CVE-2025-9141

Summary

An unsafe deserialization vulnerability allows any authenticated user to execute arbitrary code on the server if they are able to get the model to pass the code as an argument to a tool call.

Details

vLLM's Qwen3 Coder tool parser contains a code execution path that uses Python's eval() function to parse tool call parameters. This occurs during the parameter conversion process when the parser attempts to handle unknown data types.

This code path is reached when:

Tool calling is enabled (--enable-auto-tool-choice)
The qwen3_coder parser is specified (--tool-call-parser qwen3_coder)
The parameter type is not explicitly defined or recognized

Impact

Remote Code Execution via Python's eval() function.

Published: Aug 21, 2025
Updated: Aug 22, 2025
CVE: CVE-2025-9141
GHSA: GHSA-79j6-g2m3-jgfw
Severity: High
Exploit:

CVSS v3:

Severity: Unknown
Score:
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWEs:

CWE-502

OWASP TOP 10:

A8 - Insecure Deserialization

Affected Software
References

Software	From	Fixed in
vllm	0.10.0	0.10.1.1

Vulnerability Database

CVE-2025-9141

Summary

Details

Impact