lmsys Sglang Deserialization Vulnerability in Update Weights from Tensor Function
Vulnerability
A critical deserialization vulnerability has been identified in lmsys Sglang version 0.4.6. The issue arises in the 'main' function of the '/update_weights_from_tensor' file, where the 'serialized_named_tensors' argument is manipulated, leading to insecure deserialization. This vulnerability can be exploited remotely, allowing an unauthenticated attacker to execute arbitrary code on the affected system or gain a reverse shell, thereby achieving full control over the system.
Impact
Exploitation of this vulnerability allows for remote code execution on the affected system, with the potential to obtain a reverse shell and full control over the system.
Reproduction
The vulnerability can be reproduced by sending a POST request to the '/update_weights_from_tensor' endpoint with a base64-encoded, pickle-serialized payload that, when deserialized, executes arbitrary code. This can be done using a Python script to create the malicious payload, which is then sent via curl or a similar tool.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.