SGLang Disaggregation Module Unauthenticated Remote Code Execution Vulnerability
Vulnerability
A vulnerability in the disaggregation encoder receiver of the SGLang framework allows for unauthenticated remote code execution. This issue arises because the disaggregation module deserializes untrusted data using Python's pickle module, without any authentication or validation. The vulnerability is present in all versions of SGLang that include the disaggregation module.
Impact
Exploitation of this vulnerability leads to full arbitrary code execution on the server where SGLang is running, with the same privileges as the SGLang process.
Reproduction
To reproduce this vulnerability, first upload a malicious pickle file to a directory that the SGLang server will read from, or use social engineering to have an operator load it. Then, run the SGLang server with the disaggregation module enabled, ensuring that the ZMQ broker is exposed to the network. The broker will deserialize the malicious pickle file without any authentication, executing the embedded code.
Remediation
As an immediate step, ensure that the ZMQ broker port is not exposed to untrusted networks. If the disaggregation features are not needed, disable them. For a long-term solution, SGLang's codebase should be audited to replace all instances of unsafe pickle deserialization with safe alternatives.
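One way to start the audit called for above, as an added example (not SGLang code or tooling from this advisory): a small AST scanner that lists pickle-based deserialization calls in Python source so each can be reviewed and replaced. The flagged names (`pickle`, `dill`, `cloudpickle`, and pyzmq's `recv_pyobj`, which unpickles the received frame) are assumptions about what is worth checking, and `SAMPLE` is constructed input.

```python
import ast

# Modules whose load/loads run pickle opcodes from the input (assumed audit list).
PICKLE_MODULES = {"pickle", "cPickle", "_pickle", "dill", "cloudpickle"}
PICKLE_FUNCS = {"load", "loads", "Unpickler"}
# pyzmq socket helper that calls pickle.loads on the received frame.
PICKLE_METHODS = {"recv_pyobj"}

def find_unsafe_deserialization(source, filename="<source>"):
    """Return sorted (line, call) pairs for pickle-based deserialization calls."""
    tree = ast.parse(source, filename=filename)
    modules, funcs = {}, {}  # local alias -> module name / "module.func"
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for a in node.names:
                if a.name in PICKLE_MODULES:
                    modules[a.asname or a.name] = a.name
        elif isinstance(node, ast.ImportFrom) and node.module in PICKLE_MODULES:
            for a in node.names:
                if a.name in PICKLE_FUNCS:
                    funcs[a.asname or a.name] = f"{node.module}.{a.name}"
    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        f = node.func
        if isinstance(f, ast.Name) and f.id in funcs:
            findings.append((node.lineno, funcs[f.id]))
        elif isinstance(f, ast.Attribute):
            if f.attr in PICKLE_METHODS:
                findings.append((node.lineno, f"<socket>.{f.attr}"))
            elif (isinstance(f.value, ast.Name) and f.value.id in modules
                  and f.attr in PICKLE_FUNCS):
                findings.append((node.lineno, f"{modules[f.value.id]}.{f.attr}"))
    return sorted(findings)

# Constructed sample (not SGLang source): a message handler mixing unsafe and safe decoding.
SAMPLE = '''\
import json
import pickle as pk
from pickle import loads

def handle(sock):
    frame = sock.recv()
    job = pk.loads(frame)
    meta = loads(frame)
    other = sock.recv_pyobj()
    safe = json.loads(frame)
'''
```

Run `find_unsafe_deserialization` over each file's text; every hit is a call site to move to a data-only format such as JSON, or to place behind authentication if the format cannot change.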
