Scanner gratuitement
HIGHCVE-2025-53002CVSS 8.3

LLaMA-Factory allows Code Injection through improper vhead_file safeguards

traduction en cours…

Plateforme

python

Composant

llamafactory

Corrigé dans

0.9.5

0.9.4

AI Confidence: highNVDEPSS 1.6%Révisé: mai 2026
Voir sur NVD
Sauvegarder
Traduction vers votre langue…

A critical remote code execution (RCE) vulnerability has been identified within the llamafactory training process, specifically affecting versions up to 0.9.3. This flaw allows attackers to execute arbitrary code on the host system by manipulating the Checkpoint path parameter through the WebUI interface. The exploitation is stealthy, leaving victims unaware of the compromise, and is rooted in the insecure loading of the vheadfile without the weightsonly=True safeguard. A patch is available in version 0.9.4.

Python

Détecte cette CVE dans ton projet

Téléverse ton fichier requirements.txt et nous te dirons instantanément si tu es affecté.

Téléverser requirements.txtFormats supportés: requirements.txt · Pipfile.lock

Impact et Scénarios d'Attaquetraduction en cours…

The impact of this vulnerability is severe. An attacker can gain complete control over the affected system by injecting malicious code through the Checkpoint path parameter. This could lead to data exfiltration, system compromise, and potential lateral movement within the network. The lack of awareness during exploitation further exacerbates the risk, as the attacker can operate undetected for an extended period. The vulnerability's reliance on the WebUI interface makes it accessible to attackers with minimal interaction, significantly broadening the potential attack surface. The absence of the weightsonly=True parameter during vheadfile loading is the direct cause, allowing arbitrary code execution.

Contexte d'Exploitationtraduction en cours…

This vulnerability is currently not listed on the CISA KEV catalog. Public proof-of-concept (PoC) code is likely to emerge given the ease of exploitation. The CVSS score of 8.3 (HIGH) indicates a significant risk. The vulnerability's stealthy nature and ease of exploitation suggest a potential for active exploitation campaigns, particularly targeting environments utilizing llamafactory for training purposes. The vulnerability was publicly disclosed on 2025-06-27.

Qui Est à Risquetraduction en cours…

Organizations and individuals utilizing llamafactory for machine learning model training, particularly those running versions 0.9.3 or earlier, are at significant risk. This includes researchers, developers, and companies deploying llamafactory in production environments. Shared hosting environments where llamafactory is installed could also be vulnerable if the hosting provider hasn't applied the necessary updates.

Étapes de Détectiontraduction en cours…

• python / llamafactory:

import os
import subprocess

def check_llamafactory_version():
    try:
        result = subprocess.check_output(['llamafactory', '--version'], stderr=subprocess.STDOUT, text=True)
        version = result.strip()
        if version <= '0.9.3':
            print(f"Vulnerability detected: llamafactory version {version} is vulnerable.")
        else:
            print(f"llamafactory version {version} is patched.")
    except FileNotFoundError:
        print("llamafactory not found.")
    except subprocess.CalledProcessError as e:
        print(f"Error checking version: {e}")

check_llamafactory_version()

• generic web:

curl -I http://your-llamafactory-server/WebUI/checkpoint | grep -i 'checkpoint path'

• generic web: Check access logs for requests containing unusual or long Checkpoint path parameters.

Chronologie de l'Attaque

  1. Disclosure

    disclosure

  2. Patch

    patch

Renseignement sur les Menaces

Statut de l'Exploit

Preuve de ConceptInconnu
CISA KEVNO
Exposition InternetÉlevée

EPSS

1.62% (percentile 82%)

CISA SSVC

Exploitationpoc
Automatisableno
Impact Techniquepartial

Vecteur CVSS

RENSEIGNEMENT SUR LES MENACES· CVSS 3.1CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:H8.3HIGHAttack VectorNetworkComment l'attaquant atteint la cibleAttack ComplexityLowConditions requises pour exploiterPrivileges RequiredLowNiveau d'authentification requisUser InteractionNoneSi une action de la victime est requiseScopeUnchangedImpact au-delà du composant affectéConfidentialityHighRisque d'exposition de données sensiblesIntegrityLowRisque de modification non autorisée de donnéesAvailabilityHighRisque d'interruption de servicenextguardhq.com · Score de base CVSS v3.1
Que signifient ces métriques?
Attack Vector
Réseau — exploitable à distance via internet. Aucun accès physique ou local requis.
Attack Complexity
Faible — aucune condition spéciale requise. Exploitable de manière fiable.
Privileges Required
Faible — tout compte utilisateur valide est suffisant.
User Interaction
Aucune — attaque automatique et silencieuse. La victime ne fait rien.
Scope
Inchangé — impact limité au composant vulnérable.
Confidentiality
Élevé — perte totale de confidentialité. L'attaquant peut lire toutes les données.
Integrity
Faible — l'attaquant peut modifier certaines données avec un impact limité.
Availability
Élevé — panne complète ou épuisement des ressources. Déni de service total.

Logiciel Affecté

Composantllamafactory
Fournisseurosv
Plage affectéeCorrigé dans
< 0.9.4 – < 0.9.40.9.5
0.9.30.9.4

Classification de Faiblesse (CWE)

CWE-94CWE-502

Chronologie

  1. Réservé
  2. Publiée
  3. EPSS mis à jour
Corrigé 188 jours après la divulgation

Mitigation et Contournementstraduction en cours…

The primary mitigation is to immediately upgrade to llamafactory version 0.9.4 or later, which addresses the insecure file loading. If upgrading is not immediately feasible, consider implementing temporary workarounds. Restrict access to the WebUI interface to trusted users only. Implement input validation on the Checkpoint path parameter to prevent malicious input. Monitor system logs for suspicious activity related to file loading and execution. Consider using a Web Application Firewall (WAF) to filter potentially malicious requests. After upgrading, confirm the fix by attempting to load a checkpoint with a deliberately crafted, but harmless, path to verify that the weights_only=True parameter is now enforced.

Comment corrigertraduction en cours…

Actualice LLaMA-Factory a la versión 0.9.4 o superior. Esto corrige la vulnerabilidad de ejecución remota de código al cargar el archivo `vhead_file` con los parámetros de seguridad adecuados. La actualización previene la ejecución de código malicioso a través de la interfaz WebUI.

Newsletter Sécurité CVE

Analyses de vulnérabilités et alertes critiques directement dans votre boîte mail.

Questions fréquentestraduction en cours…

What is CVE-2025-53002 — RCE in llamafactory ≤0.9.3?

CVE-2025-53002 is a critical remote code execution vulnerability in llamafactory versions 0.9.3 and earlier. Attackers can execute arbitrary code via a malicious Checkpoint path parameter in the WebUI interface.

Am I affected by CVE-2025-53002 in llamafactory?

You are affected if you are using llamafactory version 0.9.3 or earlier. Upgrade to version 0.9.4 or later to mitigate the risk.

How do I fix CVE-2025-53002 in llamafactory?

Upgrade to llamafactory version 0.9.4 or later. As a temporary workaround, restrict access to the WebUI and validate input parameters.

Is CVE-2025-53002 being actively exploited?

While there's no confirmed active exploitation at this time, the vulnerability's ease of exploitation suggests a potential for future attacks.

Where can I find the official llamafactory advisory for CVE-2025-53002?

Refer to the llamafactory project's official repository and release notes for the advisory and update information.

Ton projet est-il affecté ?

Téléverse ton fichier de dépendances et découvre instantanément si cette CVE et d'autres te touchent.

Scanner gratuitementRechercher des CVE