Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Primary rating from Vendor (github).
CVSS VectorVendor: github
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
4Blast Radius
ecosystem impact- 1 pypi packages depend on vllm (1 direct, 0 indirect)
Ecosystem-wide dependent count for version 0.10.1.
DescriptionCVE.org
vLLM is an inference and serving engine for large language models (LLMs). Starting in version 0.10.1 and prior to version 0.18.0, two model implementation files hardcode trust_remote_code=True when loading sub-components, bypassing the user's explicit --trust-remote-code=False security opt-out. This enables remote code execution via malicious model repositories even when the user has explicitly disabled remote code trust. Version 0.18.0 patches the issue.
AnalysisAI
Remote code execution is possible in vLLM inference and serving engine versions 0.10.1 through 0.17.x due to hardcoded trust_remote_code=True settings in two model implementation files that override users' explicit --trust-remote-code=False security configuration. Attackers can exploit this by hosting malicious model repositories that execute arbitrary code when loaded by vLLM, even when users have intentionally disabled remote code trust for security. Version 0.18.0 patches this vulnerability, with no public exploit identified at time of analysis and a CVSS score of 8.8 requiring user interaction to trigger.
Technical ContextAI
vLLM is a Python-based inference and serving engine optimized for large language models. The vulnerability stems from CWE-693 (Protection Mechanism Failure) where two model implementation files within the codebase contain hardcoded trust_remote_code=True parameters when invoking HuggingFace transformers' AutoModel.from_pretrained() or similar loading functions. This hardcoding occurs at the sub-component loading stage and bypasses the user-specified --trust-remote-code=False command-line flag that should propagate throughout the application. The trust_remote_code parameter in HuggingFace transformers controls whether arbitrary Python code embedded in model repositories (typically modeling.py files) can be executed during model loading. By forcing this to True regardless of user preference, the affected versions create a protection mechanism bypass that enables arbitrary code execution through malicious model configurations.
RemediationAI
Upgrade vLLM to version 0.18.0 or later, which contains the vendor-released patch that removes hardcoded trust_remote_code=True settings and properly respects user security preferences (see commit 00bd08edeee5dd4d4c13277c0114a464011acf72 at https://github.com/vllm-project/vllm/commit/00bd08edeee5dd4d4c13277c0114a464011acf72 and pull request https://github.com/vllm-project/vllm/pull/36192). Until patching is completed, organizations should implement strict model repository allowlisting to only load models from trusted internal sources or verified external repositories, avoid loading models from user-supplied URLs or untrusted third parties, and consider implementing network segmentation to isolate systems running vulnerable vLLM versions from external network access. Review all model loading operations to ensure they originate from authenticated and authorized sources only.
vLLM is a high-throughput and memory-efficient inference and serving engine for LLMs. Rated critical severity (CVSS 10.0
vllm-project vllm version v0.6.2 contains a vulnerability in the MessageQueue.dequeue() API function. Rated critical sev
Information exposure in vLLM inference engine versions 0.8.3 to before 0.14.1. Invalid image requests to the multimodal
vLLM is a high-throughput and memory-efficient inference and serving engine for LLMs. Rated high severity (CVSS 7.5), th
vLLM before version 0.14.1 contains a server-side request forgery vulnerability in the MediaConnector class where incons
vLLM is a high-throughput and memory-efficient inference and serving engine for LLMs. Rated medium severity (CVSS 6.5),
Vllm versions up to 0.12.0 is affected by allocation of resources without limits or throttling (CVSS 6.5).
Remote code execution in vLLM 0.10.1 through 0.13.x lets an attacker who controls the model repository or path run arbit
Server-Side Request Forgery in vLLM's multimodal MediaConnector allows remote attackers to coerce the inference server i
Denial of service in vllm 0.19.0's OpenAI-compatible serving path allows remote unauthenticated attackers to exhaust sch
vLLM is a high-throughput and memory-efficient inference and serving engine for LLMs. Rated critical severity (CVSS 9.0)
Remote code execution in vLLM versions prior to 0.22.1 allows attackers to backdoor production LLM inference deployments
Same weakness CWE-693 – Protection Mechanism Failure
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-16478