cve-2025-53002
Vulnerability from cvelistv5
Published
2025-06-26 14:40
Modified
2025-06-26 15:12
Severity ?
EPSS score ?
Summary
LLaMA-Factory Remote Code Execution (RCE) Vulnerability
References
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| hiyouga | LLaMA-Factory |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-53002",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-26T15:05:57.527009Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-26T15:12:51.382Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "LLaMA-Factory",
"vendor": "hiyouga",
"versions": [
{
"status": "affected",
"version": "\u003c 0.9.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "LLaMA-Factory is a tuning library for large language models. A remote code execution vulnerability was discovered in LLaMA-Factory versions up to and including 0.9.3 during the LLaMA-Factory training process. This vulnerability arises because the `vhead_file` is loaded without proper safeguards, allowing malicious attackers to execute arbitrary malicious code on the host system simply by passing a malicious `Checkpoint path` parameter through the `WebUI` interface. The attack is stealthy, as the victim remains unaware of the exploitation. The root cause is that the `vhead_file` argument is loaded without the secure parameter `weights_only=True`. Version 0.9.4 contains a fix for the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502: Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-26T14:40:52.764Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/hiyouga/LLaMA-Factory/security/advisories/GHSA-xj56-p8mm-qmxj",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/hiyouga/LLaMA-Factory/security/advisories/GHSA-xj56-p8mm-qmxj"
},
{
"name": "https://github.com/hiyouga/LLaMA-Factory/commit/bb7bf51554d4ba8432333c35a5e3b52705955ede",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/hiyouga/LLaMA-Factory/commit/bb7bf51554d4ba8432333c35a5e3b52705955ede"
},
{
"name": "https://drive.google.com/file/d/1AddKm2mllsXfuvL4Tvbn_WJdjEOYXx4y/view?usp=sharing",
"tags": [
"x_refsource_MISC"
],
"url": "https://drive.google.com/file/d/1AddKm2mllsXfuvL4Tvbn_WJdjEOYXx4y/view?usp=sharing"
}
],
"source": {
"advisory": "GHSA-xj56-p8mm-qmxj",
"discovery": "UNKNOWN"
},
"title": "LLaMA-Factory Remote Code Execution (RCE) Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-53002",
"datePublished": "2025-06-26T14:40:52.764Z",
"dateReserved": "2025-06-24T03:50:36.795Z",
"dateUpdated": "2025-06-26T15:12:51.382Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2025-53002\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-06-26T15:15:23.873\",\"lastModified\":\"2025-09-02T17:49:44.077\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"LLaMA-Factory is a tuning library for large language models. A remote code execution vulnerability was discovered in LLaMA-Factory versions up to and including 0.9.3 during the LLaMA-Factory training process. This vulnerability arises because the `vhead_file` is loaded without proper safeguards, allowing malicious attackers to execute arbitrary malicious code on the host system simply by passing a malicious `Checkpoint path` parameter through the `WebUI` interface. The attack is stealthy, as the victim remains unaware of the exploitation. The root cause is that the `vhead_file` argument is loaded without the secure parameter `weights_only=True`. Version 0.9.4 contains a fix for the issue.\"},{\"lang\":\"es\",\"value\":\"LLaMA-Factory es una librer\u00eda de optimizaci\u00f3n para modelos de lenguaje grandes. Se descubri\u00f3 una vulnerabilidad de ejecuci\u00f3n remota de c\u00f3digo en versiones de LLaMA-Factory hasta la 0.9.3 (incluida) durante su entrenamiento. Esta vulnerabilidad surge porque el `vhead_file` se carga sin las protecciones adecuadas, lo que permite a atacantes maliciosos ejecutar c\u00f3digo malicioso arbitrario en el sistema host simplemente pasando el par\u00e1metro `Checkpoint path` malicioso a trav\u00e9s de la interfaz `WebUI`. El ataque es sigiloso, ya que la v\u00edctima desconoce la explotaci\u00f3n. La causa principal es que el argumento `vhead_file` se carga sin el par\u00e1metro seguro `weights_only=True`. La versi\u00f3n 0.9.4 contiene una soluci\u00f3n para este problema.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:H\",\"baseScore\":8.3,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.5},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-94\"},{\"lang\":\"en\",\"value\":\"CWE-502\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:hiyouga:llama-factory:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"0.9.4\",\"matchCriteriaId\":\"B9CFDBF9-20D2-4910-BD79-B1F8F7F60071\"}]}]}],\"references\":[{\"url\":\"https://drive.google.com/file/d/1AddKm2mllsXfuvL4Tvbn_WJdjEOYXx4y/view?usp=sharing\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\"]},{\"url\":\"https://github.com/hiyouga/LLaMA-Factory/commit/bb7bf51554d4ba8432333c35a5e3b52705955ede\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/hiyouga/LLaMA-Factory/security/advisories/GHSA-xj56-p8mm-qmxj\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Third Party Advisory\",\"Exploit\"]}]}}"
}
}
ghsa-xj56-p8mm-qmxj
Vulnerability from github
Published
2025-06-27 15:27
Modified
2025-06-27 15:27
Severity ?
