vLLM has Hardcoded Trust Override in Model Files Enables RCE Despite Explicit User Opt-Out

Summary

Two model implementation files hardcode trust_remote_code=True when loading sub-components, bypassing the user's explicit --trust-remote-code=False security opt-out. This enables remote code execution via malicious model
repositories even when the user has explicitly disabled remote code trust.

Details

Affected files (latest main branch):

1. vllm/model_executor/models/nemotron_vl.py:430

vision_model = AutoModel.from_config(config.vision_config, trust_remote_code=True)

2. vllm/model_executor/models/kimi_k25.py:177

  cached_get_image_processor(self.ctx.model_config.model, trust_remote_code=True)

Both pass a hardcoded trust_remote_code=True to HuggingFace API calls, overriding the user's global --trust-remote-code=False setting.

Relation to prior CVEs:

• CVE-2025-66448 fixed auto_map resolution in vllm/transformers_utils/config.py (config loading path)
• CVE-2026-22807 fixed broader auto_map at startup
• Both fixes are present in the current code. These hardcoded instances in model files survived both patches — different code paths.

Impact

Remote code execution. An attacker can craft a malicious model repository that executes arbitrary Python code when loaded by vLLM, even when the user has explicitly set --trust-remote-code=False. This undermines the security guarantee
that trust_remote_code=False is intended to provide.

Remediation: Replace hardcoded trust_remote_code=True with self.config.model_config.trust_remote_code in both files. Raise a clear error if the model component requires remote code but the user hasn't opted in.