| Field | Value |
|---|---|
| Title | sgl-project sglang <=0.5.9 Protection Mechanism Failure |
| User | ngould (UID 97186) |
| Submission | 08.04.2026 01:44 (2 months ago) |
| Moderation | 02.05.2026 10:00 (24 days later) |
| Status | accepted |
| VulDB Entry | 360817 [sgl-project SGLang up to 0.5.9 HuggingFace Transformer hf_transformers_utils.py get_tokenizer trust_remote_code privilege escalation] |
| Points | 17 |

Description:

SGLang (https://github.com/sgl-project/sglang) silently overrides `trust_remote_code=False` and retries tokenizer loading with `trust_remote_code=True` when HuggingFace Transformers v5 returns a `TokenizersBackend` object. This allows a malicious model to execute arbitrary Python code during tokenizer initialization, even when the operator explicitly disabled remote code execution. The override happens with zero logging.

Reproduction:
1. Create a model directory with config.json (model_type "gpt2"), tokenizer_config.json (custom tokenizer_class + auto_map pointing to tokenizer.py), tokenizer.json (valid BPE), and tokenizer.py (payload).
2. Call sglang's get_tokenizer(model_path, trust_remote_code=False).
3. tokenizer.py executes despite trust_remote_code=False.

Calling AutoTokenizer.from_pretrained() directly with the same model and trust_remote_code=False does NOT execute the payload. Only sglang's get_tokenizer triggers it, due to the silent retry at lines 898-909.

Impact:
CVSS 3.1: `AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H` = 9.8 Critical

Arbitrary code execution as the SGLang process user. In SGLang's official Docker image (lmsysorg/sglang:latest), the process runs as root. Confirmed post-exploitation capabilities include backdooring the sglang source code (persistence across restarts), poisoning other cached models (lateral spread), outbound network connections (exfiltration of HF_TOKEN, prompts, and model weights), and installing arbitrary pip packages (supply chain). SGLang powers 400,000+ GPUs worldwide across xAI, Azure, AMD, NVIDIA, verl, LLaMA-Factory, and LMSYS Chatbot Arena.

Scope (S:C) justification: `trust_remote_code=False` is an explicit security boundary. The user sets it to prevent code execution from untrusted models. SGLang silently overrides it, executing code in a context the user explicitly prohibited.

A working end-to-end Dockerized PoC with control tests and version matrix is available upon request.

References:
- SGLang repository: https://github.com/sgl-project/sglang
- Vulnerable code: `python/sglang/srt/utils/hf_transformers_utils.py:898-909`
- HuggingFace `trust_remote_code` docs: https://huggingface.co/docs/transformers/main/en/model_doc/auto#from-pretrained
- Prior SGLang CVEs: CVE-2025-10164, CVE-2026-3059, CVE-2026-3060
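The report's root cause is that a loader retries with `trust_remote_code=True` after the operator set it to `False`. One defensive mitigation, added here as an example and not part of SGLang or the submission, is a pre-flight check that inspects the model directory's JSON configs for the `auto_map` entries that make `trust_remote_code` matter, and refuses to proceed (fail closed, with an explicit error) before any tokenizer loader is invoked. The check parses JSON only and never imports anything from the model directory. The sample directories it builds are constructed for the example and contain configs only, no Python payload; the function names and the `CONFIG_FILES`/`REMOTE_CODE_KEYS` lists are this example's own assumptions, not SGLang or Transformers API.

```python
import json
import tempfile
from pathlib import Path

# In the HuggingFace model layout, an "auto_map" entry in tokenizer_config.json
# or config.json points the Auto* loaders at Python code shipped inside the
# model directory. Such code is only supposed to run when trust_remote_code=True.
# (Assumed list for this example; extend it for other config files you load.)
CONFIG_FILES = ("tokenizer_config.json", "config.json")
REMOTE_CODE_KEYS = ("auto_map",)


def find_remote_code_indicators(model_dir):
    """Return (file, key) pairs that would require trust_remote_code=True.

    Only JSON is parsed; nothing from the model directory is imported, so the
    check itself cannot trigger model-supplied code.
    """
    model_dir = Path(model_dir)
    findings = []
    for name in CONFIG_FILES:
        path = model_dir / name
        if not path.is_file():
            continue
        try:
            data = json.loads(path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            # Treat an unreadable config as suspicious rather than silently skipping it
            findings.append((name, "<unparseable>"))
            continue
        for key in REMOTE_CODE_KEYS:
            if isinstance(data, dict) and key in data:
                findings.append((name, key))
    # Loose Python modules next to the configs are the usual target of auto_map entries
    for py in sorted(model_dir.glob("*.py")):
        findings.append((py.name, "<python module>"))
    return findings


def enforce_trust_policy(model_dir, trust_remote_code):
    """Fail closed before any tokenizer loader runs.

    With trust_remote_code=False and remote-code indicators present, raise
    PermissionError instead of letting a downstream retry elevate the flag.
    Returns True when loading may proceed.
    """
    findings = find_remote_code_indicators(model_dir)
    if findings and not trust_remote_code:
        details = "; ".join(f"{f}:{k}" for f, k in findings)
        raise PermissionError(
            f"refusing to load {model_dir}: trust_remote_code=False but the "
            f"model carries custom-code indicators ({details})"
        )
    return True


def _make_model_dir(path, with_auto_map):
    """Write a constructed sample model directory (configs only, no code)."""
    path = Path(path)
    path.mkdir(parents=True, exist_ok=True)
    config = {"model_type": "gpt2"}
    tok_config = {"tokenizer_class": "GPT2Tokenizer"}
    if with_auto_map:
        # Mirrors the layout in the report: custom tokenizer_class plus auto_map
        tok_config["tokenizer_class"] = "CustomTokenizer"
        tok_config["auto_map"] = {"AutoTokenizer": ["tokenizer.CustomTokenizer", None]}
    (path / "config.json").write_text(json.dumps(config), encoding="utf-8")
    (path / "tokenizer_config.json").write_text(json.dumps(tok_config), encoding="utf-8")
    return path


def demo():
    """Run the policy against a benign and a custom-code model directory."""
    with tempfile.TemporaryDirectory() as root:
        benign = _make_model_dir(Path(root) / "benign", with_auto_map=False)
        custom = _make_model_dir(Path(root) / "custom", with_auto_map=True)
        result = {
            "benign_allowed": enforce_trust_policy(benign, trust_remote_code=False),
            "custom_findings": find_remote_code_indicators(custom),
            "custom_blocked": False,
            "custom_allowed_when_opted_in": enforce_trust_policy(custom, trust_remote_code=True),
        }
        try:
            enforce_trust_policy(custom, trust_remote_code=False)
        except PermissionError:
            result["custom_blocked"] = True
        return result


if __name__ == "__main__":
    print(demo())
```

The point of the design is ordering: the policy decision is made from static files before any loader that might retry with a different flag is called, and a refusal is a loud exception rather than a silent fallback. It is a gate in front of the loader, not a replacement for fixing the retry itself.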