Summary
LLaMA-Factory allows Code Injection through improper vhead_file safeguards
Details
Summary
A critical remote code execution vulnerability was discovered during the Llama Factory training process. This vulnerability arises because the vhead_file is loaded without proper safeguards, allowing malicious attackers to execute arbitrary malicious code on the host system simply by passing a malicious Checkpoint path parameter through the WebUI interface. The attack is stealthy, as the victim remains unaware of the exploitation. The root cause is that the vhead_file argument is loaded without the secure parameter weights_only=True.
Note: In torch versions <2.6, the default setting is weights_only=False, and Llama Factory's setup.py only requires torch>=2.0.0.
Affected Version
Llama Factory versions <=0.9.3 are affected by this vulnerability.
Details
-
In LLaMA Factory's WebUI, when a user sets the
Checkpoint path, it modifies theadapter_name_or_pathparameter passed to the training process. code in src/llamafactory/webui/runner.py -
The
adapter_name_or_pathpassed to the training process is then used insrc/llamafactory/model/model_utils/valuehead.pyto fetch the correspondingvalue_head.binfile from Hugging Face. This file is subsequently loaded viatorch.load()without the security parameterweights_only=Truebeing set, resulting in remote code execution. code in src/llamafactory/model/model_utils/valuehead.py
PoC
Steps to Reproduce
- Deploy llama factory.
- Remote attack through the WebUI interface
- Configure
Model nameandModel pathcorrectly. For demonstration purposes, we'll use a small modelllamafactory/tiny-random-Llama-3to accelerate model loading. - Set
Finetuning methodtoLoRAandTrain StagetoReward Modeling. The vulnerability is specifically triggered during the Reward Modeling training stage. - Input a malicious Hugging Face path in
Checkpoint path– here we usepaulinsider/llamafactory-hack. This repository(https://huggingface.co/paulinsider/llamafactory-hack/tree/main ) contains a maliciousvalue_head.binfile. The generation method for this file is as follows (it can execute arbitrary attack commands; for demonstration, we configured it to create aHACKED!folder). - Click
Startto begin training. After a brief wait, aHACKED!folder will be created on the server. Note that arbitrary malicious code could be executed through this method.
