VU#665416: SGLang (sglang) is ... Note

VU#665416: SGLang (sglang) is vulnerable to code execution attacks via unsafe pickle deserialization

SGLang, a serving framework for LLMs and multimodal models, has critical pickle deserialization vulnerabilities. Two vulnerabilities, CVE-2026-3059 and CVE-2026-3060, reside in the multimodal generation and encoder parallel disaggregation modules respectively. These flaws allow attackers to execute arbitrary code by sending malicious pickle files to the ZMQ broker. CVE-2026-3989 affects the replay_request_dump.py script, enabling code execution when handling malicious pickle files. The root cause across the vulnerabilities is the use of pickle.loads() to deserialize untrusted data without proper validation. This insecure deserialization can lead to remote code execution due to pickle's execution capabilities. Attackers could gain control of the SGLang service, potentially leading to system compromise. Users should restrict network access to SGLang interfaces to mitigate these risks. The use of alternatives to pickle, like JSON or msgpack, is strongly advised to prevent similar vulnerabilities. This document serves to highlight the risks associated with improper pickle usage. A proposed patch was submitted with no observed response from the maintainers during publication.