CVE-2024-52803

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2024-52803

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-52803.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2024-52803

Aliases

GHSA-hj3w-wrh4-44vp

Published

2024-11-21T17:15:24Z

Modified

2025-05-17T21:03:33Z

Summary

[none]

Details

LLama Factory enables fine-tuning of large language models. A critical remote OS command injection vulnerability has been identified in the LLama Factory training process. This vulnerability arises from improper handling of user input, allowing malicious actors to execute arbitrary OS commands on the host system. The issue is caused by insecure usage of the Popen function with shell=True, coupled with unsanitized user input. Immediate remediation is required to mitigate the risk. This vulnerability is fixed in 0.9.1.

References

Affected packages

Git / github.com/hiyouga/llama-factory

Affected ranges

Type: GIT
Repo: https://github.com/hiyouga/llama-factory
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

b3aa80d54a67da45e9e237e349486fb9c162b2ac