CVE-2025-10164
📋 TL;DR
CVE-2025-10164 is a remote code execution vulnerability in lmsys sglang 0.4.6 caused by unsafe deserialization in the update_weights_from_tensor function. Attackers can exploit this by sending malicious serialized data to execute arbitrary code on affected systems. Organizations using sglang 0.4.6 for machine learning workloads are affected.
💻 Affected Systems
- lmsys sglang
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise allowing attackers to execute arbitrary code, steal sensitive data, install persistent backdoors, or pivot to other systems in the network.
Likely Case
Remote code execution leading to data exfiltration, cryptocurrency mining, or deployment of ransomware on vulnerable systems.
If Mitigated
Limited impact through network segmentation and proper input validation, potentially resulting in denial of service but preventing full system compromise.
🎯 Exploit Status
Exploit code is publicly available and requires no authentication. Attackers can trigger the vulnerability by sending specially crafted serialized data to the vulnerable function.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: None available
Restart Required: Yes
Instructions:
1. Monitor vendor channels for security updates.
2. Upgrade to a patched version when available.
3. Restart sglang services after patching.
🔧 Temporary Workarounds
Network Isolation
(linux) Restrict network access to sglang services to trusted sources only
iptables -A INPUT -p tcp --dport [sglang_port] -s [trusted_ip] -j ACCEPT
iptables -A INPUT -p tcp --dport [sglang_port] -j DROP
Input Validation
(all platforms) Implement strict input validation for serialized data before processing
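One way to apply the input-validation workaround above, as an added example that is not sglang's own code: an allowlisting loader that refuses any global the stream references unless it is explicitly permitted. It assumes the serialized data is a Python pickle stream (the page does not name the format); `ALLOWED_GLOBALS`, `MAX_PAYLOAD_BYTES`, `safe_loads` and `check` are hypothetical names.

```python
import io
import pickle
from collections import OrderedDict

# Assumption: the serialized input is a Python pickle stream; the page does
# not name the format. The allowlist is illustrative, not sglang's.
ALLOWED_GLOBALS = {("collections", "OrderedDict")}
MAX_PAYLOAD_BYTES = 64 * 1024 * 1024  # constructed limit; tune per deployment


class RejectedPayload(Exception):
    """Raised when a payload fails validation before or during loading."""


class AllowlistUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        # Every global the stream references passes through here; anything
        # not explicitly allowlisted is refused instead of imported.
        if (module, name) not in ALLOWED_GLOBALS:
            raise RejectedPayload(f"global {module}.{name} is not allowlisted")
        return super().find_class(module, name)


def safe_loads(data: bytes):
    if len(data) > MAX_PAYLOAD_BYTES:
        raise RejectedPayload("payload exceeds size limit")
    try:
        return AllowlistUnpickler(io.BytesIO(data)).load()
    except RejectedPayload:
        raise
    except Exception as exc:
        # Truncated or malformed streams are rejected, not propagated raw.
        raise RejectedPayload(f"malformed payload: {exc}") from exc


def check(data: bytes) -> str:
    """Return 'accepted' or 'rejected: <reason>' for logging and alerting."""
    try:
        safe_loads(data)
        return "accepted"
    except RejectedPayload as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    # Constructed samples: plain data, an allowlisted type, a disallowed global.
    print(check(pickle.dumps({"layer.weight": [0.1, 0.2]})))
    print(check(pickle.dumps(OrderedDict(a=1))))
    print(check(pickle.dumps(len)))
```

The rejection strings from `check` can be logged so that repeated refusals show up as the failed-deserialization indicator listed under Detection & Monitoring.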
🧯 If You Can't Patch
- Isolate vulnerable systems in a dedicated network segment with strict egress filtering
- Implement application-level firewalls to monitor and block suspicious serialization patterns
🔍 How to Verify
Check if Vulnerable:
Check the installed sglang version with: pip show sglang | grep Version. If the version is 0.4.6, the system is vulnerable.
Check Version:
pip show sglang | grep Version
Verify Fix Applied:
After patching, verify that the version is no longer 0.4.6 and test with safe serialization payloads.
📡 Detection & Monitoring
Log Indicators:
- Unusual serialization errors in sglang logs
- Multiple failed deserialization attempts
- Unexpected process spawns from sglang
Network Indicators:
- Unusual network connections from sglang processes
- Large serialized data payloads to sglang ports
- Traffic patterns matching known exploit signatures
SIEM Query:
source="sglang.log" AND ("deserialization error" OR ("update_weights_from_tensor" AND error))