vLLM has remote code execution vulnerability in the tool call parser for Qwen3-Coder
Description
Summary
An unsafe deserialization vulnerability allows any authenticated user to execute arbitrary code on the server if they are able to get the model to pass the code as an argument to a tool call.
### Details vLLM's Qwen3 Coder tool parser contains a code execution path that uses Python's eval() function to parse tool call parameters. This occurs during the parameter conversion process when the parser attempts to handle unknown data types.
This code path is reached when: 1. Tool calling is enabled (--enable-auto-tool-choice) 2. The qwen3_coder parser is specified (--tool-call-parser qwen3_coder) 3. The parameter type is not explicitly defined or recognized
Impact
Remote Code Execution via Python's eval() function.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
vllmPyPI | >= 0.10.0, < 0.10.1.1 | 0.10.1.1 |
Affected products
4- osv-coords3 versionspkg:apk/chainguard/tritonserver-backend-vllm-cuda-12.9pkg:apk/chainguard/tritonserver-backend-vllm-meta-cuda-12.9pkg:pypi/vllm
< 25.7.1_git20250821-r1+ 2 more
- (no CPE)range: < 25.7.1_git20250821-r1
- (no CPE)range: < 25.7.1_git20250821-r1
- (no CPE)range: >= 0.10.0, < 0.10.1.1
Patches
Vulnerability mechanics
References
4News mentions
0No linked articles in our index yet.