Remote Code Execution through Jinja2 Chat Template Injection

Summary

llama-cpp-python is the Python bindings for llama.cpp. llama-cpp-python depends on class Llama in llama.py to load .gguf llama.cpp or Latency Machine Learning Models. The __init__ constructor built in the Llama takes several parameters to configure the loading and running of the model. Other than NUMA, LoRa settings, loading tokenizers, and hardware settings, __init__ also loads the chat template from targeted .gguf 's Metadata and furtherly parses it to llama_chat_format.Jinja2ChatFormatter.to_chat_handler() to construct the self.chat_handler for this model. Nevertheless, Jinja2ChatFormatter parse the chat template within the Metadate with sandbox-less jinja2.Environment, which is furthermore rendered in __call__ to construct the prompt of interaction. This allows jinja2 Server Side Template Injection which leads to remote code execution by a carefully constructed payload.

News Articles

The Hacker News

CVE-2024-34359CVE-2024-4367

Researchers Uncover Flaws in Python Package for AI Models and PDF.js Used by Firefox

Researchers uncover critical security flaws in two widely used software packages, llama_cpp_python for AI models and PDF.js used by the Firefox.

7 months ago

SecurityWeek

CVE-2024-34359

Critical Flaw in AI Python Package Can Lead to System and Data Compromise

A critical vulnerability tracked as CVE-2024-34359 and dubbed Llama Drama can allow hackers to target AI product developers.

7 months ago

SystemTek

CVE-2024-34359CVE-2024-30034

SystemTek - Technology news and information

Strategic Command facilitated a Five Eyes Combined Digital Leadership Forum in Portsmouth, bringing together Chief Information Officers, Chief Data Officers, Read More The American Radio Relay...

7 months ago

Refferences