vllm Trust Remote Code Bypass Vulnerability in Model Implementations Allowing Remote Code Execution

Vulnerability

A remote code execution vulnerability exists in vllm-project/vllm version 0.14.1, where the 'trust_remote_code=True' parameter is hardcoded in the model implementation files 'vllm/model_executor/models/nemotron_vl.py' and 'vllm/model_executor/models/kimi_k25.py'. This hardcoding bypasses the user's explicit 'trust_remote_code=False' setting, allowing remote code execution through malicious Hugging Face model repositories. The vulnerability arises from an incomplete fix for two prior CVEs, affecting deployments that load NemotronVL or KimiK25 models without the 'trust_remote_code' option.

Impact

Exploitation of this vulnerability leads to remote code execution via malicious models on Hugging Face, while also bypassing the user's security control of 'trust_remote_code=False'.

Reproduction

To reproduce this vulnerability, create a model repository on Hugging Face with the 'NemotronVLForCausalLM' architecture. Use a standard 'config.json' that doesn't require custom code for the main model. In the 'vision_config' section, set 'auto_map' to reference a custom model class that includes malicious code. Then, upload the model repository and start the vllm server with the 'trust_remote_code=False' option. The hardcoded 'trust_remote_code=True' in the model implementation will be exploited, leading to remote code execution.

Remediation

The hardcoded 'trust_remote_code=True' should be replaced with the user's configured setting. For 'nemotron_vl.py', modify the vision model initialization to respect the user's 'trust_remote_code' preference. For 'kimi_k25.py', update the image processor loading to use the correct 'trust_remote_code' setting from the model configuration.
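An audit check for the pattern described above, as an added example (not vLLM's code and not part of the original advisory). It parses Python source and reports every call that passes a literal 'trust_remote_code=True', directly or through an unpacked dict literal. The helper names find_hardcoded_trust and scan_tree are hypothetical, and the embedded sample is constructed.

```python
import ast
from pathlib import Path

# Constructed sample for illustration; this is NOT the vLLM source code.
SAMPLE = '''
from transformers import AutoModel, AutoImageProcessor

def load_vision(config, model_config, path):
    # Hardcoded: overrides whatever the operator configured.
    a = AutoModel.from_config(config.vision_config, trust_remote_code=True)
    # Respects the operator's setting.
    b = AutoModel.from_config(config.vision_config,
                              trust_remote_code=model_config.trust_remote_code)
    # Hardcoded through an unpacked dict literal.
    c = AutoImageProcessor.from_pretrained(path, **{"trust_remote_code": True})
    return a, b, c
'''

def _is_true(node):
    return isinstance(node, ast.Constant) and node.value is True

def find_hardcoded_trust(source, filename="<string>"):
    """Return sorted (filename, line, callee) for calls that pass a literal True."""
    findings = []
    for node in ast.walk(ast.parse(source, filename=filename)):
        if not isinstance(node, ast.Call):
            continue
        for kw in node.keywords:
            if kw.arg == "trust_remote_code":
                hit = _is_true(kw.value)
            elif kw.arg is None and isinstance(kw.value, ast.Dict):
                # Covers **{"trust_remote_code": True}
                hit = any(isinstance(k, ast.Constant) and k.value == "trust_remote_code"
                          and _is_true(v) for k, v in zip(kw.value.keys, kw.value.values))
            else:
                hit = False
            if hit:
                findings.append((filename, node.lineno, ast.unparse(node.func)))
    return sorted(findings)

def scan_tree(root):
    """Scan every .py file under root, skipping files that do not parse."""
    findings = []
    for path in sorted(Path(root).rglob("*.py")):
        try:
            findings += find_hardcoded_trust(path.read_text(encoding="utf-8"), str(path))
        except (SyntaxError, UnicodeDecodeError):
            continue
    return findings

if __name__ == "__main__":
    for filename, line, callee in find_hardcoded_trust(SAMPLE, "sample.py"):
        print(f"{filename}:{line}: {callee}(..., trust_remote_code=True)")
```

Pointing scan_tree at the installed 'vllm/model_executor/models' directory lists any call sites that still ignore the configured setting; a value assigned to a variable first and passed by name is not caught by this literal-only check.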

Added: May 28, 2026, 8:30 PM
Updated: May 28, 2026, 8:30 PM

Vulnerability Rating

Custom Algorithm

Spread: 2.6
Impact: 7.5
Exploitability: 6.2
Remediation: 0.0
Relevance: 9.2
Threat: 1.6
Urgency: 2.9
Incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.