Description
LLaMA-Factory through 0.9.5 contains a remote code execution vulnerability that allows attackers with WebUI access to execute arbitrary Python code by supplying a malicious model path in the Chat or Training interfaces. The application passes user-supplied model path input unvalidated into AutoTokenizer.from_pretrained() and AutoModel.from_pretrained() with a hardcoded trust_remote_code=True parameter, causing the Hugging Face transformers library to fetch and execute arbitrary code from a remote or local model repository with the privileges of the server process.
Problem types
Inclusion of Functionality from Untrusted Control Sphere
Improper Control of Generation of Code ('Code Injection')
Product status
Any version
Credits
h3nrrrych4u
References
gist.github.com/henrrrychau/08d76ec672f42136bbc1449c4f2973f8 (Researcher Disclosure)
www.vulncheck.com/...ote-code-execution-via-webui-model-path