising awareness among developers and data scientists about the risks of loading untrusted model configurations is essential to prevent inadvertent exposure.