VYPR
High severity · CVSS 7.3 · GHSA Advisory · Published Sep 9, 2025 · Updated Apr 29, 2026

CVE-2025-10164

Description

A security flaw has been discovered in lmsys sglang 0.4.6. The affected code is the function main of the file /update_weights_from_tensor. Manipulation of the argument serialized_named_tensors leads to deserialization of untrusted data. The attack can be launched remotely. The exploit has been released to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
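As an added illustration (not code from the advisory or from the sglang project), a restricted unpickler of the kind that mitigates this class of bug: it accepts the base64-or-bytes input shape the affected endpoint takes, resolves only an explicit allowlist of (module, name) pairs, and fails closed on every other global. The allowlist entries, the sample named-tensor payload and the disallowed sample are constructed assumptions for this example.

```python
import base64
import io
import pickle
from collections import OrderedDict
from fractions import Fraction

# Constructed allowlist: the concrete (module, name) pairs this transport
# needs. A real weight-sync deployment would enumerate its tensor classes
# here instead of allowing whole module prefixes.
ALLOWED_GLOBALS = {
    ("collections", "OrderedDict"),
    ("builtins", "dict"),
    ("builtins", "list"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that resolves only allowlisted globals; everything else fails closed."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        # Any global not explicitly listed (not just a denylist of known-bad
        # callables) is refused before it can be resolved.
        raise pickle.UnpicklingError(f"global {module}.{name} is not allowlisted")


def restricted_loads(data):
    """Accept base64 text or raw bytes, as the affected endpoint does, then load safely."""
    if isinstance(data, str):
        data = base64.b64decode(data, validate=True)
    return RestrictedUnpickler(io.BytesIO(data)).load()


def is_accepted(data):
    """True if the payload deserializes under the allowlist, False if it is refused."""
    try:
        restricted_loads(data)
        return True
    except pickle.UnpicklingError:
        return False


def sample_named_tensors():
    """Constructed stand-in for a serialized_named_tensors payload (name -> values)."""
    named = OrderedDict([("layer.weight", [0.1, 0.2]), ("layer.bias", [0.0])])
    raw = pickle.dumps(named)
    return named, raw, base64.b64encode(raw).decode("ascii")


def sample_disallowed():
    """Harmless object whose pickle references a global outside the allowlist."""
    return pickle.dumps(Fraction(1, 3))
```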

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Ecosystem | Affected versions | Patched versions |
|---------|-----------|-------------------|------------------|
| sglang  | PyPI      | < 0.5.4           | 0.5.4            |

Patches

49afb3d9d9de

Fix(security): block unsafe pickle deserialization to mitigate CVE-2025-10164 (#11909)

https://github.com/sgl-project/sglang · thelongestusernameofall · Oct 24, 2025 · via ghsa
3 files changed · +81 −1
  • docs/index.rst (+6 −0, modified)
    @@ -98,3 +98,9 @@ Its core features include:
        references/custom_chat_template.md
        references/frontend/frontend_index.rst
        references/learn_more.md
    +
    +.. toctree::
    +   :maxdepth: 1
    +   :caption: Security Acknowledgement
    +
    +   security/acknowledgements.md
    
  • docs/security/acknowledgements.md (+3 −0, added)
    @@ -0,0 +1,3 @@
    +| Time       | CVE ID       | Credit to        | Affected Versions         | Severity   | Impact               | Description |
    +|------------|--------------|------------------|---------------------------|------------|----------------------|-------------|
    +| 2025-09-09 | CVE-2025-10164 | Simon Huang, pjf | ≥ 0.4.6 & ≤ 0.5.3          | Critical   | Remote Code Execution | A security flaw exists in lmsys sglang versions ≥ 0.4.6 and ≤ 0.5.3. The vulnerability arises from the use of unsafe pickle deserialization of the `serialized_named_tensors` parameter in the `/update_weights_from_tensor` API endpoint, which could allow a remote attacker to execute arbitrary code on the server by sending a specially crafted payload. |
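Review bot: the Severity cell says "Critical" while the advisory header on this page rates CVE-2025-10164 High (CVSS 7.3); pick one source of truth (or cite the CVSS vector next to the rating) so the acknowledgements table does not contradict the published score. The Description cell also repeats the "≥ 0.4.6 and ≤ 0.5.3" range already given in Affected Versions; trimming it to the mechanism (unsafe pickle deserialization of `serialized_named_tensors` in `/update_weights_from_tensor`) keeps the row readable.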
    
  • python/sglang/srt/utils/common.py (+72 −1, modified)
    @@ -2099,7 +2099,78 @@ def deserialize(data):
                 # Decode base64 string to bytes
                 data = pybase64.b64decode(data, validate=True)
     
    -        return ForkingPickler.loads(data)
    +        class SafeUnpickler(pickle.Unpickler):
    +            ALLOWED_MODULE_PREFIXES = {
    +                # --- Python types ---
    +                "builtins.",
    +                "collections.",
    +                "copyreg.",
    +                "functools.",
    +                "itertools.",
    +                "operator.",
    +                "types.",
    +                "weakref.",
    +                # --- PyTorch types ---
    +                "torch.",
    +                "torch._tensor.",
    +                "torch.storage.",
    +                "torch.nn.parameter.",
    +                "torch.autograd.function.",
    +                # --- torch distributed ---
    +                "torch.distributed.",
    +                "torch.distributed._shard.",
    +                "torch.distributed._composable.",
    +                "torch._C._distributed_c10d.",
    +                "torch._C._distributed_fsdp.",
    +                "torch.distributed.optim.",
    +                # --- multiprocessing ---
    +                "multiprocessing.resource_sharer.",
    +                "multiprocessing.reduction.",
    +                "pickletools.",
    +                # --- PEFT / LoRA ---
    +                "peft.",
    +                "transformers.",
    +                "huggingface_hub.",
    +                # --- SGLang & Unitest ---
    +                "sglang.srt.weight_sync.tensor_bucket.",
    +                "sglang.srt.model_executor.model_runner.",
    +                "sglang.srt.layers.",
    +                "sglang.srt.utils.",
    +            }
    +
    +            DENY_CLASSES = {
    +                ("builtins", "eval"),
    +                ("builtins", "exec"),
    +                ("builtins", "compile"),
    +                ("os", "system"),
    +                ("subprocess", "Popen"),
    +                ("subprocess", "run"),
    +                ("codecs", "decode"),
    +                ("types", "CodeType"),
    +                ("types", "FunctionType"),
    +            }
    +
    +            def find_class(self, module, name):
    +                # Block deterministic attacks
    +                if (module, name) in self.DENY_CLASSES:
    +                    raise RuntimeError(
    +                        f"Blocked unsafe class loading ({module}.{name}), "
    +                        f"to prevent exploitation of CVE-2025-10164"
    +                    )
    +                # Allowlist of safe-to-load modules.
    +                if any(
    +                    (module + ".").startswith(prefix)
    +                    for prefix in self.ALLOWED_MODULE_PREFIXES
    +                ):
    +                    return super().find_class(module, name)
    +
    +                # Block everything else. (Potential attack surface)
    +                raise RuntimeError(
    +                    f"Blocked unsafe class loading ({module}.{name}), "
    +                    f"to prevent exploitation of CVE-2025-10164"
    +                )
    +
    +        return SafeUnpickler(io.BytesIO(data)).load()
     
     
     def debug_timing(func):
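Review bot: find_class still allows every name under the `builtins.`, `torch.`, `transformers.`, `huggingface_hub.` and `peft.` prefixes and then relies on the nine-entry DENY_CLASSES set to subtract the dangerous ones; a denylist over namespaces that broad is the weaker pattern, because any callable those packages expose that is not listed remains resolvable. Prefer an explicit allowlist of the concrete (module, name) pairs a weight-sync payload actually contains (the tensor, storage and parameter classes plus the containers used to wrap them) and reject everything else, which also makes DENY_CLASSES unnecessary. Smaller points: `"torch."` already matches every `torch.*` submodule, so the more specific torch entries are redundant; the hunk does not show `import pickle` or `import io` being added for `pickle.Unpickler` and `io.BytesIO`, so confirm they are imported at the top of common.py (the per-file count of +72 against 71 lines here suggests one line outside this hunk); defining SafeUnpickler inside deserialize() rebuilds the class on every call, so hoist it to module level; and the comment `--- SGLang & Unitest ---` should read `Unittest`.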
    
