


Perceptive Security
SOC/SIEM Consultancy

SGLang's encoder parallel disaggregation system is vulnerable to unauthenticated remote code execution through the disaggregation module, which deserializes untr…
Published:
11 March 2026 at 23:00:00
Alert date:
12 March 2026 at 16:03:23
Source:
nvd.nist.gov
Emerging Technologies, Web Technologies
SGLang's encoder parallel disaggregation system contains a critical vulnerability that allows unauthenticated remote code execution. The vulnerability exists in the disaggregation module which uses pickle.loads() to deserialize untrusted data without proper authentication. This creates a significant security risk as attackers can potentially execute arbitrary code on affected systems. The vulnerability affects the encoder receiver component of the SGLang framework. The issue has been documented and analyzed by security researchers at Orca Security.
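One general way to close this class of bug, shown as an added example that is not SGLang's code or its fix: the receiver verifies an HMAC over each frame before parsing anything, and parses with JSON, a data-only format, in place of pickle. The shared key, the frame layout and the names `seal`, `open_frame` and `FrameRejected` are assumptions made for the illustration.

```python
import hashlib
import hmac
import json
import struct

MAC_LEN = 32  # size of an HMAC-SHA256 tag


class FrameRejected(Exception):
    """Raised when a frame fails authentication or parsing."""


def seal(key: bytes, message: dict) -> bytes:
    """Sender side (hypothetical layout): length prefix + JSON body + tag."""
    body = json.dumps(message, separators=(",", ":")).encode()
    header = struct.pack("!I", len(body))
    tag = hmac.new(key, header + body, hashlib.sha256).digest()
    return header + body + tag


def open_frame(key: bytes, frame: bytes, max_len: int = 1 << 20) -> dict:
    """Receiver side: authenticate first, then parse with a data-only format."""
    if len(frame) < 4 + MAC_LEN:
        raise FrameRejected("frame too short")
    (length,) = struct.unpack("!I", frame[:4])
    if length > max_len or len(frame) != 4 + length + MAC_LEN:
        raise FrameRejected("bad length")
    body, tag = frame[4:4 + length], frame[4 + length:]
    expected = hmac.new(key, frame[:4 + length], hashlib.sha256).digest()
    # Constant-time comparison; nothing in the body is parsed before this.
    if not hmac.compare_digest(tag, expected):
        raise FrameRejected("authentication failed")
    try:
        message = json.loads(body)  # JSON cannot instantiate objects
    except ValueError as exc:  # covers JSON and UTF-8 decode errors
        raise FrameRejected("malformed body") from exc
    if not isinstance(message, dict):
        raise FrameRejected("unexpected message type")
    return message


if __name__ == "__main__":
    key = b"constructed-demo-key-not-a-real-secret"  # constructed sample
    good = seal(key, {"req_id": 7, "shape": [1, 576, 1024]})
    print(open_frame(key, good))
```

Binding the listener to a private interface and restricting which peers can reach it remain necessary alongside message authentication.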
Technical details
Mitigation steps:
Affected products:
SGLang
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-3060
https://github.com/sgl-project/sglang/blob/main/python/sglang/srt/disaggregation/encode_receiver.py
https://orca.security/resources/blog/sglang-llm-framework-rce-vulnerabilities/
Related CVEs:
Related threat actors:
IOCs:
This article was created with the assistance of AI technology by Perceptive.
