Submission #799263: sgl-project sglang <=0.5.9 Protection Mechanism Failure

Information

Title: sgl-project sglang <=0.5.9 Protection Mechanism Failure

Description: SGLang (https://github.com/sgl-project/sglang) silently overrides `trust_remote_code=False` and retries tokenizer loading with `trust_remote_code=True` when HuggingFace Transformers v5 returns a `TokenizersBackend` object. This allows a malicious model to execute arbitrary Python code during tokenizer initialization, even when the operator explicitly disabled remote code execution. The override happens with zero logging.

Reproduction:
1. Create a model directory with config.json (model_type "gpt2"), tokenizer_config.json (custom tokenizer_class + auto_map pointing to tokenizer.py), tokenizer.json (valid BPE), and tokenizer.py (payload).
2. Call sglang's get_tokenizer(model_path, trust_remote_code=False).
3. tokenizer.py executes despite trust_remote_code=False.

Calling AutoTokenizer.from_pretrained() directly with the same model and trust_remote_code=False does NOT execute the payload. Only sglang's get_tokenizer triggers it, due to the silent retry at lines 898-909.

Impact: CVSS 3.1: `AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H` = 9.8 Critical. Arbitrary code execution as the SGLang process user. In SGLang's official Docker image (lmsysorg/sglang:latest), the process runs as root. Confirmed post-exploitation capabilities include backdooring sglang source code (persistence across restarts), poisoning other cached models (lateral spread), outbound network connections (data exfiltration of HF_TOKEN, prompts, model weights), and installing arbitrary pip packages (supply chain). SGLang powers 400,000+ GPUs worldwide across xAI, Azure, AMD, NVIDIA, verl, LLaMA-Factory, and LMSYS Chatbot Arena.

S:C: `trust_remote_code=False` is an explicit security boundary. The user sets it to prevent code execution from untrusted models. SGLang silently overrides it, executing code in a context the user explicitly prohibited.

A working end-to-end Dockerized PoC with control tests and version matrix is available upon request.

References:
- SGLang repository: https://github.com/sgl-project/sglang
- Vulnerable code: `python/sglang/srt/utils/hf_transformers_utils.py:898-909`
- HuggingFace `trust_remote_code` docs: https://huggingface.co/docs/transformers/main/en/model_doc/auto#from-pretrained
- Prior SGLang CVEs: CVE-2025-10164, CVE-2026-3059, CVE-2026-3060
User: ngould (UID 97186)
Submitted: 08/04/2026 01:44 AM (2 months ago)
Moderation: 02/05/2026 10:00 AM (24 days later)
Status: Approved
VulDB Entry: 360817 [sgl-project SGLang up to 0.5.9 HuggingFace Transformer hf_transformers_utils.py get_tokenizer trust_remote_code privilege escalation]
Points: 17
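The report above hinges on one fact: `trust_remote_code=False` is only a boundary if every layer between the operator and the loader honours it. An operator who cannot audit each wrapper can instead check the model directory itself before any loader sees it. The following is an added example, not code from SGLang, Transformers or the submitter: it scans the JSON files the HuggingFace Auto* loaders consult for an `auto_map` entry (the hook that makes a loader import a class from a `.py` file inside the model directory) and for any shipped Python module, and fails closed when the operator asked for `trust_remote_code=False`. The key names (`auto_map`, `tokenizer_class`, `model_type`) follow the HuggingFace config layout; the refuse-on-hook policy, the `remote_code_references`/`safe_to_load` names and the constructed demo directory (which mirrors the reproduction steps with a harmless placeholder instead of a payload) are this example's own.

```python
# Added example (not SGLang/Transformers code): pre-flight check that a local
# model directory carries no remote-code hooks before any loader touches it.
# Assumption: auto_map in the HF config files is the mechanism through which
# trust_remote_code=True imports classes from .py files in the model directory.
import json
import os
import tempfile

# JSON files the HF Auto* loaders read; an auto_map in any of them names
# Python classes that live inside the model directory.
CONFIG_FILES = (
    "config.json",
    "tokenizer_config.json",
    "generation_config.json",
    "processor_config.json",
    "preprocessor_config.json",
)


def remote_code_references(model_dir):
    """Return a list of (file, detail) for every remote-code hook found."""
    findings = []
    for name in CONFIG_FILES:
        path = os.path.join(model_dir, name)
        if not os.path.isfile(path):
            continue
        with open(path, encoding="utf-8") as fh:
            try:
                data = json.load(fh)
            except json.JSONDecodeError as exc:
                # Unparseable config is itself suspicious: fail closed.
                findings.append((name, f"unparseable JSON: {exc}"))
                continue
        auto_map = data.get("auto_map") if isinstance(data, dict) else None
        if isinstance(auto_map, dict):
            for auto_class, target in auto_map.items():
                findings.append((name, f"auto_map {auto_class} -> {target}"))
    # Any .py module shipped next to the weights is importable under
    # trust_remote_code=True; flag it even without an auto_map pointing at it.
    for entry in sorted(os.listdir(model_dir)):
        if entry.endswith(".py"):
            findings.append((entry, "python module shipped with model"))
    return findings


def safe_to_load(model_dir, trust_remote_code):
    """Policy: trust_remote_code=False means no remote-code hooks at all."""
    if trust_remote_code:
        return True
    return not remote_code_references(model_dir)


def build_demo_model(model_dir, with_custom_tokenizer):
    """Construct a minimal model directory shaped like the reproduction steps.

    The custom-tokenizer variant carries the auto_map hook plus a tokenizer.py
    whose content is a constructed placeholder comment, not a payload.
    """
    os.makedirs(model_dir, exist_ok=True)
    with open(os.path.join(model_dir, "config.json"), "w") as fh:
        json.dump({"model_type": "gpt2"}, fh)
    tok_cfg = {"tokenizer_class": "GPT2Tokenizer"}
    if with_custom_tokenizer:
        tok_cfg = {
            "tokenizer_class": "CustomTokenizer",
            "auto_map": {"AutoTokenizer": ["tokenizer.CustomTokenizer", None]},
        }
        with open(os.path.join(model_dir, "tokenizer.py"), "w") as fh:
            fh.write("# placeholder for code a trust_remote_code load would run\n")
    with open(os.path.join(model_dir, "tokenizer_config.json"), "w") as fh:
        json.dump(tok_cfg, fh)
    # Minimal tokenizer.json shaped like a tokenizers BPE file.
    with open(os.path.join(model_dir, "tokenizer.json"), "w") as fh:
        json.dump({"model": {"type": "BPE", "vocab": {"a": 0}, "merges": []}}, fh)
    return model_dir


def demo():
    """Build a benign and a custom-code model and run the check on both."""
    root = tempfile.mkdtemp()
    benign = build_demo_model(os.path.join(root, "benign"), False)
    custom = build_demo_model(os.path.join(root, "custom"), True)
    return {
        "benign_ok": safe_to_load(benign, trust_remote_code=False),
        "custom_ok": safe_to_load(custom, trust_remote_code=False),
        "custom_findings": remote_code_references(custom),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Run this against a model directory before passing its path to `get_tokenizer` or `AutoTokenizer.from_pretrained`; a non-empty findings list with `trust_remote_code=False` is the condition under which the silent retry described above would turn into code execution, so the check refuses there regardless of what the loader later does.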
