HIGH 7.3
PYSEC-2026-1919
SGLang Remote Code Execution Vulnerability via Unsafe Deserialization in update_weights_from_tensor
상세
A security flaw has been discovered in lmsys sglang 0.4.6. Affected by this vulnerability is the function main of the file /update_weights_from_tensor. The manipulation of the argument serialized_named_tensors results in deserialization. The attack can be launched remotely. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way.
이 버전이 영향받나요?
사용 중인 패키지 버전을 입력하면 즉시 평가합니다.
영향 패키지
참고
- https://nvd.nist.gov/vuln/detail/CVE-2025-10164 [ADVISORY]
- https://github.com/sgl-project/sglang/commit/49afb3d9d9deedf6dea3a6dd5c50e85e7d8bcb07 [WEB]
- https://github.com/sgl-project/sglang [PACKAGE]
- https://vuldb.com/?ctiid.323203 [WEB]
- https://vuldb.com/?id.323203 [WEB]
- https://vuldb.com/?submit.635919 [WEB]
- https://pypi.org/project/sglang [PACKAGE]
- https://github.com/advisories/GHSA-9w53-xr52-mwgj [ADVISORY]