Sglang · Sglang · CVE-2026-5760
**Name of the Vulnerable Software and Affected Versions**
SGLang (affected versions not specified)
**Description**
An issue in the SGLang high-performance LLM serving framework allows remote code execution. The flaw is in the `serving_rerank.py` file, specifically in the handler for the `/v1/rerank` endpoint. The server uses an unsandboxed `jinja2.Environment()` to render tokenizer chat templates read from model files, such as those in GPT-Generated Unified Format (GGUF). An attacker can craft a malicious GGUF model file whose `tokenizer.chat_template` metadata contains a Server-Side Template Injection (SSTI) payload and upload it to a public repository. When a user loads this model and an unauthenticated POST request is sent to the `/v1/rerank` endpoint, the malicious template is rendered, resulting in arbitrary Python code execution on the server with the privileges of the SGLang service.
**Recommendations**
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Replace `jinja2.Environment()` with `jinja2.sandbox.ImmutableSandboxedEnvironment()` in all template rendering components.
Avoid loading models from untrusted sources.
Restrict access to the `/v1/rerank` endpoint to minimize the risk of exploitation.
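To make the first recommendation concrete, the following added example (not SGLang's own code) renders a constructed chat template the way the advisory describes, once with a plain `jinja2.Environment()` and once with `jinja2.sandbox.ImmutableSandboxedEnvironment()`. The template, the `messages` variable and the helper names are assumptions made for the illustration; the point is that the sandbox raises `SecurityError` where the plain environment silently exposes Python object internals.

```python
"""Added example (not SGLang's own code): rendering a GGUF-style
tokenizer.chat_template with the vulnerable plain Environment and
with the sandboxed environment the advisory recommends."""
import jinja2
from jinja2.sandbox import ImmutableSandboxedEnvironment, SecurityError

# Constructed stand-in for a tokenizer.chat_template read from a model file.
# A legitimate template only formats the conversation...
BENIGN_CHAT_TEMPLATE = (
    "{% for m in messages %}{{ m['role'] }}: {{ m['content'] }}\n{% endfor %}"
)
# ...whereas an untrusted one may also reach into Python object internals,
# here by reading a dunder attribute of the rendering input.
UNTRUSTED_CHAT_TEMPLATE = BENIGN_CHAT_TEMPLATE + "{{ messages.__class__.__name__ }}"

# Constructed conversation; in SGLang this would come from the request body.
MESSAGES = [{"role": "user", "content": "rank these passages"}]


def render_unsandboxed(template_src: str, messages: list) -> str:
    """The vulnerable pattern: a plain Environment hands the template
    whatever attributes the underlying Python objects expose."""
    env = jinja2.Environment()
    return env.from_string(template_src).render(messages=messages)


def render_sandboxed(template_src: str, messages: list) -> str:
    """The recommended pattern: underscore-prefixed attributes and
    mutating calls are refused, and chained access raises SecurityError."""
    env = ImmutableSandboxedEnvironment()
    return env.from_string(template_src).render(messages=messages)


def sandbox_blocks(template_src: str, messages: list) -> bool:
    """True when the sandbox refuses a template the plain environment renders."""
    try:
        render_sandboxed(template_src, messages)
    except SecurityError:
        return True
    return False


if __name__ == "__main__":
    # Plain environment renders the conversation followed by "list".
    print(render_unsandboxed(UNTRUSTED_CHAT_TEMPLATE, MESSAGES))
    # Sandbox: benign template renders, untrusted one is blocked.
    print("benign blocked:", sandbox_blocks(BENIGN_CHAT_TEMPLATE, MESSAGES))
    print("untrusted blocked:", sandbox_blocks(UNTRUSTED_CHAT_TEMPLATE, MESSAGES))
```

Note that a single unsafe attribute access in the sandbox yields an undefined value rather than an exception; pass `undefined=jinja2.StrictUndefined` to the sandboxed environment if you want the first unsafe access to fail loudly.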