Platform
python
Component
sglang
Fixed in
0.5.11
0.5.10
CVE-2026-3989 describes an insecure deserialization vulnerability in SGLang, specifically in the replayrequestdump.py script. The script loads request dumps with Python's pickle module, so an attacker who can supply a crafted .pkl file gets arbitrary code execution on the host that runs the script. The vulnerability affects SGLang versions 0.5.9 and earlier; a fix is available in version 0.5.10.
The primary impact of CVE-2026-3989 is remote code execution (RCE). An attacker can craft a malicious pickle file that, when loaded by the vulnerable script, executes arbitrary commands on the target system: pickle's reduce protocol lets serialized data name any importable callable together with its arguments, and the unpickler calls it during loading, before the script ever inspects the resulting object. This can lead to complete system compromise, including data theft, malware installation, and denial of service. The scope of the impact depends on the privileges of the user running replayrequestdump.py; if it runs as root or with elevated privileges, the attacker gains that level of control over the system. The flaw follows the same pattern as other insecure deserialization vulnerabilities, in which untrusted data is deserialized directly without any restriction on what it may instantiate.
CVE-2026-3989 was publicly disclosed on 2026-03-12. There is no indication that it is being actively exploited in the wild at this time. The EPSS score listed for it is 0.02% (3rd percentile), i.e. a low predicted probability of exploitation, even though pickle deserialization flaws are straightforward to exploit once an attacker can get a file loaded. No public proof-of-concept (PoC) has been released; building one for a pickle deserialization flaw requires no novel technique, so unpatched deployments should not rely on its absence.
Systems running SGLang versions 0.5.9 and earlier are at significant risk, particularly where replayrequestdump.py is used to process dumps from external or untrusted sources. Shared hosting environments in which multiple users have access to the same SGLang installation, and can therefore place .pkl files where the script will read them, are also particularly vulnerable.
• python / script:
import hashlib


def check_pkl_integrity(filepath):
    """Checks the integrity of a pickle file using SHA256.

    The expected hash must have been recorded from a copy of the file that came
    from a trusted producer. A matching hash proves the file is that known copy;
    it does NOT make pickle.load() safe on an arbitrary file.

    Args:
        filepath (str): Path to the pickle file.
    Returns:
        bool: True if the file matches the expected hash, False otherwise.
    """
    try:
        with open(filepath, 'rb') as f:
            data = f.read()
        sha256_hash = hashlib.sha256(data).hexdigest()
        # Replace with the hash value recorded from the trusted copy
        expected_hash = 'your_expected_hash_here'
        return sha256_hash == expected_hash
    except Exception as e:
        # Unreadable or missing file: treat as failed verification
        print(f"Error checking file: {e}")
        return False


# Example usage
filepath = 'path/to/your/file.pkl'
if check_pkl_integrity(filepath):
    print("File integrity is valid.")
else:
    print("File integrity is compromised.")
• generic web:
Check whether replayrequestdump.py, or the dump directory it reads from, is reachable from publicly accessible locations. Monitor access logs for requests to this script, especially those originating from untrusted sources.
disclosure
Exploit status
EPSS
0.02% (3rd percentile)
CVSS vector
The primary mitigation for CVE-2026-3989 is to upgrade SGLang to version 0.5.10 or later, which includes the fix. If upgrading is not immediately feasible, apply temporary workarounds. Strictly validate the source of any .pkl file before processing it with replayrequestdump.py, and do not load pickle files from untrusted sources at all. Prefer a serialization format that cannot instantiate arbitrary objects, such as JSON, or YAML loaded with yaml.safe_load (PyYAML's plain yaml.load has the same arbitrary-object problem as pickle). Note that checking the structure of the loaded object is too late: the payload runs during deserialization, so any validation must happen before pickle.load, for example by inspecting which globals the pickle references or by restricting what the unpickler is allowed to import.
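The following Python example, added here and not taken from SGLang or its advisory, shows the mechanism described in the impact paragraph and the mitigations listed above: a pickle whose __reduce__ hook runs attacker-chosen code the moment pickle.loads resolves it, followed by three checks a consumer of request dumps can apply: a static listing of the pickle's imports with pickletools (no code is executed), an allow-list Unpickler that refuses to import eval or os.system, and HMAC-gated loading so that only dumps produced by a trusted party are ever deserialized. The record layout, the allow-list contents and the key handling are assumptions for the demo, not SGLang's real format or code, and the payload only sets an environment variable in place of a real command.

```python
import hashlib
import hmac
import io
import os
import pickle
import pickletools

# Environment variable the demo payload sets; a harmless stand-in for a real command.
MARKER = "SGLANG_CVE_DEMO"

# Constructed stand-in for a request-dump record (an assumption, not SGLang's real layout).
BENIGN_RECORD = {"request_id": 42, "prompt": "hello", "params": {"temperature": 0.7}}

# Globals a dump is allowed to reference; everything else is refused (allow-list is an assumption).
ALLOWED_GLOBALS = {("builtins", "set"), ("builtins", "frozenset"), ("collections", "OrderedDict")}


class _Payload:
    """Any object can hook unpickling via __reduce__: the unpickler calls callable(*args)
    while loading. A real payload would name os.system or subprocess.Popen; this one names
    builtins.eval with a string that only sets an environment variable."""

    def __reduce__(self):
        code = f"__import__('os').environ.__setitem__({MARKER!r}, '1')"
        return (eval, (code,))


def build_malicious_dump() -> bytes:
    return pickle.dumps(_Payload())


def build_benign_dump() -> bytes:
    return pickle.dumps(BENIGN_RECORD)


def marker_present() -> bool:
    return os.environ.get(MARKER) == "1"


def clear_marker() -> None:
    os.environ.pop(MARKER, None)


def unsafe_load(data: bytes):
    """The vulnerable pattern: pickle.loads() on bytes the attacker controls."""
    return pickle.loads(data)


def pickle_imports(data: bytes) -> list:
    """List every (module, name) the pickle would import, without executing it.
    pickletools.genops only parses opcodes: GLOBAL carries 'module name' as one argument,
    STACK_GLOBAL (protocol 4+) consumes the two most recently pushed strings."""
    imports, strings = [], []
    for opcode, arg, _pos in pickletools.genops(data):
        if opcode.name in ("SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE",
                           "STRING", "BINSTRING", "SHORT_BINSTRING"):
            strings.append(arg)
        elif opcode.name == "GLOBAL":
            module, name = arg.split(" ", 1)
            imports.append((module, name))
        elif opcode.name == "STACK_GLOBAL":
            imports.append((strings[-2], strings[-1]))
    return imports


def suspicious_imports(data: bytes) -> list:
    """Imports outside the allow-list; a non-empty result means: do not load this file."""
    return [g for g in pickle_imports(data) if g not in ALLOWED_GLOBALS]


class RestrictedUnpickler(pickle.Unpickler):
    """Refuses any global not on the allow-list, so a __reduce__ hook cannot resolve eval or os.system."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to import {module}.{name} from pickle")


def safe_load(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def sign_dump(data: bytes, key: bytes) -> str:
    """Tag a dump at the trusted producer; the consumer checks the tag before unpickling."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def load_trusted_dump(data: bytes, tag: str, key: bytes):
    """Provenance check first (constant-time compare), then the restricted unpickler."""
    if not hmac.compare_digest(sign_dump(data, key), tag):
        raise ValueError("tag mismatch: dump was not produced by a trusted party, refusing to load")
    return safe_load(data)


if __name__ == "__main__":
    clear_marker()
    bad, good = build_malicious_dump(), build_benign_dump()
    print("static scan of malicious dump:", suspicious_imports(bad))  # [('builtins', 'eval')]
    unsafe_load(bad)
    print("pickle.loads ran the payload:", marker_present())  # True
    clear_marker()
    try:
        safe_load(bad)
    except pickle.UnpicklingError as exc:
        print("RestrictedUnpickler blocked it:", exc, "| payload ran:", marker_present())  # payload ran: False
    key = os.urandom(32)  # assumption: in practice shared out-of-band between producer and consumer
    print("trusted benign dump:", load_trusted_dump(good, sign_dump(good, key), key))
```

The static scan is the check to run first on any dump of unknown origin, because it never executes the file; the RestrictedUnpickler is the defence to keep in the loader even for files that passed the scan; and the HMAC tag is what "validate the source" means in practice, since a plain SHA256 of the file only proves it is a known copy if the hash itself came from a trusted producer.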
Update to a fixed version of SGLang that implements proper validation and deserialization to prevent execution of malicious code via pickle files. See the release notes for details on the fix.
CVE-2026-3989 is a vulnerability in SGLang versions ≤0.5.9 that allows an attacker to execute arbitrary code by supplying a malicious .pkl file to the replayrequestdump.py script.
You are affected if you are using SGLang version 0.5.9 or earlier. Upgrade to version 0.5.10 or later to resolve the issue.
Upgrade SGLang to version 0.5.10 or later. As a temporary workaround, strictly validate the source of any .pkl file before processing it, and never load pickle files from untrusted sources.
There is currently no evidence of CVE-2026-3989 being actively exploited in the wild.
Refer to the SGLang project's official website or repository for the advisory related to CVE-2026-3989.