Impact
The vllm-metal inference backend in Docker Model Runner on macOS automatically sets trust_remote_code=True when loading model tokenizers and executes code without sandboxing. This flaw allows transformers.AutoTokenizer.from_pretrained() to import and run arbitrary Python files that are bundled with any model pulled from an OCI registry. When inference is triggered, those files run as the Docker Desktop user, giving an attacker the ability to execute code on the Docker host.
Affected Systems
The vulnerability affects Docker Desktop’s Docker Model Runner on macOS. Any Docker Desktop instance that has the Model Runner enabled and uses the vllm-metal inference backend is susceptible. No affected or fixed version range is listed here, so any release that retains this behavior should be treated as at risk.
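The mechanism behind the Impact section, and the pre-load check a deployer can run before any model is handed to the backend, as an added example that is not code from Docker, vLLM, or transformers. It is a toy re-implementation of the dynamic-module path that `trust_remote_code` gates in transformers: a `tokenizer_config.json` whose `auto_map` entry names a class in a Python file shipped alongside the weights, which the loader imports (and therefore executes at module level) only when `trust_remote_code=True`. The model directory, the `tokenization_evil.py` module and the marker file it writes are all constructed here to stand in for a model pulled from a registry and for an attacker's payload; the function and file names are illustrative.

```python
"""Toy stand-in for the trust_remote_code code path, plus an audit of a
pulled model directory.  Illustrative code; not transformers or Docker
Model Runner source."""
import importlib.util
import json
import tempfile
from pathlib import Path

# Constructed sample module: its top-level code runs the moment it is
# imported.  The marker file stands in for an attacker's payload.
CUSTOM_MODULE_SOURCE = '''
import os
open(os.path.join(os.path.dirname(__file__), "PAYLOAD_RAN"), "w").close()

class EvilTokenizer:
    def __init__(self, *args, **kwargs):
        pass
'''


def make_sample_model_dir(root: str) -> str:
    """Build a constructed model directory whose tokenizer config points at
    bundled Python code via auto_map (the HF convention is a [slow, fast]
    pair for AutoTokenizer)."""
    model_dir = Path(root) / "evil-model"
    model_dir.mkdir()
    (model_dir / "tokenization_evil.py").write_text(CUSTOM_MODULE_SOURCE)
    (model_dir / "tokenizer_config.json").write_text(json.dumps({
        "tokenizer_class": "EvilTokenizer",
        "auto_map": {"AutoTokenizer": ["tokenization_evil.EvilTokenizer", None]},
    }))
    return str(model_dir)


def audit_model_dir(model_dir: str) -> list[str]:
    """Pre-load check: report anything that would require executing code
    shipped inside the model directory.  A non-empty result means the
    model must not be loaded with trust_remote_code=True."""
    root = Path(model_dir)
    findings = [f"python file: {p.relative_to(root)}" for p in sorted(root.rglob("*.py"))]
    for cfg_name in ("config.json", "tokenizer_config.json"):
        cfg = root / cfg_name
        if cfg.is_file():
            auto_map = json.loads(cfg.read_text()).get("auto_map") or {}
            for key, target in auto_map.items():
                findings.append(f"{cfg_name} auto_map {key} -> {target}")
    return findings


def load_tokenizer(model_dir: str, trust_remote_code: bool):
    """Toy version of the custom-code branch of AutoTokenizer.from_pretrained:
    built-in tokenizer classes load without running model-supplied code;
    an auto_map target is imported only when trust_remote_code is True."""
    root = Path(model_dir)
    cfg = json.loads((root / "tokenizer_config.json").read_text())
    target = (cfg.get("auto_map") or {}).get("AutoTokenizer")
    if target is None:
        return cfg.get("tokenizer_class")  # built-in class, nothing executed
    if isinstance(target, list):
        target = next(t for t in target if t)
    if not trust_remote_code:
        raise ValueError(f"{model_dir} needs custom code ({target}); refusing")
    module_name, class_name = target.rsplit(".", 1)
    spec = importlib.util.spec_from_file_location(module_name, str(root / f"{module_name}.py"))
    module = importlib.util.module_from_spec(spec)
    spec.loader.exec_module(module)  # arbitrary model-supplied code runs here
    return getattr(module, class_name)


def demo() -> dict:
    """Run the audit, then attempt both loads, recording whether the
    constructed payload executed in each case."""
    with tempfile.TemporaryDirectory() as tmp:
        model_dir = make_sample_model_dir(tmp)
        marker = Path(model_dir) / "PAYLOAD_RAN"
        findings = audit_model_dir(model_dir)
        try:
            load_tokenizer(model_dir, trust_remote_code=False)
            refused = False
        except ValueError:
            refused = True
        ran_without_trust = marker.exists()
        cls = load_tokenizer(model_dir, trust_remote_code=True)
        return {
            "findings": findings,
            "refused_without_trust": refused,
            "payload_ran_without_trust": ran_without_trust,
            "payload_ran_with_trust": marker.exists(),
            "loaded_class": cls.__name__,
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With the real library the hardened call is simply `AutoTokenizer.from_pretrained(path, trust_remote_code=False)` (the library default), which raises rather than importing the bundled module; running `audit_model_dir` first lets a deployer reject such models before the backend ever sees them, and the findings list is what to log for an incident responder.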
Risk and Exploitability
With a CVSS score of 8.8 this issue is classified as high severity. No EPSS score is available, and it is not currently listed in CISA’s KEV catalog. The attack vector is remote: an attacker who can run a container on the Docker network can place a malicious model there, call the model-runner.docker.internal API to have the Model Runner pull it, and then trigger inference so that the bundled code executes on the host as the Docker Desktop user. No privileges beyond the ability to run a container are required, so the exploitation path is short; note that merely pulling the model is not enough, the code runs when inference loads the tokenizer.
OpenCVE Enrichment