
CVE-2025-53002: High Vulnerability in hiyouga LLaMA-Factory

A high-severity remote code execution vulnerability exists in hiyouga's LLaMA-Factory. Versions up to 0.9.3 are affected, allowing attackers to execute arbitrary code. Immediate patching is critical.

HIGH · CVSS 8.3 · Published June 26, 2025


LLaMA-Factory, a tuning library for large language models, has been found to contain a high-severity remote code execution vulnerability. This vulnerability affects all versions up to and including 0.9.3, and it allows attackers to execute arbitrary code on the host system. The issue arises from the improper handling of the `vhead_file` parameter, which is loaded without sufficient safeguards during the LLaMA-Factory training process.

The vulnerability is particularly concerning because it can be exploited through the `WebUI` interface by passing a malicious `Checkpoint path` parameter. The attack is stealthy: the attacker's code runs while the victim remains unaware. The root cause is that the file is loaded without the secure loading option `weights_only=True`. Version 0.9.4 has been released to address this issue.

Organizations using LLaMA-Factory should prioritize remediation to protect against potential exploitation of this vulnerability. The CVSS score of 8.3 indicates a high severity level, emphasizing the urgent need for immediate patching.

Risk to organizations includes potential unauthorized access and control over affected systems, leading to data breaches and operational disruptions.

Vulnerability Details

The vulnerability allows remote code execution due to improper handling of the `vhead_file` parameter in LLaMA-Factory versions up to and including 0.9.3. The vulnerability is classified under CWEs 94 (Code Injection) and 502 (Deserialization of Untrusted Data). The official description states that the `vhead_file` is loaded without proper safeguards, enabling malicious code execution.

The CVSS score of 9.8 from the NVD indicates a critical severity, while the score of 8.3 from GitHub denotes high severity. The difference arises from the specific parameters assessed, including the required privileges and the impact on confidentiality, integrity, and availability.

The vulnerability was published on June 26, 2025, and the last modification occurred on September 2, 2025. Organizations must ensure they are running version 0.9.4 or later to mitigate this risk.

Technical Analysis

The root cause of this vulnerability lies in the improper loading of the `vhead_file` parameter without adequate security checks. The attack vector is classified as network-based, allowing remote attackers to exploit the vulnerability without physical access to the system.

The attack complexity is low, and the privileges required are minimal, making it easier for attackers to exploit this vulnerability. No user interaction is needed, which further increases the risk. The vulnerability has high confidentiality and availability impact, alongside a low integrity impact.

Risk & Impact Analysis

The real-world deployment risk associated with this vulnerability is significant. Organizations utilizing LLaMA-Factory are exposed to potential unauthorized access and control over their systems. Attackers may leverage this vulnerability to execute arbitrary code, potentially leading to data breaches, service disruptions, and other serious consequences.

The blast radius for an attack exploiting this vulnerability is extensive, given that the affected software is used in various applications. Organizations should assess their exposure and the potential impact on their operations, as well as prioritize remediation based on the high CVSS score.

Organizations should address this vulnerability in their priority patch cycle to mitigate risks effectively.

Exploitation Status

| Signal | Status |
| --- | --- |
| Known Exploit | No |
| Public PoC | No |
| Actively Exploited | No |
| Ransomware Use | No |

Affected Versions

The vulnerability affects all LLaMA-Factory versions up to and including 0.9.3. Organizations should upgrade to version 0.9.4 or later to mitigate this vulnerability.

Mitigation & Remediation

Organizations must prioritize patching to version 0.9.4 to remediate this vulnerability. In addition to applying updates, ensure that configurations are reviewed for security best practices. If immediate patching is not feasible, consider implementing network controls to restrict access to the vulnerable application.

For further guidance on effective security testing, organizations can refer to penetration testing services to evaluate their security posture.

Detection Guidance

To effectively detect potential exploitation of this vulnerability, organizations should monitor for unusual log indicators related to the use of the `vhead_file` parameter. Behavioral anomalies in application performance or unexpected server responses may also indicate exploitation attempts.
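As a complement to upgrading, checkpoint files can be triaged before anything loads them. The following is an added example, not code from LLaMA-Factory or AppSecure: it lists the imports a checkpoint's pickle stream would perform, without executing it, and reports any outside an allowlist. It assumes the value-head file is a `torch.save` artifact (a zip container with a `.pkl` member, or a raw pickle stream); the `ALLOWED` set, the function names and the sample files are constructed for illustration.

```python
import io
import pickle
import pickletools
import zipfile
from collections import OrderedDict

# Assumed allowlist of imports a tensor-only torch.save file needs
# (illustrative; not LLaMA-Factory's or PyTorch's own list).
ALLOWED = {("collections", "OrderedDict"), ("torch._utils", "_rebuild_tensor_v2"),
           ("torch", "FloatStorage"), ("torch", "HalfStorage")}

def pickle_imports(data: bytes):
    """Yield (module, name) for each import opcode; nothing is executed."""
    stream = io.BytesIO(data)
    while stream.tell() < len(data):      # legacy files hold several pickles
        pushed = []                       # recent string pushes; None = unknown
        try:
            for op, arg, _pos in pickletools.genops(stream):
                if op.name in ("GLOBAL", "INST"):
                    yield tuple(arg.split(" ", 1))
                elif op.name == "STACK_GLOBAL":
                    yield tuple(([None, None] + pushed)[-2:])
                elif isinstance(arg, str):
                    pushed.append(arg)
                elif "GET" in op.name:    # memo lookup we do not resolve
                    pushed.append(None)
        except ValueError:                # non-pickle bytes, e.g. raw storage
            return

def audit_checkpoint(blob: bytes):
    """Return imports outside ALLOWED found in a checkpoint, sorted."""
    if zipfile.is_zipfile(io.BytesIO(blob)):          # torch.save zip container
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            parts = [zf.read(n) for n in zf.namelist() if n.endswith(".pkl")]
    else:
        parts = [blob]
    found = {imp for part in parts for imp in pickle_imports(part)}
    return sorted(found - ALLOWED, key=str)

def _as_zip(member: bytes) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("archive/data.pkl", member)
    return buf.getvalue()

# Constructed samples: a plain state dict, and a file whose pickle imports a
# callable outside the allowlist (harmless builtins.print as a stand-in).
BENIGN = _as_zip(pickle.dumps(OrderedDict(weight=[0.1, 0.2], bias=[0.0]), protocol=2))
SUSPECT = _as_zip(pickle.dumps(print, protocol=4))
```

`audit_checkpoint(open(path, "rb").read())` returns an empty list for a file that only references allowlisted names; an import it cannot resolve is reported as `None` rather than skipped. This is static triage and does not replace loading with `weights_only=True`.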

AppSecure Threat Intelligence Insight

This vulnerability highlights the ongoing risks associated with software libraries that lack proper validation checks. As organizations increasingly adopt AI and machine learning technologies, vulnerabilities in their underlying frameworks can have far-reaching implications. Security teams must remain vigilant and proactive in identifying and remediating such vulnerabilities.

For comprehensive security strategies, organizations should consider adopting a penetration testing methodology that encompasses regular security assessments.

Additionally, teams should stay updated on emerging threats through resources like the vulnerability management program, which can aid in understanding current trends.

Ultimately, a robust security posture requires continuous monitoring and adaptation to the evolving threat landscape.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
