Vulnerability  ·  2026-06-10

CVE-2026-7304 — SGLang Unauthenticated RCE via Unsafe dill.loads Deserialization in Custom Logit Processor

Vulnerability · High impact · Global · CVE-2026-7304
SGLang, one of the most widely deployed open-source LLM inference servers (used for DeepSeek-R1, GLM-4, and other popular models), deserialises attacker-controlled bytes via dill.loads() when the --enable-custom-logit-processor feature flag is set. Because dill, like pickle, calls whatever callable an object's __reduce__ method recorded when it was serialised, a single HTTP POST to the /generate endpoint containing a crafted sampling_params.custom_logit_processor field triggers arbitrary OS command execution inside the GPU inference worker before a single token is sampled. No authentication is required. The official deployment guides for DeepSeek-R1 on Docker, SkyPilot, and AWS SageMaker recommend --host 0.0.0.0 and the feature flag, making many production instances directly internet-exposed.
The attacker sends one HTTP POST to /generate (or the OpenAI-compatible /v1/completions endpoint) with a hex-encoded dill payload in sampling_params.custom_logit_processor. The payload fires on deserialisation before any prompt processing; no authentication, no rate limit, and no prior access to the system is required on a default internet-facing deployment.
SGLang inference servers started with --enable-custom-logit-processor. Particularly at risk: production DeepSeek-R1 and GLM-4 deployments following official documentation; research clusters and cloud GPU instances exposed on all interfaces as recommended by Docker Compose examples. The attacker gains the privileges of the inference worker process (often root in containers).
Disable --enable-custom-logit-processor unless strictly required. If required: restrict the /generate endpoint behind authentication and network controls so only trusted callers can reach it; replace dill deserialisation with an allow-listed, signature-verified, length-limited processor loading mechanism. Audit all SGLang deployments for internet exposure on port 30000.
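One way to build the allow-listed, signature-verified, length-limited loader recommended above, as an added example (not SGLang's code or API). The envelope format, sign_spec, load_processor, the BanTokens processor, the shared HMAC key and the 4096-character cap are all assumptions made for illustration.

```python
import hashlib
import hmac
import json

MAX_FIELD_CHARS = 4096  # assumed cap on the request field


class BanTokens:
    """Hypothetical server-side processor: masks the listed token ids."""
    def __init__(self, token_ids):
        ok = isinstance(token_ids, list) and all(type(t) is int for t in token_ids)
        if not ok:
            raise ValueError("token_ids must be a list of ints")
        self.token_ids = set(token_ids)

    def __call__(self, logits):
        return [float("-inf") if i in self.token_ids else v
                for i, v in enumerate(logits)]


# Clients can only name a processor that the server already ships.
ALLOWED = {"ban_tokens": BanTokens}


def _mac(key, body):
    return hmac.new(key, body.encode(), hashlib.sha256).digest()


def sign_spec(key, name, params):
    """Trusted caller side: wrap a JSON spec and its HMAC-SHA256 tag."""
    body = json.dumps({"name": name, "params": params}, sort_keys=True)
    return json.dumps({"body": body, "sig": _mac(key, body).hex()})


def load_processor(key, field):
    """Server side: data-only parsing, nothing from the request is executed."""
    if not isinstance(field, str) or len(field) > MAX_FIELD_CHARS:
        raise ValueError("field missing or too long")
    try:
        envelope = json.loads(field)
        body, sig = envelope["body"], bytes.fromhex(envelope["sig"])
        if not isinstance(body, str):
            raise TypeError("body must be a string")
        expected = _mac(key, body)
    except (ValueError, KeyError, TypeError) as exc:
        raise ValueError("malformed envelope") from exc
    if not hmac.compare_digest(expected, sig):  # constant-time compare
        raise PermissionError("signature mismatch")
    spec = json.loads(body)  # only parsed after the tag has verified
    cls = ALLOWED.get(spec.get("name"))
    if cls is None:
        raise LookupError("processor is not allow-listed")
    return cls(**spec.get("params", {}))
```

The request carries only a processor name and JSON parameters, so a hex blob in the old dill format fails at the envelope check instead of reaching a deserialiser.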
Sources
SecureLayer7 — CVE-2026-7304: SGLang Unauthenticated RCE via dill.loads
NVD — CVE-2026-7304