vLLM
cpe:2.3:a:vllm:vllm:*:*:*:*:*:*:*
- < 0.11.1
A critical remote code execution vulnerability exists in vLLM versions prior to 0.11.1, specifically within the Nemotron_Nano_VL_Config class. The issue arises when vLLM loads a model configuration containing an auto_map entry. The configuration class resolves this mapping by fetching a class from a remote repository, which can then execute arbitrary Python code on the local machine. This vulnerability bypasses the trust_remote_code=False setting, allowing attackers to execute malicious code by manipulating the model configuration.
Exploitation of this vulnerability allows for arbitrary code execution on the host machine.
To reproduce this vulnerability, create a frontend repository that includes a config.json file. This file should contain an auto_map entry that points to a malicious backend repository. When the frontend is loaded, the code from the backend repository will be executed on the local machine, demonstrating the remote code execution vulnerability.
Users can upgrade to vLLM version 0.11.1 or later to address this vulnerability.
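A pre-load audit that a deployment can run on a model's config.json before passing it to an affected vLLM version, given as an added example (it is not vLLM's code or its fix). It assumes the Hugging Face Transformers convention that an auto_map value of the form repo_id--module.Class refers to code hosted in another repository; the sample config, repository names, function names and the "blocked" policy field are constructed for illustration.

```python
import json

# Constructed sample config.json for illustration (repo names are placeholders).
SAMPLE_CONFIG = json.dumps({
    "model_type": "example",
    "auto_map": {
        "AutoConfig": "example-org/backend-repo--configuration_x.XConfig",
        "AutoTokenizer": ["tokenization_x.XTokenizer", None],
    },
    "vision_config": {"auto_map": {"AutoConfig": "configuration_v.VConfig"}},
})


def find_auto_map_refs(config, path="$"):
    """Recursively collect every auto_map class reference in a parsed config."""
    refs = []
    if isinstance(config, dict):
        for key, value in config.items():
            if key == "auto_map" and isinstance(value, dict):
                for auto_class, ref in value.items():
                    # Values may be a string or a list (e.g. slow/fast tokenizer pair).
                    for item in ref if isinstance(ref, (list, tuple)) else [ref]:
                        if isinstance(item, str):
                            refs.append((f"{path}.auto_map.{auto_class}", item))
            else:
                refs.extend(find_auto_map_refs(value, f"{path}.{key}"))
    elif isinstance(config, list):
        for i, value in enumerate(config):
            refs.extend(find_auto_map_refs(value, f"{path}[{i}]"))
    return refs


def audit_config(config_text, trust_remote_code=False):
    """Return one finding per auto_map reference; any finding requests dynamic code."""
    findings = []
    for location, ref in find_auto_map_refs(json.loads(config_text)):
        # "repo_id--module.Class" names code hosted in a different repository.
        repo, sep, target = ref.partition("--")
        findings.append({
            "location": location,
            "class_ref": target if sep else ref,
            "external_repo": repo if sep else None,
            # Assumed policy: reject the model unless remote code was opted into.
            "blocked": not trust_remote_code,
        })
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
```

Any finding with a non-empty external_repo matches the cross-repository pattern described above and is worth rejecting outright on versions prior to 0.11.1, since those versions do not honour trust_remote_code=False on this path.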