Remote OS Command Injection in LLama Factory from Hiyouga
CVE-2024-52803
Currently unrated
What is CVE-2024-52803?
A vulnerability has been discovered in the LLama Factory training process, where improper handling of user input can lead to remote OS command injection. The root cause is a call to subprocess.Popen with shell=True on a command string assembled from unsanitized user-supplied input: because the string is parsed by the system shell, metacharacters in that input (a semicolon, a pipe, $(...) or backticks) are executed as additional commands instead of being passed as literal arguments. As a result, an attacker who can supply training parameters can execute arbitrary commands on the host system with the privileges of the LLama Factory process. Users should upgrade to version 0.9.1 or later to prevent potential exploitation; until the upgrade is applied, the training interface should not be exposed to untrusted users or networks.
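The following is an added illustration of the Popen pattern described above, not code from LLama Factory or its fix. It uses the harmless command echo in place of the real training launcher and assumes a POSIX shell (/bin/sh); the function names run_vulnerable, run_quoted, run_hardened and is_safe_path_arg, and the sample field value, are constructed for the demo. The vulnerable form hands a string built from a user-controlled training field to the shell; the hardened form passes an argv list with shell=False so the same input stays inside one argument, and an allowlist check rejects the value before it reaches the launcher at all.

```python
import re
import shlex
import subprocess

# Constructed sample value: a training-form field (an output directory here)
# that an attacker fills in with shell metacharacters. Any field that is
# interpolated into the command string would do.
MALICIOUS_OUTPUT_DIR = "saves/run1; echo INJECTED"

# Hypothetical launcher. "echo" stands in for the real training entry point
# so the demo is harmless; the Popen pattern is what matters.
LAUNCHER = "echo"


def run_vulnerable(output_dir: str) -> str:
    """The pattern the advisory describes: a command string is built from user
    input and handed to Popen with shell=True, so /bin/sh parses it and the
    ';' in the input terminates the intended command and starts a new one."""
    cmd = f"{LAUNCHER} --output_dir {output_dir}"
    proc = subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE, text=True)
    out, _ = proc.communicate()
    return out


def run_quoted(output_dir: str) -> str:
    """If a shell really is required, shlex.quote() wraps the value so the
    shell treats it as one literal word. Still weaker than avoiding the shell,
    because every interpolated value must be quoted without exception."""
    cmd = f"{LAUNCHER} --output_dir {shlex.quote(output_dir)}"
    proc = subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE, text=True)
    out, _ = proc.communicate()
    return out


def run_hardened(output_dir: str) -> str:
    """Hardened form: an argv list with shell=False. No shell parses the
    arguments, so metacharacters in user input remain inside one argument."""
    argv = [LAUNCHER, "--output_dir", output_dir]
    proc = subprocess.Popen(argv, shell=False, stdout=subprocess.PIPE, text=True)
    out, _ = proc.communicate()
    return out


# Allowlist for path-like training arguments: letters, digits, '.', '_', '-'
# and '/' only, and no '..' segments. Validation is defence in depth on top
# of shell=False, not a replacement for it.
_PATH_ARG = re.compile(r"^[A-Za-z0-9._\-/]+$")


def is_safe_path_arg(value: str) -> bool:
    if not _PATH_ARG.fullmatch(value):
        return False
    return ".." not in value.split("/")


if __name__ == "__main__":
    print("shell=True  :", repr(run_vulnerable(MALICIOUS_OUTPUT_DIR)))
    print("shlex.quote :", repr(run_quoted(MALICIOUS_OUTPUT_DIR)))
    print("argv list   :", repr(run_hardened(MALICIOUS_OUTPUT_DIR)))
    print("allowlisted :", is_safe_path_arg(MALICIOUS_OUTPUT_DIR))
```

Run stand-alone, the shell=True variant prints two lines (the second being the injected command's output), while both the quoted and the argv-list variants print the attacker's text as a single literal argument and the allowlist rejects it outright. When auditing a codebase for this class of bug, search for Popen, run, call and os.system with shell=True and trace each command string back to its inputs.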
