SGLang's reranking endpoint (/v1/rerank) achieves Remote Code Execution (RCE) when a model file containing a malcious tokenizer.chat_template is loaded, as the …

SGLang's reranking endpoint (/v1/rerank) contains a Remote Code Execution vulnerability when processing malicious model files. The vulnerability occurs when a model file contains a malicious tokenizer.chat_template that gets processed through an unsandboxed Jinja2 environment. This allows attackers to achieve RCE by crafting malicious Jinja2 templates that are rendered without proper sandboxing controls. The vulnerability affects SGLang version 0.5.9 and potentially other versions. Proof of concept code and detailed vulnerability information are available through public repositories.