HIGH · CVE-2025-53002 · CVSS 8.3

LLaMA-Factory allows Code Injection through improper vhead_file safeguards


Platform

python

Component

llamafactory

Fixed in

0.9.5

0.9.4

AI Confidence: high · NVD · EPSS 1.6% · Reviewed: May 2026

A critical remote code execution (RCE) vulnerability has been identified in the llamafactory training process, affecting versions up to and including 0.9.3. The flaw lets an attacker execute arbitrary code on the host system by manipulating the Checkpoint path parameter through the WebUI interface. Exploitation is stealthy and leaves the victim unaware of the compromise; its root cause is the insecure loading of the vhead_file without the weights_only=True safeguard. A patch is available in version 0.9.4.


Impact and Attack Scenarios

The impact of this vulnerability is severe. An attacker can gain complete control over the affected system by injecting malicious code through the Checkpoint path parameter. This could lead to data exfiltration, system compromise, and lateral movement within the network. Because exploitation produces no visible sign of compromise, the attacker can operate undetected for an extended period. Since the vulnerability is reachable through the WebUI interface, it is accessible to attackers with minimal interaction, which significantly broadens the attack surface. The direct cause is the absence of the weights_only=True parameter when the vhead_file is loaded, which allows arbitrary code execution.

Exploitation Context

This vulnerability is currently not listed on the CISA KEV catalog. Public proof-of-concept (PoC) code is likely to emerge given the ease of exploitation. The CVSS score of 8.3 (HIGH) indicates a significant risk. The vulnerability's stealthy nature and ease of exploitation suggest a potential for active exploitation campaigns, particularly targeting environments utilizing llamafactory for training purposes. The vulnerability was publicly disclosed on 2025-06-27.

Who Is at Risk

Organizations and individuals utilizing llamafactory for machine learning model training, particularly those running versions 0.9.3 or earlier, are at significant risk. This includes researchers, developers, and companies deploying llamafactory in production environments. Shared hosting environments where llamafactory is installed could also be vulnerable if the hosting provider hasn't applied the necessary updates.

Detection Steps

• python / llamafactory:

import re
from importlib.metadata import PackageNotFoundError, version as installed_version

# First release that enforces weights_only=True when loading the vhead_file.
FIXED_IN = (0, 9, 4)

def parse_version(text):
    """Turn '0.9.3' (or '0.9.3.dev0') into a tuple of ints for comparison.
    Plain string comparison is wrong: '0.10.0' <= '0.9.3' is True lexicographically."""
    parts = []
    for piece in text.strip().split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    return tuple(parts)

def check_llamafactory_version():
    try:
        # Read the installed PyPI package metadata instead of shelling out to a CLI.
        version = installed_version("llamafactory")
    except PackageNotFoundError:
        print("llamafactory not found.")
        return
    if parse_version(version) < FIXED_IN:
        print(f"Vulnerability detected: llamafactory version {version} is vulnerable.")
    else:
        print(f"llamafactory version {version} is patched.")

check_llamafactory_version()

• generic web:

curl -I http://your-llamafactory-server/WebUI/checkpoint | grep -i 'checkpoint path'

• generic web: Check access logs for requests containing unusual or long Checkpoint path parameters.

Attack Timeline

  1. Disclosure
  2. Patch

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Internet exposure: High

EPSS

1.62% (82nd percentile)

CISA SSVC

Exploitation: poc
Automatable: no
Technical Impact: partial

CVSS Vector

CVSS 3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:H (8.3, HIGH)

Attack Vector: Network (how the attacker reaches the target)
Attack Complexity: Low (conditions required to exploit)
Privileges Required: Low (authentication level required for the attack)
User Interaction: None (whether the victim must take action)
Scope: Unchanged (impact beyond the affected component)
Confidentiality: High (risk of sensitive data exposure)
Integrity: Low (risk of unauthorized data modification)
Availability: High (risk of service disruption)
Source: nextguardhq.com · CVSS v3.1 Base Score

What do these metrics mean?

Attack Vector: Network. Exploitable remotely over the internet; no physical or local access required.
Attack Complexity: Low. No special conditions required; reliably exploitable.
Privileges Required: Low. Any valid user account is sufficient.
User Interaction: None. Automatic and silent attack; the victim does nothing.
Scope: Unchanged. Impact is limited to the vulnerable component.
Confidentiality: High. Complete loss of confidentiality; the attacker can read all data.
Integrity: Low. The attacker can modify some data, to a limited extent.
Availability: High. Complete crash or resource exhaustion; total denial of service.

Affected Software

Component: llamafactory
Vendor: osv

Affected range / Fixed in
< 0.9.4 / 0.9.5
0.9.3 / 0.9.4

Weakness Classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. EPSS updated

Patched 188 days after disclosure

Mitigation and Workarounds

The primary mitigation is to immediately upgrade to llamafactory version 0.9.4 or later, which addresses the insecure file loading. If upgrading is not immediately feasible, consider implementing temporary workarounds. Restrict access to the WebUI interface to trusted users only. Implement input validation on the Checkpoint path parameter to prevent malicious input. Monitor system logs for suspicious activity related to file loading and execution. Consider using a Web Application Firewall (WAF) to filter potentially malicious requests. After upgrading, confirm the fix by attempting to load a checkpoint with a deliberately crafted, but harmless, path to verify that the weights_only=True parameter is now enforced.
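As an added example (not code from the advisory or from the LLaMA-Factory project), the check below inspects a checkpoint before it is handed to a loader: it disassembles the pickle stream with pickletools and reports every global the stream would import, flagging anything outside a small allowlist. A plain weights file references nothing but torch, collections and numpy; any other global is exactly what weights_only=True refuses and what an unsafe load would execute. The zip layout (<name>/data.pkl), the v_head key names and the Fraction-bearing sample are assumptions constructed for the demo.

```python
import io
import pickle
import pickletools
import zipfile
from fractions import Fraction  # only used to build the constructed sample below

# Top-level modules a plain state_dict legitimately references; any other
# global is a constructor torch.load would run unless weights_only=True is set.
ALLOWED_TOP_LEVEL = {"torch", "collections", "numpy", "_codecs"}
_STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE",
               "STRING", "BINSTRING", "SHORT_BINSTRING"}

def extract_pickle(data: bytes) -> bytes:
    """torch.save zip layout (assumed): <name>/data.pkl; raw pickles pass through."""
    buf = io.BytesIO(data)
    if zipfile.is_zipfile(buf):
        with zipfile.ZipFile(buf) as zf:
            pkl = [n for n in zf.namelist() if n.endswith("data.pkl")]
            if not pkl:
                raise ValueError("zip checkpoint without data.pkl")
            return zf.read(pkl[0])
    return data

def referenced_globals(data: bytes) -> list:
    """(module, name) pairs the pickle imports, read by disassembly, never by execution."""
    refs, strings = [], []
    for op, arg, _pos in pickletools.genops(extract_pickle(data)):
        if op.name in _STRING_OPS:
            strings.append(arg)           # operands of a following STACK_GLOBAL
        elif op.name == "GLOBAL":         # protocol <= 3 form: "module name"
            refs.append(tuple(arg.split(" ", 1)))
        elif op.name == "STACK_GLOBAL":   # protocol 4+ form: two preceding strings
            refs.append((strings[-2], strings[-1]))
    return refs

def unsafe_globals(data: bytes) -> list:
    """Globals outside the allowlist; a clean weights file returns []."""
    return [(m, n) for m, n in referenced_globals(data)
            if m.split(".")[0] not in ALLOWED_TOP_LEVEL]

def build_samples() -> dict:
    """Constructed inputs, not real LLaMA-Factory checkpoints: a benign value-head
    state dict (raw and zip-wrapped) and one carrying a non-allowlisted class."""
    benign = pickle.dumps({"v_head.summary.weight": [[0.1, 0.2]]}, protocol=2)
    flagged = pickle.dumps({"v_head.summary.weight": Fraction(1, 2)}, protocol=4)
    zipped = io.BytesIO()
    with zipfile.ZipFile(zipped, "w") as zf:
        zf.writestr("archive/data.pkl", benign)
    return {"benign": benign, "flagged": flagged, "zipped": zipped.getvalue()}
```

Run unsafe_globals over a checkpoint taken from an untrusted path before loading it; a non-empty result means the file must be rejected regardless of the loader's settings.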

How to Fix

Update LLaMA-Factory to version 0.9.4 or later. This fixes the remote code execution vulnerability by loading the `vhead_file` with the proper safety parameters. The update prevents execution of malicious code through the WebUI interface.


Frequently Asked Questions

What is CVE-2025-53002 — RCE in llamafactory ≤0.9.3?

CVE-2025-53002 is a critical remote code execution vulnerability in llamafactory versions 0.9.3 and earlier. Attackers can execute arbitrary code via a malicious Checkpoint path parameter in the WebUI interface.

Am I affected by CVE-2025-53002 in llamafactory?

You are affected if you are using llamafactory version 0.9.3 or earlier. Upgrade to version 0.9.4 or later to mitigate the risk.

How do I fix CVE-2025-53002 in llamafactory?

Upgrade to llamafactory version 0.9.4 or later. As a temporary workaround, restrict access to the WebUI and validate input parameters.

Is CVE-2025-53002 being actively exploited?

While there's no confirmed active exploitation at this time, the vulnerability's ease of exploitation suggests a potential for future attacks.

Where can I find the official llamafactory advisory for CVE-2025-53002?

Refer to the llamafactory project's official repository and release notes for the advisory and update information.
