SGLangs multimodal generation runtime is vulnerable to unauthenticated remote code execution when the --enable-custom-logit-processor option is enabled, as Python objects loaded via dill.loads() will be deserialized without validation.
When SGLang is run with the --enable-custom-logit-processor flag, the application deserializes Python objects using the dill.loads() function without any validation or verification of input data. The dill library allows serialization and deserialization of almost any Python objects, including executable code. An attacker can send a specially crafted malicious payload over the network that, when deserialized, causes arbitrary code execution in the context of the SGLang process.
An unauthenticated remote attacker can execute arbitrary code on the server (RCE), leading to complete system compromise, disclosure of sensitive data, data modification, or disruption of service availability.
Apply patches available from the vendor according to references. Until updates are applied, do not run SGLang with the --enable-custom-logit-processor option, especially in environments accessible from untrusted networks. Access to SGLang endpoints should be restricted by firewall to trusted sources only.
Lmsys SGLang — installations run with the --enable-custom-logit-processor option; specific versions indicated in vendor references
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HLmsys Sglang
APPLmsys0.5.10
Related vulnerabilities
RCE w SGLang przez niebezpieczną deserializację pickle na gnieździe ROUTER
SGLang: path traversal umożliwiający zapis dowolnych plików bez uwierzytelnienia
SGLang: RCE przez niezabezpieczony silnik Jinja2 w endpoincie reranking
RCE w SGLang przez deserializację pickle bez uwierzytelnienia (ZMQ broker)
SGLang: nieuwierzytelnione RCE przez deserializację pickle w module disaggregation