GHSA-2PC9-4J83-QJMR

Vulnerability from github – Published: 2026-01-21 16:12 – Updated: 2026-01-22 15:38
VLAI?
Summary
vLLM affected by RCE via auto_map dynamic module loading during model initialization
Details

Summary

vLLM loads Hugging Face auto_map dynamic modules during model resolution without gating on trust_remote_code, allowing attacker-controlled Python code in a model repo/path to execute at server startup.

Impact

An attacker who can influence the model repo/path (local directory or remote Hugging Face repo) can achieve arbitrary code execution on the vLLM host during model load.
This happens before any request handling and does not require API access.

Affected Versions

All versions where vllm/model_executor/models/registry.py resolves auto_map entries with try_get_class_from_dynamic_module without checking trust_remote_code (at least current main).

Details

During model resolution, vLLM unconditionally iterates auto_map entries from the model config and calls try_get_class_from_dynamic_module, which delegates to Transformers’ get_class_from_dynamic_module and executes the module code.

This occurs even when trust_remote_code is false, allowing a malicious model repo to embed code in a referenced module and have it executed during initialization.

Relevant code

  • vllm/model_executor/models/registry.py:856 — auto_map resolution
  • vllm/transformers_utils/dynamic_module.py:13 — delegates to get_class_from_dynamic_module, which executes code

Fixes

  • https://github.com/vllm-project/vllm/pull/32194

Credits

Reported by bugbunny.ai

Severity ?
8.8 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "vllm"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.10.1"
            },
            {
              "fixed": "0.14.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-22807"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-94"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-01-21T16:12:54Z",
    "nvd_published_at": "2026-01-21T22:15:49Z",
    "severity": "HIGH"
  },
  "details": "# Summary\n\nvLLM loads Hugging Face `auto_map` dynamic modules during model resolution **without gating on `trust_remote_code`**, allowing attacker-controlled Python code in a model repo/path to execute at server startup.\n\n---\n\n# Impact\n\nAn attacker who can influence the model repo/path (local directory or remote Hugging Face repo) can achieve **arbitrary code execution** on the vLLM host during model load.  \nThis happens **before any request handling** and does **not require API access**.\n\n---\n\n# Affected Versions\n\nAll versions where `vllm/model_executor/models/registry.py` resolves `auto_map` entries with `try_get_class_from_dynamic_module` **without checking `trust_remote_code`** (at least current `main`).\n\n---\n\n# Details\n\nDuring model resolution, vLLM unconditionally iterates `auto_map` entries from the model config and calls `try_get_class_from_dynamic_module`, which delegates to Transformers\u2019 `get_class_from_dynamic_module` and **executes the module code**.\n\nThis occurs even when `trust_remote_code` is `false`, allowing a malicious model repo to embed code in a referenced module and have it executed during initialization.\n\n### Relevant code\n\n- `vllm/model_executor/models/registry.py:856` \u2014 auto_map resolution  \n- `vllm/transformers_utils/dynamic_module.py:13` \u2014 delegates to `get_class_from_dynamic_module`, which executes code\n\n---\n\n# Fixes\n\n* https://github.com/vllm-project/vllm/pull/32194\n\n# Credits\n\nReported by **bugbunny.ai**",
  "id": "GHSA-2pc9-4j83-qjmr",
  "modified": "2026-01-22T15:38:33Z",
  "published": "2026-01-21T16:12:54Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/vllm-project/vllm/security/advisories/GHSA-2pc9-4j83-qjmr"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22807"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vllm-project/vllm/pull/32194"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vllm-project/vllm/commit/78d13ea9de4b1ce5e4d8a5af9738fea71fb024e5"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/vllm-project/vllm"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vllm-project/vllm/releases/tag/v0.14.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "vLLM affected by RCE via auto_map dynamic module loading during model initialization"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.