CVE-2025-10164 is a deserialization vulnerability identified in version 0.4.6 of the lmsys sglang software, specifically within the function 'main' of the file '/update_weights_from_tensor'. The vulnerability arises from improper handling of the 'serialized_named_tensors' argument, which is deserialized without adequate validation or sanitization. This flaw allows an attacker to craft malicious serialized data that, when processed by the vulnerable function, can lead to arbitrary code execution or other malicious outcomes. The attack vector is remote and does not require any authentication or user interaction, increasing the risk of exploitation. Although the vendor was notified early, there has been no response or patch released to date. The CVSS 4.0 base score is 6.9, indicating a medium severity level, with an exploitability rating of low complexity and no privileges or user interaction required. The vulnerability impacts confidentiality, integrity, and availability to a limited extent, as indicated by the CVSS vector. No known exploits are currently observed in the wild, but public exploit code has been released, raising the likelihood of future attacks. The lack of vendor response and patch availability increases the urgency for organizations to implement mitigations proactively.

For European organizations, this vulnerability poses a significant risk, especially for those utilizing lmsys sglang 0.4.6 in their machine learning workflows or tensor processing pipelines. Successful exploitation could lead to unauthorized remote code execution, potentially allowing attackers to compromise sensitive data, disrupt operations, or pivot within internal networks. Given the remote and unauthenticated nature of the exploit, attackers could target exposed services or APIs that process serialized tensor data. This could impact sectors relying on AI/ML infrastructure, including finance, healthcare, manufacturing, and research institutions across Europe. The medium severity rating suggests that while the impact is not catastrophic, it is substantial enough to warrant immediate attention. The absence of vendor patches means organizations must rely on compensating controls to prevent exploitation. Additionally, the public availability of exploit code increases the risk of opportunistic attacks, making timely mitigation critical to protect European digital assets and maintain compliance with data protection regulations such as GDPR.

Given the absence of an official patch, European organizations should implement the following specific mitigations: 1) Restrict network access to services handling serialized_named_tensors to trusted internal networks or VPNs, minimizing exposure to untrusted external sources. 2) Employ strict input validation and sanitization at the application layer to detect and reject malformed or unexpected serialized data before deserialization. 3) Utilize runtime application self-protection (RASP) or web application firewalls (WAFs) with custom rules to monitor and block suspicious deserialization patterns or anomalous payloads targeting the vulnerable function. 4) Isolate the vulnerable component within a sandboxed environment or container to limit the blast radius of a potential compromise. 5) Monitor logs and network traffic for indicators of exploitation attempts, including unusual deserialization activity or remote code execution indicators. 6) Plan and prioritize upgrading to a patched version once available or consider alternative software solutions without this vulnerability. 7) Conduct regular security assessments and penetration tests focusing on deserialization attack vectors to validate the effectiveness of implemented controls.