CVE-2025-10164 Overview
A security flaw has been discovered in lmsys SGLang version 0.4.6. This vulnerability affects the main function of the file /update_weights_from_tensor. The manipulation of the argument serialized_named_tensors results in insecure deserialization, allowing attackers to potentially execute malicious code or manipulate application behavior. The attack can be launched remotely without authentication. The exploit has been released to the public and may be actively exploited. The vendor was contacted early about this disclosure but did not respond in any way.
Critical Impact
Remote attackers can exploit insecure deserialization in SGLang's tensor weight update functionality to potentially execute arbitrary code or compromise system integrity without authentication.
Affected Products
- lmsys SGLang 0.4.6
Discovery Timeline
- 2025-09-09 - CVE CVE-2025-10164 published to NVD
- 2025-09-11 - Last updated in NVD database
Technical Details for CVE-2025-10164
Vulnerability Analysis
This vulnerability stems from insecure deserialization practices within the SGLang framework's weight update mechanism. The /update_weights_from_tensor endpoint accepts serialized tensor data through the serialized_named_tensors parameter without proper validation or sanitization. When untrusted serialized data is deserialized, an attacker can craft malicious payloads that execute arbitrary operations during the deserialization process.
The vulnerability is classified under CWE-20 (Improper Input Validation), indicating that the application fails to properly validate input before processing. In the context of machine learning frameworks like SGLang, tensor serialization is commonly used for model weight updates and distributed training operations, making this a particularly sensitive attack surface.
Root Cause
The root cause of this vulnerability lies in the improper handling of serialized tensor data in the main function of the /update_weights_from_tensor endpoint. The application deserializes the serialized_named_tensors argument without implementing adequate security controls such as:
- Input validation before deserialization
- Type checking of deserialized objects
- Allowlisting of permitted classes during deserialization
- Signature verification of serialized payloads
This allows attackers to inject malicious objects that execute code when deserialized by the application.
Attack Vector
The attack can be launched remotely over the network. An attacker does not require authentication to exploit this vulnerability. The exploitation flow involves:
- Crafting a malicious serialized payload containing harmful objects
- Sending the payload to the /update_weights_from_tensor endpoint via the serialized_named_tensors parameter
- The application deserializes the payload without proper validation
- Malicious code embedded in the serialized object executes during deserialization
The vulnerability has been publicly disclosed, and exploit details are available. For technical details regarding the exploitation mechanism, refer to the VulDB advisory.
Detection Methods for CVE-2025-10164
Indicators of Compromise
- Unexpected HTTP requests to the /update_weights_from_tensor endpoint from external or unauthorized sources
- Unusual process spawning or child process creation originating from the SGLang application
- Anomalous network connections initiated by the SGLang process following tensor update requests
- Suspicious serialized data patterns in application logs or network traffic
Detection Strategies
- Monitor HTTP traffic for requests targeting the /update_weights_from_tensor endpoint, especially from untrusted networks
- Implement application-level logging to capture all deserialization operations and their source
- Deploy network intrusion detection systems (IDS) with signatures for known deserialization attack patterns
- Use endpoint detection and response (EDR) solutions like SentinelOne to detect post-exploitation behaviors
Monitoring Recommendations
- Enable verbose logging for the SGLang application to capture request details and parameter values
- Set up alerts for any access to the /update_weights_from_tensor endpoint from non-whitelisted IP addresses
- Monitor system calls and process behavior for the SGLang application to detect code execution attempts
- Review authentication logs for any unauthorized access attempts to model update functionalities
How to Mitigate CVE-2025-10164
Immediate Actions Required
- Restrict network access to the /update_weights_from_tensor endpoint using firewall rules or network segmentation
- Implement authentication and authorization controls for all model weight update operations
- If not actively using the weight update functionality, consider disabling or removing the /update_weights_from_tensor endpoint
- Monitor for exploitation attempts and review logs for any suspicious activity
Patch Information
At the time of publication, the vendor (lmsys) has not responded to disclosure communications and no official patch is available. Organizations using SGLang 0.4.6 should implement the recommended workarounds and monitor for vendor updates. Check the VulDB advisory for the latest status on vendor response and patches.
Workarounds
- Deploy a web application firewall (WAF) or reverse proxy to filter and validate requests to vulnerable endpoints
- Implement network-level access controls to restrict access to the SGLang service from trusted sources only
- Use containerization or sandboxing to limit the impact of potential exploitation
- Consider upgrading to a newer version of SGLang if one becomes available with security fixes
# Example: Restrict access to the vulnerable endpoint using iptables
# Allow only trusted internal network (adjust as needed)
iptables -A INPUT -p tcp --dport 8080 -s 10.0.0.0/8 -j ACCEPT
iptables -A INPUT -p tcp --dport 8080 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
