Platform
python
Component
llamafactory
Fixed in
0.9.5
0.9.4
A critical remote code execution (RCE) vulnerability has been identified within the llamafactory training process, specifically affecting versions up to 0.9.3. This flaw allows attackers to execute arbitrary code on the host system by manipulating the Checkpoint path parameter through the WebUI interface. The exploitation is stealthy, leaving victims unaware of the compromise, and is rooted in the insecure loading of the vheadfile without the weightsonly=True safeguard. A patch is available in version 0.9.4.
The impact of this vulnerability is severe. An attacker can gain complete control over the affected system by injecting malicious code through the Checkpoint path parameter. This could lead to data exfiltration, system compromise, and potential lateral movement within the network. The lack of awareness during exploitation further exacerbates the risk, as the attacker can operate undetected for an extended period. The vulnerability's reliance on the WebUI interface makes it accessible to attackers with minimal interaction, significantly broadening the potential attack surface. The absence of the weightsonly=True parameter during vheadfile loading is the direct cause, allowing arbitrary code execution.
This vulnerability is currently not listed on the CISA KEV catalog. Public proof-of-concept (PoC) code is likely to emerge given the ease of exploitation. The CVSS score of 8.3 (HIGH) indicates a significant risk. The vulnerability's stealthy nature and ease of exploitation suggest a potential for active exploitation campaigns, particularly targeting environments utilizing llamafactory for training purposes. The vulnerability was publicly disclosed on 2025-06-27.
Exploit Status
EPSS
1.62% (82% percentile)
CISA SSVC
CVSS Vector
The primary mitigation is to immediately upgrade to llamafactory version 0.9.4 or later, which addresses the insecure file loading. If upgrading is not immediately feasible, consider implementing temporary workarounds. Restrict access to the WebUI interface to trusted users only. Implement input validation on the Checkpoint path parameter to prevent malicious input. Monitor system logs for suspicious activity related to file loading and execution. Consider using a Web Application Firewall (WAF) to filter potentially malicious requests. After upgrading, confirm the fix by attempting to load a checkpoint with a deliberately crafted, but harmless, path to verify that the weights_only=True parameter is now enforced.
Actualice LLaMA-Factory a la versión 0.9.4 o superior. Esto corrige la vulnerabilidad de ejecución remota de código al cargar el archivo `vhead_file` con los parámetros de seguridad adecuados. La actualización previene la ejecución de código malicioso a través de la interfaz WebUI.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2025-53002 is a critical remote code execution vulnerability in llamafactory versions 0.9.3 and earlier. Attackers can execute arbitrary code via a malicious Checkpoint path parameter in the WebUI interface.
You are affected if you are using llamafactory version 0.9.3 or earlier. Upgrade to version 0.9.4 or later to mitigate the risk.
Upgrade to llamafactory version 0.9.4 or later. As a temporary workaround, restrict access to the WebUI and validate input parameters.
While there's no confirmed active exploitation at this time, the vulnerability's ease of exploitation suggests a potential for future attacks.
Refer to the llamafactory project's official repository and release notes for the advisory and update information.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your requirements.txt file and we'll tell you instantly if you're affected.