CVE-2025-10164: Deserialization in lmsys sglang

Severity: Medium
Tags: Vulnerability, CVE-2025-10164, cve, cve-2025-10164
Published: Tue Sep 09 2025 (09/09/2025, 18:32:06 UTC)
Source: CVE Database V5
Vendor/Project: lmsys
Product: sglang

Description

A security flaw has been discovered in lmsys sglang 0.4.6. Affected by this vulnerability is the function main of the file /update_weights_from_tensor. The manipulation of the argument serialized_named_tensors results in deserialization. The attack can be launched remotely. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way.

AI-Powered Analysis

Last updated: 09/09/2025, 18:42:36 UTC

Technical Analysis

CVE-2025-10164 is a deserialization vulnerability identified in version 0.4.6 of the lmsys sglang software, specifically within the function 'main' of the file '/update_weights_from_tensor'. The vulnerability arises from improper handling of the 'serialized_named_tensors' argument, which is deserialized without sufficient validation or sanitization. This flaw allows an attacker to remotely supply crafted serialized data that, when deserialized by the vulnerable function, can lead to arbitrary code execution or other malicious outcomes. The vulnerability is exploitable remotely without requiring authentication or user interaction, increasing its risk profile. Although the vendor was notified early, there has been no response or patch released to date.

The CVSS 4.0 base score is 6.9 (medium severity), reflecting the network attack vector, low attack complexity, and no privileges or user interaction needed. The impact on confidentiality, integrity, and availability is rated low individually but collectively significant enough to warrant attention. The exploit code has been publicly released, increasing the likelihood of exploitation, although no confirmed in-the-wild attacks have been reported yet.

The vulnerability affects only version 0.4.6 of sglang, so organizations using this specific version are at risk. Deserialization vulnerabilities are particularly dangerous because they can lead to remote code execution, data tampering, or denial of service depending on the deserialized payload and application context. Given the lack of vendor response, organizations must proactively address this issue.

Potential Impact

For European organizations, the impact of CVE-2025-10164 can be substantial if they rely on lmsys sglang 0.4.6 in their software stacks, particularly in environments processing serialized tensor data remotely. Successful exploitation could allow attackers to execute arbitrary code remotely, potentially leading to data breaches, system compromise, or service disruption. This could affect confidentiality by exposing sensitive data, integrity by allowing unauthorized data manipulation, and availability by causing crashes or denial of service. Sectors such as research institutions, AI/ML development companies, and technology firms using sglang for tensor operations may be particularly vulnerable. The public availability of exploit code increases the risk of opportunistic attacks, including by cybercriminals or state-sponsored actors targeting European entities. The absence of a vendor patch means organizations must rely on mitigation strategies to reduce exposure. Failure to address this vulnerability could result in regulatory consequences under GDPR if personal data is compromised, as well as reputational damage and operational downtime.

Mitigation Recommendations

Given the lack of an official patch, European organizations should implement the following specific mitigations:

1) Immediately audit and inventory all deployments of lmsys sglang to identify instances running version 0.4.6.
2) Where possible, upgrade to a later, patched version once available or consider downgrading if earlier versions are not vulnerable.
3) Implement network-level controls to restrict access to the vulnerable '/update_weights_from_tensor' functionality, limiting exposure to trusted networks or IP addresses only.
4) Employ application-layer input validation and filtering to detect and block suspicious serialized payloads before deserialization.
5) Use runtime application self-protection (RASP) or endpoint detection and response (EDR) tools to monitor for anomalous behavior indicative of exploitation attempts.
6) Consider sandboxing or isolating the sglang process to contain potential compromise.
7) Monitor threat intelligence feeds for any emerging exploit activity and update defenses accordingly.
8) Prepare incident response plans specifically addressing potential exploitation of deserialization vulnerabilities.

These targeted steps go beyond generic advice by focusing on access restriction, input validation, and monitoring tailored to the vulnerable component and attack vector.
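Mitigation 4 in practice, as an added example (not sglang's code and not part of the advisory): assuming the 'serialized_named_tensors' payload is a Python pickle stream, which this page does not state, an allowlisting unpickler refuses any global outside a fixed set before it is resolved. `ALLOWED_GLOBALS`, `MAX_PAYLOAD_BYTES`, `safe_loads` and `check` are hypothetical names, and both sample payloads are constructed.

```python
import io
import pickle
import subprocess
from collections import OrderedDict

# Assumed allowlist: the only (module, name) globals a payload may reference.
# A real deployment would list exactly what its tensor format needs.
ALLOWED_GLOBALS = {("collections", "OrderedDict")}
MAX_PAYLOAD_BYTES = 64 * 1024 * 1024  # assumed size cap

class PayloadRejected(Exception):
    """Raised when a payload fails validation; nothing from it is returned."""

class AllowlistUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        # Called for every GLOBAL / STACK_GLOBAL opcode, before the object
        # is imported. Refusing here means the callable is never resolved.
        if (module, name) not in ALLOWED_GLOBALS:
            raise PayloadRejected(f"global not allowed: {module}.{name}")
        return super().find_class(module, name)

def safe_loads(data: bytes):
    if len(data) > MAX_PAYLOAD_BYTES:
        raise PayloadRejected("payload too large")
    try:
        return AllowlistUnpickler(io.BytesIO(data)).load()
    except PayloadRejected:
        raise
    except Exception as exc:  # truncated or malformed stream
        raise PayloadRejected(f"malformed payload: {exc}") from exc

def check(data: bytes) -> str:
    """Return 'accepted' or the rejection reason, suitable for logging."""
    try:
        safe_loads(data)
        return "accepted"
    except PayloadRejected as exc:
        return f"rejected: {exc}"

# Constructed samples: plain data, and a stream that merely references a
# process-spawning class (a reference only; nothing is invoked).
SAMPLE_OK = pickle.dumps(OrderedDict(layer0=[0.1, 0.2]))
SAMPLE_BAD = pickle.dumps(subprocess.Popen)

if __name__ == "__main__":
    print(check(SAMPLE_OK))
    print(check(SAMPLE_BAD))
```

The check runs inside the loader rather than by pattern-matching the raw bytes, so it cannot be sidestepped by re-encoding the stream; the rejection reason is worth logging alongside the request source.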

Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-09-09T13:23:20.560Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68c0749c2bd84bebdc41b969

Added to database: 9/9/2025, 6:40:28 PM

Last enriched: 9/9/2025, 6:42:36 PM

Last updated: 9/9/2025, 6:42:36 PM
