SGLang Remote Code Execution Vulnerability in Multimodal Generation ZMQ Broker
Vulnerability
A remote code execution vulnerability has been identified in SGLang's multimodal generation module, specifically within the ZMQ broker component. This vulnerability arises from the broker's deserialization of untrusted data using Python's pickle module, without any authentication or validation. The issue allows for unauthenticated remote code execution on the server where SGLang is running.
Impact
Exploitation of this vulnerability leads to full arbitrary code execution on the server, with the executed code running in the context of the SGLang process.
Reproduction
To reproduce this vulnerability, first launch an SGLang server with the multimodal generation feature enabled. The server will automatically start a ZMQ broker that listens on all network interfaces. Once the broker is running, an attacker can send a pickle payload containing a malicious '__reduce__' method through a ZMQ socket. The broker will deserialize the payload using 'pickle.loads()', executing the embedded code and resulting in remote code execution.
Remediation
SGLang users can manually apply a patch that binds the ZMQ broker to localhost by default and replaces pickle serialization with msgpack, while allowing pickle as a fallback. This vulnerability can also be mitigated by ensuring that ZMQ broker ports are not exposed to untrusted networks and by reviewing deployment flags to avoid using the multimodal generation feature.
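A review aid for the remediation above, as an added example that is not SGLang's code or part of the patch: a small standard-library scanner that flags the two patterns this advisory describes, pickle deserialization calls and ZMQ binds to a wildcard address. The sample source and the names audit, WILDCARD_PREFIXES and SAMPLE_SOURCE are constructed for illustration.

```python
import ast

WILDCARD_PREFIXES = ("tcp://*", "tcp://0.0.0.0", "tcp://[::]")

# Constructed sample source (not SGLang code) showing both patterns and a safe bind.
SAMPLE_SOURCE = '''
import pickle
import zmq

def run_broker(port):
    sock = zmq.Context().socket(zmq.REP)
    sock.bind(f"tcp://*:{port}")
    while True:
        msg = pickle.loads(sock.recv())
        sock.send(b"ok")

def run_local(port):
    sock = zmq.Context().socket(zmq.REP)
    sock.bind(f"tcp://127.0.0.1:{port}")
'''

def _literal_prefix(node):
    """Return the leading constant text of a str literal or f-string, else None."""
    if isinstance(node, ast.Constant) and isinstance(node.value, str):
        return node.value
    if isinstance(node, ast.JoinedStr) and node.values:
        first = node.values[0]
        if isinstance(first, ast.Constant) and isinstance(first.value, str):
            return first.value
    return None

def audit(source):
    """Return sorted (line, finding) tuples for pickle loads and wildcard binds.

    Limitation: only `pickle.load(s)` spelled with the module name is matched;
    aliased imports and addresses built at runtime need manual review.
    """
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)):
            continue
        attr, owner = node.func.attr, node.func.value
        if attr in ("loads", "load") and isinstance(owner, ast.Name) and owner.id == "pickle":
            findings.append((node.lineno, "pickle-deserialization"))
        elif attr == "bind" and node.args:
            prefix = _literal_prefix(node.args[0])
            if prefix and prefix.startswith(WILDCARD_PREFIXES):
                findings.append((node.lineno, "wildcard-bind"))
    return sorted(findings)
```

Because the patch described above keeps pickle as a fallback, a pickle finding that remains after patching marks a code path that still depends on the broker port being unreachable from untrusted networks.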
