CVE-2024-52803: LLama Factory Remote OS Command Injection Vulnerability

November 21, 2024

A critical remote OS command injection vulnerability has been identified in the Llama Factory training process. This vulnerability arises from improper handling of user input, allowing malicious actors to execute arbitrary OS commands on the host system. The issue is caused by insecure usage of the Popen function with shell=True, coupled with unsanitized user input. Immediate remediation is required to mitigate the risk.

References

github.com/advisories/GHSA-hj3w-wrh4-44vp
github.com/hiyouga/LLaMA-Factory
github.com/hiyouga/LLaMA-Factory/commit/b3aa80d54a67da45e9e237e349486fb9c162b2ac
github.com/hiyouga/LLaMA-Factory/security/advisories/GHSA-hj3w-wrh4-44vp
nvd.nist.gov/vuln/detail/CVE-2024-52803

Detect and mitigate CVE-2024-52803 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →