This vulnerability arises in the get_tokenizer function of sgl-project SGLang (up to version 0.5.9) within the file python/sglang/srt/utils/hf_transformers_utils.py. When a caller sets trust_remote_code=False to prevent execution of remote code, the function silently overrides this to True upon re-invoking AutoTokenizer.from_pretrained if HuggingFace transformers v5 returns a TokenizersBackend instance. This behavior enables a malicious model repository containing a crafted tokenizer.py referenced via auto_map in tokenizer_config.json to execute arbitrary Python code within the SGLang process. Both tokenizer_mode="auto" and "slow" are affected. The vulnerability is present in all current SGLang versions due to the pinned transformers==5.3.0 dependency. The exploit is public, but no official fix or patch has been released.

Successful exploitation allows remote attackers to execute arbitrary Python code within the SGLang process by supplying a malicious tokenizer model repository. This could lead to unauthorized code execution with the privileges of the SGLang application. The attack complexity is high and exploitability is difficult. No user interaction is required, and no logs or warnings are generated during exploitation. The vulnerability affects all versions up to 0.5.9 due to the pinned transformers dependency. There is no indication of known exploits in the wild at this time.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. The vendor has not responded to disclosure and no official fix or patch is available. Until a patch is released, users should avoid using untrusted or remote tokenizer models with SGLang, especially when relying on the trust_remote_code setting. Monitoring for updates from the vendor or community is recommended to apply any forthcoming fixes.