
"An attacker exploits this vulnerability by creating a malicious GPT Generated Unified Format (GGUF) model file with a crafted tokenizer.chat_template parameter that contains a Jinja2 server-side template injection (SSTI) payload with a trigger phrase to activate the vulnerable code path."
"The victim then downloads and loads the model in SGLang, and when a request hits the '/v1/rerank' endpoint, the malicious template is rendered, executing the attacker's arbitrary Python code on the server."
"The underlying issue stems from the use of jinja2.Environment() without sandboxing instead of ImmutableSandboxedEnvironment, enabling a malicious model to execute arbitrary Python code on the inference server."
SGLang has a severe security vulnerability, CVE-2026-5760, with a CVSS score of 9.8, enabling remote code execution through command injection. The flaw affects the reranking endpoint '/v1/rerank', allowing attackers to execute arbitrary code by using a specially crafted GGUF model file. The exploitation involves creating a malicious tokenizer.chat_template parameter that triggers a vulnerable code path. The issue arises from using jinja2.Environment() without sandboxing, which permits execution of arbitrary Python code on the server when the model is loaded and a request is made to the endpoint.
Read at The Hacker News