Docker Model Runner vllm-metal Inference Backend Unconditional Trust in Model Tokenizers Leading to Arbitrary Code Execution

Vulnerability

A vulnerability exists in the vllm-metal inference backend of Docker Model Runner on macOS. The backend passes trust_remote_code=True unconditionally when it loads a model's tokenizer, and it does so without any sandboxing. With that flag set, transformers.AutoTokenizer.from_pretrained() imports and executes Python files shipped inside the model (a model's tokenizer_config.json can point at such a file through its auto_map entry, and the module's top-level code runs at import time). Because models are retrieved from an OCI registry, a registry-hosted model can therefore carry arbitrary Python that runs on the Docker host, as the Docker Desktop user, whenever inference is performed with it. Any container on the Docker network can trigger this by calling the model-runner.docker.internal API to fetch a malicious model and request inference.
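
The check below is an example added to this advisory; it is not code from Docker Model Runner or vLLM. It relies on one fact about transformers: a model declares custom tokenizer or model code through an auto_map entry in tokenizer_config.json or config.json, and with trust_remote_code=True from_pretrained() imports the named module from the model directory, executing its top-level code. The function names (custom_code_entries, python_files, tokenizer_load_kwargs, build_sample_models) and the sample module name tokenization_evil.py are this example's own; the two sample model directories are constructed in a temporary directory, and the "malicious" module only prints a line.

```python
"""Pre-load check for model directories pulled from a registry.

Added example for this advisory; not Docker Model Runner's or vLLM's code.
transformers signals "this model ships custom code" through an "auto_map"
entry in tokenizer_config.json (tokenizers) or config.json (models); with
trust_remote_code=True, from_pretrained() imports the named module from the
model directory, running its top-level code. The functions below refuse such
models unless the operator explicitly opts in.
"""
import json
import os
import tempfile
from typing import Dict, List, Tuple

# Metadata files in which transformers looks for an "auto_map" entry.
METADATA_FILES = ("tokenizer_config.json", "config.json")


def custom_code_entries(model_dir: str) -> Dict[str, str]:
    """Map each Auto* class named in an auto_map to the module.Class it points at."""
    found: Dict[str, str] = {}
    for name in METADATA_FILES:
        path = os.path.join(model_dir, name)
        if not os.path.isfile(path):
            continue
        with open(path, "r", encoding="utf-8") as fh:
            try:
                meta = json.load(fh)
            except json.JSONDecodeError:
                # Unparseable metadata is treated as suspicious, not skipped.
                found[name + ":unparseable"] = "?"
                continue
        auto_map = meta.get("auto_map") or {}
        for cls, ref in auto_map.items():
            # Tokenizer entries may be a [fast, slow] pair; config.json uses plain strings.
            refs = ref if isinstance(ref, list) else [ref]
            for r in refs:
                if r:
                    found[cls] = r
    return found


def python_files(model_dir: str) -> List[str]:
    """List every .py file under the model directory: the payload carrier."""
    out: List[str] = []
    for root, _dirs, files in os.walk(model_dir):
        for f in files:
            if f.endswith(".py"):
                out.append(os.path.relpath(os.path.join(root, f), model_dir))
    return sorted(out)


def tokenizer_load_kwargs(model_dir: str, allow_remote_code: bool = False) -> dict:
    """Build the kwargs for AutoTokenizer.from_pretrained(model_dir, **kwargs).

    Vulnerable pattern described by the advisory:
        AutoTokenizer.from_pretrained(model_dir, trust_remote_code=True)
    Hardened pattern: trust_remote_code defaults to False, and a model that
    declares custom code is rejected unless the operator opted in for it.
    """
    entries = custom_code_entries(model_dir)
    scripts = python_files(model_dir)
    if (entries or scripts) and not allow_remote_code:
        raise RuntimeError(
            f"model at {model_dir} ships custom code (auto_map={entries}, "
            f"python_files={scripts}); refusing to load"
        )
    return {"trust_remote_code": allow_remote_code}


def build_sample_models() -> Tuple[str, str]:
    """Constructed sample model directories (benign, malicious) in a temp dir.

    The malicious one mirrors the shape of a model whose tokenizer_config.json
    names a bundled module; the module body here is only a placeholder.
    """
    base = tempfile.mkdtemp(prefix="dmr-check-")
    benign = os.path.join(base, "benign")
    malicious = os.path.join(base, "malicious")
    os.makedirs(benign)
    os.makedirs(malicious)
    with open(os.path.join(benign, "tokenizer_config.json"), "w") as fh:
        json.dump({"tokenizer_class": "PreTrainedTokenizerFast"}, fh)
    with open(os.path.join(malicious, "tokenizer_config.json"), "w") as fh:
        json.dump({"tokenizer_class": "PreTrainedTokenizerFast",
                   "auto_map": {"AutoTokenizer": ["tokenization_evil.EvilTokenizer", None]}}, fh)
    with open(os.path.join(malicious, "tokenization_evil.py"), "w") as fh:
        fh.write("# top-level code here runs on import when trust_remote_code=True\n"
                 "print('tokenizer module imported')\n")
    return benign, malicious


if __name__ == "__main__":
    benign_dir, malicious_dir = build_sample_models()
    print("benign:", tokenizer_load_kwargs(benign_dir))
    try:
        tokenizer_load_kwargs(malicious_dir)
    except RuntimeError as exc:
        print("malicious:", exc)
```

The check deliberately flags any .py file, not only the one named in auto_map, since a module referenced from auto_map can itself import siblings. It is a gate in front of from_pretrained(), not a substitute for sandboxing: a model the operator does opt into still runs its code with the privileges of the backend process.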

Impact

Successful exploitation yields arbitrary code execution on the Docker host as the Docker Desktop user. No privilege beyond the ability to reach the model-runner API from a container on the Docker network is required.

Reproduction

To reproduce this vulnerability, load a model from an OCI registry that bundles malicious Python files into the vllm-metal inference backend of Docker Model Runner on macOS (for example, from a container that calls the model-runner.docker.internal API to pull the model), then request inference against it. The backend trusts the model's tokenizer code unconditionally and executes it without sandboxing, so the bundled code runs on the Docker host as the Docker Desktop user.

Added: May 26, 2026, 2:37 PM
Updated: May 26, 2026, 2:37 PM

Vulnerability Rating

Custom Algorithm

category        score
spread          0.0
impact          2.5
exploitability  2.8
remediation     0.0
relevance       9.1
threat          1.6
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.