CVE-2026-3989
Insecure Deserialization in SGLang's replay_request_dump.py Enables RCE

Publication date: 2026-03-12

Last updated on: 2026-04-07

Assigner: CERT/CC

Description
SGLang's `replay_request_dump.py` calls `pickle.load()` on its input without validation or safe deserialization. An attacker can take advantage of this by providing a malicious .pkl file, which will execute the attacker's code on the device running the script.
Meta Information
Published: 2026-03-12
Last Modified: 2026-04-07
Generated: 2026-06-16
AI Q&A: 2026-03-12
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Vendor | Product | Version / Range
sgl_project | sglang | *
CWE ID Description
CWE-UNKNOWN
Executive Summary

The vulnerability exists in the SGLang script `replay_request_dump.py`, which calls Python's `pickle.load()` without properly validating the input data. This insecure deserialization allows an attacker to provide a malicious .pkl file that, when loaded by the script, can execute arbitrary code on the device running it.

Impact Analysis

This vulnerability can lead to remote code execution on the device running the vulnerable script. An attacker who supplies a crafted malicious pickle file can execute arbitrary commands or code, potentially compromising the system, stealing data, or causing denial of service.

Detection Guidance

This vulnerability involves insecure deserialization via the replay_request_dump.py script loading malicious pickle (.pkl) files. Detection can focus on identifying usage or execution of this script with untrusted pickle files.

  • Monitor for execution of replay_request_dump.py, especially with input files from untrusted sources.
  • Check for suspicious or unexpected .pkl files being accessed or loaded by the script.
  • Use system process monitoring commands such as `ps aux | grep replay_request_dump.py` to detect running instances.
  • Audit file access logs for .pkl files used by the script, e.g., `grep '\.pkl' /var/log/audit/audit.log` if auditd is enabled.
  • Network monitoring for unusual HTTP POST requests to the /generate endpoint on the target host and port (default localhost:30000) may indicate replay activity.
  • Options for checking pickle file contents safely (without loading) are limited, but you can inspect pickle files with `strings suspicious.pkl` or `hexdump -C suspicious.pkl` to look for anomalies. [1]

Mitigation Strategies

To mitigate this vulnerability, avoid loading pickle files from untrusted or unauthenticated sources in the replay_request_dump.py script.

  • Do not run replay_request_dump.py with pickle files obtained from untrusted or unknown origins.
  • Restrict access to the replay_request_dump.py script and the directories containing pickle files to trusted users only.
  • Consider implementing validation or sandboxing around the deserialization process to prevent execution of malicious code.
  • Monitor and limit network access to the host and port used by the script (default localhost:30000) to prevent unauthorized replay attempts.
  • If possible, replace usage of pickle files with safer serialization formats or add integrity checks before deserialization.
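
One way to implement the validation bullet above, as an added example that is not SGLang's code: an unpickler that refuses every global lookup not on an allowlist, plus a static opcode listing for triage of a suspicious file. The names `safe_loads`, `risky_opcodes` and `ALLOWED_GLOBALS`, the empty allowlist and the sample dump contents are assumptions made for illustration.

```python
import collections
import io
import pickle
import pickletools

# Assumption: a request dump needs only plain containers and scalars, so no
# global lookup is permitted. Add (module, name) pairs only after review.
ALLOWED_GLOBALS = frozenset()

# Opcodes that import a name or call/construct an object during loading.
RISKY_OPCODES = {"GLOBAL", "STACK_GLOBAL", "INST", "OBJ", "NEWOBJ",
                 "NEWOBJ_EX", "REDUCE", "BUILD", "EXT1", "EXT2", "EXT4"}


class AllowlistUnpickler(pickle.Unpickler):
    """Unpickler that refuses every global not on the allowlist."""

    def find_class(self, module, name):
        if (module, name) not in ALLOWED_GLOBALS:
            raise pickle.UnpicklingError(f"blocked global {module}.{name}")
        return super().find_class(module, name)


def safe_loads(data: bytes):
    """Deserialize data; raises UnpicklingError on any non-allowlisted global."""
    return AllowlistUnpickler(io.BytesIO(data)).load()


def risky_opcodes(data: bytes):
    """Static triage: walk the opcode stream without executing it."""
    return [op.name for op, _arg, _pos in pickletools.genops(data)
            if op.name in RISKY_OPCODES]


# Constructed samples: plain data, and a harmless stdlib object whose pickle
# still needs an import (STACK_GLOBAL) and a call (REDUCE) to rebuild.
SAMPLE_PLAIN = pickle.dumps({"text": "hello", "input_ids": [1, 2, 3]}, protocol=4)
SAMPLE_OBJECT = pickle.dumps(collections.OrderedDict(a=1), protocol=4)

if __name__ == "__main__":
    for label, blob in (("plain", SAMPLE_PLAIN), ("object", SAMPLE_OBJECT)):
        print(label, risky_opcodes(blob))
        try:
            print("  loaded:", safe_loads(blob))
        except pickle.UnpicklingError as exc:
            print("  refused:", exc)
```

The opcode listing is for triage only; the `find_class` allowlist is the control that actually blocks imports at load time.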