SGLang Replay Request Dump Insecure Pickle Deserialization Vulnerability Allowing Remote Code Execution
Vulnerability
A vulnerability exists in the SGLang framework's `replay_request_dump.py` script, which calls `pickle.load()` on dump files without any validation of their contents. This flaw allows an attacker to craft a malicious `.pkl` file that, when loaded by the script, executes arbitrary code on the host machine. The issue arises from the design of Python's pickle module: unpickling can import and call any Python callable named in the byte stream, so deserializing attacker-controlled data is equivalent to running attacker-controlled code.
Impact
Exploitation of this vulnerability leads to unauthorized remote code execution on the device running the affected script.
Reproduction
To reproduce this vulnerability, an attacker must create a malicious `.pkl` file containing a payload that, when deserialized, executes code of the attacker's choosing. This file can be placed in a directory where the SGLang application will read it, such as a crash dump folder. Once the file is in place, the operator can run the `replay_request_dump.py` script, which will load the malicious pickle file and execute the embedded code.
Remediation
Users are advised not to run `replay_request_dump.py` on `.pkl` files from untrusted sources or shared directories with weak permissions.
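Pickle gives a loader no way to verify a file before the stream is executed, so beyond directory permissions the practical hardening for a replay tool is to inspect the opcode stream first and to load with an unpickler that only resolves an explicit allowlist of globals. The following is an added example illustrating both checks; it is not code from the advisory or from SGLang, and the allowlist, the `check_dump` helper and the sample dumps are constructed for this illustration. `OrderedDict` stands in for any global a dump could name; the point is that anything outside the allowlist is refused before it can be called.

```python
"""Added example (not SGLang's code): inspect a pickle dump without running it,
then load it with an allowlisting unpickler.

  1. list_globals(): walk the opcode stream with pickletools (nothing executes)
     and report every module.name the file would resolve on load.
  2. safe_loads(): deserialize with an Unpickler whose find_class() only
     resolves entries in SAFE_GLOBALS and raises for everything else.

The allowlist and the sample dumps below are constructed for this example.
"""
import io
import pickle
import pickletools
from collections import OrderedDict

# Constructed allowlist: plain data containers only. A real replay tool would
# list exactly the request/record types it expects to find in a dump.
SAFE_GLOBALS = {
    ("builtins", "dict"),
    ("builtins", "list"),
    ("builtins", "set"),
    ("builtins", "frozenset"),
    ("builtins", "tuple"),
}

# Opcodes that push a text string onto the stack; used to recover the
# module/name pair that precedes a protocol-4 STACK_GLOBAL opcode.
_STRING_OPS = ("SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE")


def list_globals(data: bytes) -> list:
    """Return (module, name) pairs the pickle would resolve, without loading it.

    GLOBAL and INST carry 'module name' as their argument. STACK_GLOBAL takes
    the two most recently pushed strings, which is how the standard pickler
    emits it; if they were fetched from the memo instead, the pair is reported
    as unresolved so the reference is still flagged.
    """
    found = []
    recent_strings = []
    for opcode, arg, _pos in pickletools.genops(data):
        if opcode.name in ("GLOBAL", "INST"):
            module, name = arg.split(" ", 1)
            found.append((module, name))
        elif opcode.name == "STACK_GLOBAL":
            if len(recent_strings) >= 2:
                found.append((recent_strings[-2], recent_strings[-1]))
            else:
                found.append(("<unresolved>", "<unresolved>"))
        elif opcode.name in _STRING_OPS:
            recent_strings.append(arg)
    return found


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses every global not listed in SAFE_GLOBALS."""

    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(
            f"refusing to resolve global {module}.{name} from untrusted pickle")


def safe_loads(data: bytes):
    """Load a dump through the restricted unpickler."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def check_dump(data: bytes) -> dict:
    """Report which globals a dump references and whether the restricted
    loader accepts it. The returned dict is this example's own format."""
    globals_seen = list_globals(data)
    try:
        value = safe_loads(data)
    except pickle.UnpicklingError as exc:
        return {"globals": globals_seen, "loaded": False, "error": str(exc)}
    return {"globals": globals_seen, "loaded": True, "value": value}


# Constructed sample dumps: a plain-data request record, and one whose root
# object is a class outside the allowlist (harmless here, but the loader
# cannot tell a harmless global from a dangerous one and must refuse both).
PLAIN_DUMP = pickle.dumps(
    {"rid": "req-1", "prompt": "hello", "tokens": [1, 2, 3]}, protocol=4)
GLOBAL_DUMP = pickle.dumps(OrderedDict(rid="req-2"), protocol=4)

if __name__ == "__main__":
    for label, blob in (("plain", PLAIN_DUMP), ("global", GLOBAL_DUMP)):
        print(label, check_dump(blob))
```

`list_globals` is a triage step for an operator who finds an unexpected `.pkl` in a dump directory: it shows what the file would import without executing it. `safe_loads` is the loader a replay tool should use in place of a bare `pickle.load()`; note that it only closes the global-resolution path, so the allowlist must stay limited to types whose construction cannot run arbitrary code.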