Vulnerability DatabaseCVE-2025-10164
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2025-10164
Published:September 09, 2025
Updated:May 17, 2026
A security flaw has been discovered in lmsys sglang 0.4.6. Affected by this vulnerability is the function main of the file /update_weights_from_tensor. The manipulation of the argument serialized_named_tensors results in deserialization. The attack can be launched remotely. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way.
Affected Packages
sglang (PYTHON):
Affected version(s) >=0.1.0 <0.5.4
Fix Suggestion:
Update to version 0.5.4
sglang (PYTHON):
Affected version(s) >=0.1.0 <=0.4.6
Fix Suggestion:
Update to version no_fix
Related Resources (6)
https://github.com/sgl-project/sglang
https://github.com/sgl-project/sglang/commit/49afb3d9d9deedf6dea3a6dd5c50e85e7d8bcb07
https://vuldb.com/?id.323203
https://vuldb.com/?submit.635919
https://vuldb.com/?ctiid.323203
https://nvd.nist.gov/vuln/detail/CVE-2025-10164
Do you need more information?
Contact Us
CVSS v4
Base Score:
5.5
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
NONE
Vulnerable System Confidentiality
LOW
Vulnerable System Integrity
LOW
Vulnerable System Availability
LOW
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
Exploit Maturity
POC
CVSS v3
Base Score:
7.3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
LOW
Integrity
LOW
Availability
LOW
Exploit Maturity
PROOF-OF-CONCEPT
Weakness Type (CWE)
Deserialization of Untrusted Data
CWE-502
Improper Input Validation
CWE-20
EPSS
Base Score:
0.09