CVE-2025-9141

Description

### Summary An unsafe deserialization vulnerability allows any authenticated user to execute arbitrary code on the server if they are able to get the model to pass the code as an argument to a tool call. ### Details vLLM's [Qwen3 Coder tool parser](https://github.com/vllm-project/vllm/blob/main/vllm/entrypoints/openai/tool_parsers/qwen3coder_tool_parser.py) contains a code execution path that uses Python's `eval()` function to parse tool call parameters. This occurs during the parameter conversion process when the parser attempts to handle unknown data types. This code path is reached when: 1. Tool calling is enabled (`--enable-auto-tool-choice`) 2. The qwen3_coder parser is specified (`--tool-call-parser qwen3_coder`) 3. The parameter type is not explicitly defined or recognized ### Impact Remote Code Execution via Python's `eval()` function.

How to fix CVE-2025-9141

To remediate CVE-2025-9141, upgrade the affected package to a fixed version below.

• —upgrade to 0.10.1.1 or later

Is CVE-2025-9141 being exploited?

No exploitation signal available. Neither CISA KEV nor a current EPSS score has been published for CVE-2025-9141.

Affected packages (1)

• >= 0.10.0, < 0.10.1.1

CVSS scores

References (4)

• PATCHgithub.com/vllm-project/vllm
• WEBgithub.com/vllm-project/vllm/commit/4594fc3b281713bd3d7634405b4a1393af40d294
• WEBgithub.com/vllm-project/vllm/pull/21396
• WEBgithub.com/vllm-project/vllm/security/advisories/GHSA-79j6-g2m3-jgfw