
CVE-2025-9141: vLLM has remote code execution vulnerability in the tool call parser for Qwen3-Coder

CVSS Score (v3.1): 8.8

Basic Information

EPSS Score: -
Published: 8/21/2025
Updated: 8/21/2025
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Package Name | Ecosystem | Vulnerable Versions   | First Patched Version
vllm         | pip       | >= 0.10.0, < 0.10.1.1 | 0.10.1.1

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability is a classic case of unsafe deserialization using eval(). The analysis of the provided commit 4594fc3b281713bd3d7634405b4a1393af40d294 shows the addition of the Qwen3CoderToolParser. Within this new parser, the _parse_xml_function_call method is responsible for parsing tool calls from the model's output. A nested helper function, convert_param_value, is used to cast parameter values into their correct Python types. The vulnerability is in the fallback mechanism of this type conversion. If the provided parameter value is not a standard type and cannot be decoded as JSON, the code executes eval() on the value. This is a critical security flaw. An attacker can craft input that causes the language model to generate a tool call containing a malicious payload. When the vLLM server parses this tool call, the payload is passed to eval(), resulting in arbitrary code execution. The vulnerable function that would appear in a runtime profile is Qwen3CoderToolParser._parse_xml_function_call, as it orchestrates the parsing process and contains the direct call to the vulnerable logic.
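The following is an added illustration of the defect described above and of a hardened replacement; it is not vLLM's own code. The XML-style markup, the tool schema, and the function names are assumptions chosen to mirror the description, and the sample tool call is constructed. The point it shows: a parameter value that is not valid JSON must fall back to being kept as a plain string (or be checked against the tool's declared parameter type), never handed to eval().

```python
import json
import re
from typing import Any, Dict, Optional

# Constructed sample of an XML-style tool call in the shape the advisory
# describes (assumed simplified markup, not the exact Qwen3-Coder format).
SAMPLE_TOOL_CALL = """<tool_call>
<function=run_query>
<parameter=limit>10</parameter>
<parameter=verbose>true</parameter>
<parameter=filters>{"status": "open", "tags": ["a", "b"]}</parameter>
<parameter=note>sum(range(10))</parameter>
</function>
</tool_call>"""

# Assumed parameter types taken from the tool's JSON schema. Declared types
# let the converter decide what a value may become without guessing.
TOOL_SCHEMA: Dict[str, str] = {
    "limit": "integer",
    "verbose": "boolean",
    "filters": "object",
    "note": "string",
}

_FUNC_RE = re.compile(r"<function=(\w+)>")
_PARAM_RE = re.compile(r"<parameter=(\w+)>(.*?)</parameter>", re.DOTALL)


def convert_param_value_vulnerable(value: str) -> Any:
    """Shape of the fallback the advisory describes: JSON first, then eval().

    Kept only to contrast with the hardened version below; an expression-
    looking string such as "sum(range(10))" is executed instead of stored.
    """
    try:
        return json.loads(value)
    except json.JSONDecodeError:
        return eval(value)  # the CVE-2025-9141 defect


def convert_param_value(value: str, declared_type: Optional[str]) -> Any:
    """Hardened conversion: only well-defined decoders, never eval().

    With a declared type the value is parsed strictly for that type and a
    mismatch is an error. Without one, JSON is tried and anything that is
    not JSON is returned unchanged as a string.
    """
    value = value.strip()
    if declared_type in ("integer", "int"):
        return int(value)
    if declared_type in ("number", "float"):
        return float(value)
    if declared_type in ("boolean", "bool"):
        lowered = value.lower()
        if lowered in ("true", "false"):
            return lowered == "true"
        raise ValueError(f"expected boolean, got {value!r}")
    if declared_type in ("object", "array"):
        return json.loads(value)
    if declared_type == "string":
        return value
    # Undeclared type: JSON if it parses, otherwise the raw string.
    try:
        return json.loads(value)
    except json.JSONDecodeError:
        return value


def parse_xml_function_call(text: str, schema: Dict[str, str]) -> Dict[str, Any]:
    """Extract the function name and typed arguments from one tool call."""
    match = _FUNC_RE.search(text)
    if match is None:
        raise ValueError("no <function=...> element in tool call")
    arguments = {
        name: convert_param_value(raw, schema.get(name))
        for name, raw in _PARAM_RE.findall(text)
    }
    return {"name": match.group(1), "arguments": arguments}


if __name__ == "__main__":
    print(parse_xml_function_call(SAMPLE_TOOL_CALL, TOOL_SCHEMA))
```

With the hardened converter the "note" parameter in the sample stays the literal string "sum(range(10))"; the described fallback would have evaluated it to 45. Typing the conversion from the schema also means a model-generated value that does not match the declared type is rejected at parse time rather than silently coerced.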


WAF Protection Rules

WAF Rule

### Summary
An unsafe deserialization vulnerability allows any authenticated user to execute arbitrary code on the server if they are able to get the model to pass the code as an argument to a tool call.

### Details
vLLM's [Qwen3 Coder tool parser]
