Technical description
vLLM version 0.14.1 hardcodes trust_remote_code=True in two model implementation files (vllm/model_executor/models/nemotron_vl.py and vllm/model_executor/models/kimi_k25.py). This silently overrides any user-supplied --trust-remote-code=False flag, allowing arbitrary code from model repositories to execute during model loading even when the operator has explicitly disabled this capability.
Attack vector
An attacker who can influence the model repository loaded by vLLM (e.g., via a poisoned HuggingFace model or supply-chain compromise) can execute arbitrary code during model loading on vLLM instances running Nemotron VL or Kimi K2.5 models, regardless of the operator's explicit --trust-remote-code=False security configuration. CVSS 8.8 (High); reported via the huntr bounty platform.
Affected systems
vLLM version 0.14.1 — specifically Nemotron VL and Kimi K2.5 model implementations. Any vLLM deployment that loads these model types is affected regardless of the explicit trust_remote_code flag setting.
Mitigation
Update vLLM beyond 0.14.1. Audit all vLLM deployment configurations to identify which model types are loaded. Until patched, treat Nemotron VL and Kimi K2.5 model sources as requiring full supply-chain trust verification regardless of the trust_remote_code flag.
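As part of the audit, an installed vLLM tree can be checked for call sites that pass trust_remote_code=True as a literal instead of forwarding the operator's setting. The script below is an added example, not vLLM project code; the function names find_hardcoded_trust and scan_tree are hypothetical, the embedded sample is constructed, and only literal keyword arguments are detected (values set through dictionaries or variables are not).

```python
import ast
import sys
from pathlib import Path

def find_hardcoded_trust(source, filename="<string>"):
    """Return (line, callee) for each call passing trust_remote_code=True as a literal."""
    hits = []
    for node in ast.walk(ast.parse(source, filename=filename)):
        if not isinstance(node, ast.Call):
            continue
        for kw in node.keywords:
            if (kw.arg == "trust_remote_code"
                    and isinstance(kw.value, ast.Constant)
                    and kw.value.value is True):
                hits.append((kw.value.lineno, ast.unparse(node.func)))
    return sorted(hits)

def scan_tree(root):
    """Scan every .py file under root; return {path: hits} for files with findings."""
    findings = {}
    for path in sorted(Path(root).rglob("*.py")):
        try:
            hits = find_hardcoded_trust(path.read_text(encoding="utf-8"), str(path))
        except (SyntaxError, ValueError):
            continue  # unparsable or undecodable file: skip rather than abort the audit
        if hits:
            findings[str(path)] = hits
    return findings

# Constructed sample, not vLLM source: one literal True, one value passed through.
SAMPLE = '''
def load(model_config):
    a = AutoConfig.from_pretrained(model_config.model, trust_remote_code=True)
    b = AutoConfig.from_pretrained(
        model_config.model,
        trust_remote_code=model_config.trust_remote_code,
    )
    return a, b
'''

if __name__ == "__main__":
    # Usage: python audit.py <path to the installed vllm/model_executor/models directory>
    if len(sys.argv) > 1:
        for path, hits in scan_tree(sys.argv[1]).items():
            for line, callee in hits:
                print(f"{path}:{line}: {callee}(trust_remote_code=True)")
    else:
        print(find_hardcoded_trust(SAMPLE))
```

A finding means the operator's flag has no effect at that call site, so the model source it loads from needs the full supply-chain verification described above.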