SGLang' encoder parallel disaggregation system is vulnerable to unauthenticated remote code execution through the disaggregation module, which deserializes untrusted data using pickle.loads() without authentication.
The disaggregation module in SGLang receives network data and deserializes it directly using the pickle.loads() function without prior authentication of the sender or content validation. The Python pickle library by design allows arbitrary code execution during deserialization of a crafted object. An attacker can send a malicious pickle payload to the listening endpoint, resulting in immediate code execution in the context of the SGLang process.
An attacker without any privileges, acting remotely over the network, can execute arbitrary code on the server hosting SGLang, gaining full control over the confidentiality, integrity, and availability of the system.
SGLang should be updated to version v0.5.10 or later, where the issue has been resolved according to pull request #20904. Additionally, it is recommended to restrict network access to the disaggregation module ports exclusively to trusted hosts (firewall, network segmentation) as an additional layer of protection.
SGLang (Lmsys Sglang) — versions before v0.5.10 using the encoder parallel disaggregation module (encode_receiver.py file)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HLmsys Sglang
APPLmsys0.5.5 – 0.5.9
Related vulnerabilities
RCE w SGLang przez niebezpieczną deserializację pickle na gnieździe ROUTER
SGLang: path traversal umożliwiający zapis dowolnych plików bez uwierzytelnienia
RCE przez niebezpieczną deserializację w SGLang (dill.loads)
SGLang: RCE przez niezabezpieczony silnik Jinja2 w endpoincie reranking
RCE w SGLang przez deserializację pickle bez uwierzytelnienia (ZMQ broker)