Ngould

#44943 of 53,634
5.6 Total CVSS
Vulnerabilities · 1
PT-2026-36639
5.6
2026-05-02
Sgl · Sglang · CVE-2026-7669
**Name of the Vulnerable Software and Affected Versions**

sgl-project SGLang versions prior to 0.6.0

**Description**

A code injection issue exists in the HuggingFace Transformer Handler within the `get_tokenizer()` function of the `python/sglang/srt/utils/hf_transformers_utils.py` file. When a caller sets the `trust_remote_code` variable to `False`, SGLang may silently re-invoke `AutoTokenizer.from_pretrained` with `trust_remote_code` set to `True` if HuggingFace transformers v5 returns a TokenizersBackend instance. This overrides the security setting and allows a model repository containing a malicious `tokenizer.py` referenced via `auto_map` in `tokenizer_config.json` to execute arbitrary Python code in the SGLang process. This affects both `tokenizer_mode="auto"` and `tokenizer_mode="slow"`. The attack can be executed remotely, although it is characterized by high complexity and difficult exploitability.

**Recommendations**

At the moment, there is no information about a newer version that contains a fix for this vulnerability. As a temporary workaround, restrict the use of the `get_tokenizer()` function or avoid loading tokenizers from untrusted model repositories.
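The workaround above can be enforced before a model directory ever reaches the loader. The following is an added example, not code from SGLang or from this advisory: a pre-load gate that refuses a locally downloaded model directory whose `tokenizer_config.json` carries an `auto_map` reference. The function names, exception class and sample directories are hypothetical and constructed for illustration.

```python
import json
import tempfile
from pathlib import Path

class UntrustedTokenizerCode(Exception):
    """Raised when a model directory asks for custom tokenizer code."""

def auto_map_refs(model_dir):
    """Return the 'module.Class' references in tokenizer_config.json's auto_map."""
    cfg_path = Path(model_dir) / "tokenizer_config.json"
    if not cfg_path.is_file():
        return []
    # Malformed JSON raises here, so a broken config fails closed.
    cfg = json.loads(cfg_path.read_text(encoding="utf-8"))
    auto_map = cfg.get("auto_map") or {}
    # auto_map is a dict keyed by Auto class, or (legacy) a bare [slow, fast] pair.
    values = auto_map.values() if isinstance(auto_map, dict) else [auto_map]
    refs = []
    for value in values:
        # Each value is one reference or a [slow, fast] pair; a slot may be null.
        items = value if isinstance(value, (list, tuple)) else [value]
        refs.extend(v for v in items if isinstance(v, str) and v)
    return refs

def require_no_custom_tokenizer(model_dir):
    """Hypothetical pre-load gate: refuse directories that reference tokenizer code."""
    refs = auto_map_refs(model_dir)
    if refs:
        raise UntrustedTokenizerCode(f"{model_dir}: auto_map references {refs}")
    return model_dir

def write_sample(root, name, tokenizer_config):
    # Constructed sample directory, not a real model repository.
    d = Path(root) / name
    d.mkdir()
    (d / "tokenizer_config.json").write_text(json.dumps(tokenizer_config))
    return d

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        plain = write_sample(tmp, "plain", {"tokenizer_class": "PreTrainedTokenizerFast"})
        custom = write_sample(tmp, "custom", {"auto_map": {"AutoTokenizer": ["tokenizer.SampleTok", None]}})
        for d in (plain, custom):
            try:
                print("ok:", require_no_custom_tokenizer(d))
            except UntrustedTokenizerCode as exc:
                print("blocked:", exc)
```

Run the gate against the exact local snapshot that will be loaded, since a check on one revision says nothing about a later download of the same repository.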