SGLang's multimodal generation module is vulnerable to unauthenticated remote code execution through the ZMQ broker, which deserializes untrusted data using pickle.loads() without authentication.
The ZMQ broker in the multimodal generation module (scheduler_client.py) accepts data transmitted over the network and processes it with the pickle.loads() function without prior verification of the sender's identity. Pickle deserialization allows embedding arbitrary Python code in the transmitted object, which will be executed automatically during deserialization. Since the endpoint is available over the network without authentication, any attacker with access to the ZMQ broker port can send a crafted payload and take control of the system.
An attacker can execute arbitrary code in the context of the SGLang process on the server, which in practice means complete takeover of the machine — data theft, backdoor installation, or further lateral movement in the network.
SGLang should be updated to version v0.5.10 or later, in which the issue was fixed according to pull request #20904. As additional protection, network access to the ZMQ broker port should be restricted using a firewall so that it is accessible only from trusted hosts.
SGLang (Lmsys SGLang) — versions prior to v0.5.10 in which the multimodal generation module is active
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HLmsys Sglang
APPLmsys0.5.5 – 0.5.9
Related vulnerabilities
RCE w SGLang przez niebezpieczną deserializację pickle na gnieździe ROUTER
SGLang: path traversal umożliwiający zapis dowolnych plików bez uwierzytelnienia
RCE przez niebezpieczną deserializację w SGLang (dill.loads)
SGLang: RCE przez niezabezpieczony silnik Jinja2 w endpoincie reranking
SGLang: nieuwierzytelnione RCE przez deserializację pickle w module disaggregation