SGLang Multimodal Generation Runtime Remote Code Execution Vulnerability

Vulnerability

A remote code execution vulnerability exists in the scheduler of the SGLang multimodal generation runtime. The ROUTER socket binds to all network interfaces by default and deserializes incoming messages with pickle.loads(), which allows remote code execution when the socket is exposed to the internet. The issue affects SGLang versions 0.5.5 and later, specifically when the multimodal runtime is enabled and the scheduler socket is reachable on all interfaces.

Impact

Successful exploitation gives an attacker remote code execution on the server hosting the SGLang runtime.

Reproduction

To reproduce this vulnerability, deploy the SGLang multimodal generation runtime with the default '0.0.0.0' host setting, which exposes the scheduler socket on all network interfaces. Once the server is running, send a crafted pickle payload to the ROUTER socket that triggers the execution of arbitrary code. This can be done using a ZeroMQ client that connects to the exposed socket and sends the malicious payload.
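As an added, defender-side example (not SGLang's own code), the two conditions the advisory names, a wildcard bind and pickle.loads() on socket input, are checked and hardened in Python: a guard that refuses an all-interfaces bind address, and an unpickler that resolves only allowlisted globals. The function names, the endpoint format and the sample messages are assumptions constructed for illustration.

```python
import io
import pickle

# Hosts that make a listening socket reachable on every interface; the
# '0.0.0.0' default described above is the case that exposes the scheduler.
WILDCARD_HOSTS = frozenset({"0.0.0.0", "::", "*", ""})

def is_wildcard_bind(host: str) -> bool:
    """True when binding to `host` would listen on all network interfaces."""
    return host.strip() in WILDCARD_HOSTS

def scheduler_endpoint(host: str, port: int) -> str:
    """Hypothetical guard in front of socket.bind(): refuse wildcard hosts."""
    if is_wildcard_bind(host):
        raise ValueError(f"refusing to expose the ROUTER socket on {host!r}")
    return f"tcp://{host}:{port}"

class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that resolves only allowlisted (module, name) globals.

    Every global a pickle stream asks for goes through find_class(), so
    refusing unknown names leaves a crafted stream no callable to invoke.
    This is defence in depth; not unpickling network input at all is safer.
    """

    def __init__(self, data: bytes, allowed: frozenset):
        super().__init__(io.BytesIO(data))
        self._allowed = allowed

    def find_class(self, module: str, name: str):
        if (module, name) not in self._allowed:
            raise pickle.UnpicklingError(f"refused global {module}.{name}")
        return super().find_class(module, name)

def safe_loads(data: bytes, allowed: frozenset = frozenset()):
    """Deserialize a scheduler message with the global allowlist enforced."""
    return RestrictedUnpickler(data, allowed).load()

def message_is_accepted(data: bytes, allowed: frozenset = frozenset()) -> bool:
    """True if `data` loads without touching a global outside the allowlist."""
    try:
        safe_loads(data, allowed)
    except (pickle.UnpicklingError, EOFError):
        return False
    return True

# Constructed sample messages (not captured from SGLang traffic).
PLAIN_MESSAGE = pickle.dumps({"req_id": 7, "prompt_ids": [1, 2, 3]})
GLOBAL_REF_MESSAGE = pickle.dumps(sum)  # resolves builtins.sum at load time
```

Binding the scheduler to a loopback or private address and rejecting any global lookup on incoming messages removes both preconditions the advisory relies on; a message format that cannot carry code at all (JSON, msgpack) is the stronger long-term fix.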

Added: May 18, 2026, 12:22 PM
Updated: May 18, 2026, 12:22 PM

Vulnerability Rating (Custom Algorithm)

spread: 0.0
impact: 7.5
exploitability: 7.8
remediation: 0.0
relevance: 8.5
threat: 4.8
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.