SGL Project SGLang HuggingFace Transformer Handler Remote Deserialization Vulnerability

Vulnerability

A remote deserialization vulnerability has been identified in SGL Project SGLang, affecting versions through 0.5.9. The flaw is located in the HuggingFace Transformer Handler, specifically in the get_tokenizer function of python/sglang/srt/utils/hf_transformers_utils.py, which is responsible for loading a model's tokenizer through Hugging Face Transformers. Untrusted input reaching this function can be deserialized without sufficient validation. The attack is rated as high complexity, so exploitation is considered difficult.

Impact

Successful exploitation causes attacker-influenced data to be deserialized by the SGLang server process. Depending on what is deserialized, this could potentially lead to arbitrary code execution with the privileges of that process, or to manipulation of the application's behaviour.
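The page gives no exploit details, so the following is an added hardening example of the kind of check an operator can place in front of a tokenizer loader such as get_tokenizer. It is not SGLang's own code and it does not reproduce the vulnerable code path. It assumes a deployment in which tokenizers come either from a fixed allowlist of Hugging Face Hub repository ids or from directories beneath an operator-controlled root; the TokenizerPolicy class, the function names, the sample repository id and the list of forbidden file suffixes are all assumptions made for this example. The check rejects URL-style sources, Hub ids not on the allowlist, paths that resolve (after symlink and ".." resolution) outside the allowed roots, and local directories containing pickled or Python-source files; the loading wrapper then forces trust_remote_code=False before calling AutoTokenizer.from_pretrained.

```python
"""Guarded tokenizer loading: an allowlist and file check placed in front of
AutoTokenizer.from_pretrained().  Added example, not SGLang's own code."""
from __future__ import annotations

import os
import re
import tempfile
from dataclasses import dataclass

# Suffixes that mean "pickled object" or "Python source".  A tokenizer loader
# should never deserialize or import these.  (Assumed list for this example;
# model weight files are out of scope here and are not checked.)
FORBIDDEN_SUFFIXES = (".pkl", ".pickle", ".py")

# "org/name" shape of a Hugging Face Hub repository id.
HUB_REPO_RE = re.compile(r"^[A-Za-z0-9][\w.-]*/[A-Za-z0-9][\w.-]*$")


@dataclass(frozen=True)
class TokenizerPolicy:
    allowed_repos: frozenset[str]   # Hub repos that may be fetched
    local_roots: tuple[str, ...]    # directories local tokenizers may live under


def check_tokenizer_source(name: str, policy: TokenizerPolicy) -> str:
    """Return "hub" or "local" when `name` passes the policy; raise ValueError otherwise.

    Hub ids are accepted only from the allowlist.  Anything else is treated as a
    local path that must resolve beneath one of `local_roots` and must not
    contain pickled or executable files.
    """
    if "://" in name:
        raise ValueError(f"URL-style tokenizer source rejected: {name!r}")
    if HUB_REPO_RE.match(name) and name in policy.allowed_repos:
        return "hub"

    real = os.path.realpath(name)  # collapses ".." and follows symlinks
    roots = [os.path.realpath(r) for r in policy.local_roots]
    if not any(os.path.commonpath([real, r]) == r for r in roots):
        raise ValueError(f"tokenizer path outside allowed roots: {name!r}")
    if not os.path.isdir(real):
        raise ValueError(f"tokenizer directory not found: {name!r}")

    for entry in os.listdir(real):
        if entry.lower().endswith(FORBIDDEN_SUFFIXES):
            raise ValueError(f"refusing tokenizer dir containing {entry!r}")
    return "local"


def load_tokenizer_guarded(name: str, policy: TokenizerPolicy, **kwargs):
    """Run the policy check, then call AutoTokenizer.from_pretrained with
    trust_remote_code pinned to False.  transformers is imported lazily so the
    policy code above stays usable (and testable) without it installed."""
    check_tokenizer_source(name, policy)
    from transformers import AutoTokenizer  # real API; imported only when needed
    kwargs.pop("trust_remote_code", None)   # callers may not re-enable it
    return AutoTokenizer.from_pretrained(name, trust_remote_code=False, **kwargs)


def make_sample_tokenizer_dir(root: str, with_pickle: bool) -> str:
    """Build a constructed (empty-content) tokenizer directory under `root`."""
    d = tempfile.mkdtemp(prefix="tok-", dir=root)
    for fname in ("tokenizer.json", "tokenizer_config.json"):
        open(os.path.join(d, fname), "w").close()
    if with_pickle:
        open(os.path.join(d, "tokenizer.pkl"), "w").close()
    return d


def demo() -> dict[str, str]:
    """Exercise the check on constructed inputs; returns the decision per input."""
    root = tempfile.mkdtemp(prefix="tokroot-")      # allowed local root
    outside = tempfile.mkdtemp(prefix="elsewhere-")  # sibling dir, not allowed
    policy = TokenizerPolicy(
        allowed_repos=frozenset({"example-org/example-tokenizer"}),  # assumed id
        local_roots=(root,),
    )
    cases = {
        "allowed hub repo": "example-org/example-tokenizer",
        "unknown hub repo": "evil-org/backdoored-tokenizer",
        "url": "https://example.invalid/tok",
        "clean local dir": make_sample_tokenizer_dir(root, with_pickle=False),
        "local dir with pickle": make_sample_tokenizer_dir(root, with_pickle=True),
        "traversal outside root": os.path.join(root, "..", os.path.basename(outside)),
    }
    results: dict[str, str] = {}
    for label, name in cases.items():
        try:
            results[label] = check_tokenizer_source(name, policy)
        except ValueError:
            results[label] = "rejected"
    return results


if __name__ == "__main__":
    for label, decision in demo().items():
        print(f"{label:24s} -> {decision}")
```

The ordering matters: an allowlisted Hub id is accepted before any path logic runs, while a Hub-shaped id that is not on the allowlist falls through to the local-path rules and is rejected because it does not resolve under an allowed root. Resolving with os.path.realpath before the commonpath comparison is what defeats both ".." traversal and symlinks planted inside the allowed root.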

Added: May 2, 2026, 10:17 PM
Updated: May 2, 2026, 10:17 PM

Vulnerability Rating

Custom Algorithm

spread          0.0
impact          2.5
exploitability  6.8
remediation     0.0
relevance       6.9
threat          0.0
urgency         2.9
incentive       4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.