SGLangs multimodal generation runtime scheduler's ROUTER socket binds to 0.0.0.0 by default and contains a sink that calls pickle.loads() on incoming messages, enabling RCE when exposed to the internet.
The scheduler of the multimodal module in SGLang binds the ROUTER socket to address 0.0.0.0, which accepts connections from all network interfaces. Data sent to this socket is passed directly to the pickle.loads() function, which deserializes a Python object without any validation or authentication of the sender. An attacker can craft a malicious pickle payload and send it to the open socket, forcing arbitrary code execution in the context of the SGLang process.
An attacker gains the ability to remotely execute arbitrary code (RCE) on the server without requiring any privileges or user interaction, which can lead to complete system takeover, data theft, and violation of confidentiality, integrity, and availability.
Apply patches available from the vendor according to the references. Until updates are applied, it is recommended to restrict access to the ROUTER socket using a firewall or network rules so that the port is not accessible from untrusted networks or the public internet. SGLang should not be exposed directly to the internet without an authentication layer.
Lmsys SGLang product — versions indicated in the vendor references; the multimodal generation runtime scheduler component with default ROUTER socket configuration is vulnerable.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HLmsys Sglang
APPLmsys0.5.10
Related vulnerabilities
SGLang: path traversal umożliwiający zapis dowolnych plików bez uwierzytelnienia
RCE przez niebezpieczną deserializację w SGLang (dill.loads)
SGLang: RCE przez niezabezpieczony silnik Jinja2 w endpoincie reranking
RCE w SGLang przez deserializację pickle bez uwierzytelnienia (ZMQ broker)
SGLang: nieuwierzytelnione RCE przez deserializację pickle w module disaggregation