sglang@0.5.10.post1

SGLang is a fast serving framework for large language models and vision language models.

  • latest version

    0.5.10.post1

  • first published

    2 years ago

  • latest version published

    17 days ago

  • licenses detected

  • Direct Vulnerabilities

    Known vulnerabilities in the sglang package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability | Vulnerable Version
    • H
    Arbitrary Code Injection

    Affected versions of this package are vulnerable to Arbitrary Code Injection via the reranking endpoint when a model file containing a malicious tokenizer.chat_template is loaded, due to rendering Jinja2 chat templates using an unsandboxed jinja2.Environment. An attacker can execute arbitrary code by supplying a crafted model file with a malicious template.

    How to fix Arbitrary Code Injection?

    There is no fixed version for sglang.

    Vulnerable versions: [0,)
    • C
    Deserialization of Untrusted Data

    Affected versions of this package are vulnerable to Deserialization of Untrusted Data due to the use of the pickle.loads function. An attacker can execute arbitrary code by sending malicious serialized payloads to the exposed ZMQ REP socket, as received data is deserialized without authentication, message validation, or transport protection. This allows malicious pickle payloads to be executed immediately upon deserialization.

    How to fix Deserialization of Untrusted Data?

    There is no fixed version for sglang.

    Vulnerable versions: [0.5.5,)
    • C
    Deserialization of Untrusted Data

    Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the encode_receiver.py message handling logic in the encoder parallel disaggregation system. An attacker can execute arbitrary code by sending crafted payloads to the ZMQ socket when the encoder_transfer_backend zmq_to_scheduler option is enabled. The receiver binds to tcp://* and directly passes received data to pickle.loads() without authentication or validation, allowing malicious serialized objects to be deserialized and executed.

    How to fix Deserialization of Untrusted Data?

    There is no fixed version for sglang.

    Vulnerable versions: [0,)