- Configure
The video demonstration of the vulnerability exploitation is available at the Google Drive Link
Impact
Exploitation of this vulnerability allows remote attackers to: - Execute arbitrary malicious code / OS commands on the server. - Potentially compromise sensitive data or escalate privileges. - Deploy malware or create persistent backdoors in the system. This significantly increases the risk of data breaches and operational disruption.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "llamafactory"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "0.9.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-53002"
],
"database_specific": {
"cwe_ids": [
"CWE-94"
],
"github_reviewed": true,
"github_reviewed_at": "2025-06-27T15:27:01Z",
"nvd_published_at": "2025-06-26T15:15:23Z",
"severity": "HIGH"
},
"details": "### Summary\nA critical remote code execution vulnerability was discovered during the Llama Factory training process. This vulnerability arises because the `vhead_file` is loaded without proper safeguards, allowing malicious attackers to execute arbitrary malicious code on the host system simply by passing a malicious `Checkpoint path` parameter through the `WebUI` interface. The attack is stealthy, as the victim remains unaware of the exploitation. The root cause is that the `vhead_file` argument is loaded without the secure parameter `weights_only=True`.\n\nNote: In torch versions \u003c2.6, the default setting is `weights_only=False`, and Llama Factory\u0027s `setup.py` only requires `torch\u003e=2.0.0`.\n\n### Affected Version\n\nLlama Factory versions \u003c=0.9.3 are affected by this vulnerability.\n\n### Details\n\n1. In LLaMA Factory\u0027s WebUI, when a user sets the `Checkpoint path`, it modifies the `adapter_name_or_path` parameter passed to the training process.\ncode in src/llamafactory/webui/runner.py\n\u003cimg width=\"1040\" alt=\"image-1\" src=\"https://github.com/user-attachments/assets/c8bc79e4-ce7d-43c9-b0fd-e37c235e6585\" /\u003e\n\n2. The `adapter_name_or_path` passed to the training process is then used in `src/llamafactory/model/model_utils/valuehead.py` to fetch the corresponding `value_head.bin` file from Hugging Face. This file is subsequently loaded via `torch.load()` without the security parameter `weights_only=True` being set, resulting in remote code execution.\ncode in src/llamafactory/model/model_utils/valuehead.py\n\u003cimg width=\"1181\" alt=\"image-2\" src=\"https://github.com/user-attachments/assets/6edbe694-0c60-4a54-bfb3-5e1042c9230d\" /\u003e\n\n### PoC\n\n#### Steps to Reproduce\n\n1. Deploy llama factory.\n2. Remote attack through the WebUI interface\n 1. Configure `Model name` and `Model path` correctly. For demonstration purposes, we\u0027ll use a small model `llamafactory/tiny-random-Llama-3` to accelerate model loading.\n 2. Set `Finetuning method` to `LoRA` and `Train Stage` to `Reward Modeling`. The vulnerability is specifically triggered during the Reward Modeling training stage.\n 3. Input a malicious Hugging Face path in `Checkpoint path` \u2013 here we use `paulinsider/llamafactory-hack`. This repository(https://huggingface.co/paulinsider/llamafactory-hack/tree/main ) contains a malicious `value_head.bin` file. The generation method for this file is as follows (it can execute arbitrary attack commands; for demonstration, we configured it to create a `HACKED!` folder).\n 4. Click `Start` to begin training. After a brief wait, a `HACKED!` folder will be created on the server. Note that arbitrary malicious code could be executed through this method.\n\n**The video demonstration of the vulnerability exploitation is available at the** [Google Drive Link](https://drive.google.com/file/d/1AddKm2mllsXfuvL4Tvbn_WJdjEOYXx4y/view?usp=sharing) \n\n### Impact\nExploitation of this vulnerability allows remote attackers to:\n - Execute arbitrary malicious code / OS commands on the server.\n - Potentially compromise sensitive data or escalate privileges.\n - Deploy malware or create persistent backdoors in the system.\nThis significantly increases the risk of data breaches and operational disruption.",
"id": "GHSA-xj56-p8mm-qmxj",
"modified": "2025-06-27T15:27:02Z",
"published": "2025-06-27T15:27:01Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/hiyouga/LLaMA-Factory/security/advisories/GHSA-xj56-p8mm-qmxj"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53002"
},
{
"type": "WEB",
"url": "https://github.com/hiyouga/LLaMA-Factory/commit/bb7bf51554d4ba8432333c35a5e3b52705955ede"
},
{
"type": "PACKAGE",
"url": "https://github.com/hiyouga/LLaMA-Factory"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:H",
"type": "CVSS_V3"
}
],
"summary": "LLaMA-Factory allows Code Injection through improper vhead_file safeguards"
}
Loading...
Loading...
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.