SGLang's reranking endpoint (/v1/rerank) achieves Remote Code Execution (RCE) when a model file containing a malcious tokenizer.chat_template is loaded, as the Jinja2 chat templates are rendered using an unsandboxed jinja2.Environment().
The /v1/rerank endpoint in SGLang renders Jinja2 templates defined in the tokenizer.chat_template field of the model file. Rendering is performed using an unsecured jinja2.Environment() object that does not apply sandboxing. An attacker can provide a model file containing a malicious Jinja2 template, whose execution leads to arbitrary code execution on the server side. The lack of authentication and complexity restrictions (AC:L, PR:N, UI:N) makes exploitation exceptionally simple.
An attacker can gain full control of the server — read, modify, or delete data (C:H, I:H, A:H on the CVSS scale), as well as execute arbitrary system commands in the context of the SGLang process.
Patches available in the project repository should be applied (pull request sgl-project/sglang#23660). Until the fix is implemented, it is recommended to restrict network access to the /v1/rerank endpoint only to trusted hosts and avoid loading model files from untrusted sources.
SGLang version 0.5.9 and potentially other versions with an unsecured Jinja2 engine — the exact version range is indicated in the producer's references (pull request #23660 in the sgl-project/sglang repository).
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HLmsys Sglang
APPLmsys< 0.5.11
Related vulnerabilities
RCE w SGLang przez niebezpieczną deserializację pickle na gnieździe ROUTER
SGLang: path traversal umożliwiający zapis dowolnych plików bez uwierzytelnienia
RCE przez niebezpieczną deserializację w SGLang (dill.loads)
RCE w SGLang przez deserializację pickle bez uwierzytelnienia (ZMQ broker)
SGLang: nieuwierzytelnione RCE przez deserializację pickle w module disaggregation