GHSA-79J6-G2M3-JGFW
Vulnerability from github – Published: 2025-08-21 14:46 – Updated: 2025-08-21 14:46
VLAI?
Summary
vLLM has remote code execution vulnerability in the tool call parser for Qwen3-Coder
Details
Summary
An unsafe deserialization vulnerability allows any authenticated user to execute arbitrary code on the server if they are able to get the model to pass the code as an argument to a tool call.
Details
vLLM's Qwen3 Coder tool parser contains a code execution path that uses Python's eval() function to parse tool call parameters. This occurs during the parameter conversion process when the parser attempts to handle unknown data types.
This code path is reached when:
1. Tool calling is enabled (--enable-auto-tool-choice)
2. The qwen3_coder parser is specified (--tool-call-parser qwen3_coder)
3. The parameter type is not explicitly defined or recognized
Impact
Remote Code Execution via Python's eval() function.
Severity ?
8.8 (High)
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "vllm"
},
"ranges": [
{
"events": [
{
"introduced": "0.10.0"
},
{
"fixed": "0.10.1.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-9141"
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": true,
"github_reviewed_at": "2025-08-21T14:46:51Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Summary\nAn unsafe deserialization vulnerability allows any authenticated user to execute arbitrary code on the server if they are able to get the model to pass the code as an argument to a tool call.\n\n### Details\n vLLM\u0027s [Qwen3 Coder tool parser](https://github.com/vllm-project/vllm/blob/main/vllm/entrypoints/openai/tool_parsers/qwen3coder_tool_parser.py) contains a code execution path that uses Python\u0027s `eval()` function to parse tool call parameters. This occurs during the parameter conversion process when the parser attempts to handle unknown data types.\n\nThis code path is reached when:\n1. Tool calling is enabled (`--enable-auto-tool-choice`)\n2. The qwen3_coder parser is specified (`--tool-call-parser qwen3_coder`)\n3. The parameter type is not explicitly defined or recognized\n\n### Impact\nRemote Code Execution via Python\u0027s `eval()` function.",
"id": "GHSA-79j6-g2m3-jgfw",
"modified": "2025-08-21T14:46:51Z",
"published": "2025-08-21T14:46:51Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/vllm-project/vllm/security/advisories/GHSA-79j6-g2m3-jgfw"
},
{
"type": "WEB",
"url": "https://github.com/vllm-project/vllm/pull/21396"
},
{
"type": "WEB",
"url": "https://github.com/vllm-project/vllm/commit/4594fc3b281713bd3d7634405b4a1393af40d294"
},
{
"type": "PACKAGE",
"url": "https://github.com/vllm-project/vllm"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "vLLM has remote code execution vulnerability in the tool call parser for Qwen3-Coder"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…