CVEFinder.io

CVE-2025-10164

⚠️ high
Summary

A security flaw has been discovered in lmsys sglang 0.4.6. Affected by this vulnerability is the function main of the file /update_weights_from_tensor. Manipulating the argument serialized_named_tensors leads to unsafe deserialization. The attack can be launched remotely. The exploit has been released to the public and may be used in attacks. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS Score: 7.3 (High)
EPSS Score (Exploit Probability): 0.0
Published Date: 2025-09-09
First Seen: 2026-01-05
📊 Relative Risk Intelligence

This CVE is Moderate Risk - more severe than 55.6% of all 321,566 vulnerabilities in our database.

Severity Percentile: #142,887 (above average severity)
🎯 CISA SSVC Assessment (Updated: Sep 10, 2025)
Exploitation Status: PoC (proof-of-concept available)
Automatable: YES (can be exploited automatically)
Technical Impact: Partial (limited system impact)
🏆 Discovered By
hl4x7eq28 (VulDB User) (reporter)
SSVC data provided by CISA
Last Modified: 2025-09-11
Source: NVD
CVSS Vector 3.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
CVSS Vector 4.0 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CWE IDs (Weakness Types)

📦 Affected Products 1

🔗 References 3

🔗 Related CVEs 5

CVE ID Severity CVSS EPSS Summary Published
CVE-2026-7301 ⛔ critical 9.8 0.1 SGLang's multimodal generation runtime scheduler's ROUTER socket binds to 0.0.0.0 by default and contains a sink that cal... 2026-05-18
CVE-2026-7302 ⛔ critical 9.1 0.1 SGLang's multimodal generation runtime is vulnerable to an unauthenticated path traversal vulnerability, allowing an atta... 2026-05-18
CVE-2026-7304 ⛔ critical 9.8 0.3 SGLang's multimodal generation runtime is vulnerable to unauthenticated remote code execution when the --enable-custom-lo... 2026-05-18
CVE-2026-3059 ⛔ critical 9.8 1.3 SGLang's multimodal generation module is vulnerable to unauthenticated remote code execution through the ZMQ broker, whi... 2026-03-12
CVE-2026-3060 ⛔ critical 9.8 1.3 SGLang's encoder parallel disaggregation system is vulnerable to unauthenticated remote code execution through the disagg... 2026-03-12
These CVEs affect the same products.