What happened
Prior to vLLM 0.22.1, the official vLLM Dockerfile installed the flashinfer-jit-cache package from a custom index (flashinfer.ai/whl/) using --extra-index-url, while UV_INDEX_STRATEGY='unsafe-best-match' was set globally. The package name was not registered on PyPI. An attacker who registers flashinfer-jit-cache on PyPI with a sufficiently high version number (e.g. 0.6.11.post2) can execute arbitrary code as root during every Docker build, backdooring every resulting container image. NVD confirms CVSS 8.8 High, published 2026-06-22.
Why it matters
This is a supply-chain attack against vLLM's official Docker image build process. Any organization building vLLM from the official Dockerfile is vulnerable to having their production LLM serving containers silently backdoored, enabling exfiltration of all user prompts, API credentials, model weights, and secrets at container startup time — with root-level persistence.
Attack vector
Attacker registers flashinfer-jit-cache on PyPI with a higher version than the custom-index package; UV's unsafe-best-match strategy resolves to the PyPI version during docker build, executing attacker code as root
Affected systems
vLLM Dockerfile builds < 0.22.1
Mitigation
Upgrade to vLLM 0.22.1 which patches the Dockerfile. Advisory: https://github.com/vllm-project/vllm/security/advisories/GHSA-jrf6-vqxq-pjv2