PyPI: sglang
CVE-2025-10164
Safety vulnerability ID: SFTY-20250909-95616
Safety legacy ID: pyup.io-81122
Overview
SGLang Remote Code Execution Vulnerability via Unsafe Deserialization in update_weights_from_tensor
Advisory
Affected versions of the sglang package are vulnerable to Deserialization of Untrusted Data due to unsafe deserialization of the user-controlled serialized_named_tensors argument in the update_weights_from_tensor main routine. The /update_weights_from_tensor main function accepts a serialized_named_tensors payload and deserializes it without validation or sandboxing, allowing attacker-supplied objects to be instantiated during the weight-update path.
References
- https://getsafety.com/vulnerabilities/SFTY-20250909-95616/CVE-2025-10164
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-10164
- https://github.com/advisories/GHSA-9w53-xr52-mwgj
- https://github.com/sgl-project/sglang/commit/49afb3d9d9deedf6dea3a6dd5c50e85e7d8bcb07
- https://nvd.nist.gov/vuln/detail/CVE-2025-10164
- https://vuldb.com/?ctiid.323203
- https://vuldb.com/?id.323203
- https://vuldb.com/?submit.635919
Verified by Safety
Our Cybersecurity Intelligence Team reviewed this vulnerability. We combine public data with our own research to find issues not yet reported to public sources.
