CVE-2025-46567: LLaMA-Factory: RCE via torch.load() unsafe deserialization

GHSA-f2f7-gj54-6vpv HIGH PoC AVAILABLE CISA: TRACK*
Published May 1, 2025
CISO Take

If your team uses LLaMA-Factory for fine-tuning LLMs — especially with Baichuan2 models — upgrade to llamafactory 0.9.3 immediately. A malicious .bin file processed by the conversion script triggers arbitrary code execution via Python pickle deserialization in torch.load(). The real threat vector is model-sharing workflows: poisoned checkpoints distributed via model hubs, internal NAS, or email bypass most perimeter controls.

Risk Assessment

Effective risk is higher than CVSS 7.8 suggests in AI/ML environments. The 'User Interaction Required' caveat is misleading — in ML workflows, loading model checkpoints is routine, not suspicious. EPSS (0.00232) reflects low exploitation in the wild today, but the technique is well-known in the ML security community (pickle deserialization). Any organization running LLaMA-Factory < 0.9.3 with externally sourced model weights is exposed. On-premises fine-tuning labs and shared GPU clusters are particularly at risk due to trusted-network assumptions and lack of endpoint controls on ML tooling.

Affected Systems

Package         Ecosystem   Vulnerable Range   Patched
llama-factory   pip                            No patch
llamafactory    pip         <= 0.9.2           0.9.3

Severity & Risk

CVSS 3.1
7.8 / 10
EPSS
0.2%
chance of exploitation in 30 days
Higher than 46% of all CVEs
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV (Attack Vector): Local
AC (Attack Complexity): Low
PR (Privileges Required): None
UI (User Interaction): Required
S (Scope): Unchanged
C (Confidentiality): High
I (Integrity): High
A (Availability): High

Recommended Action

5 steps
  1. PATCH: Upgrade llamafactory (pip) to >= 0.9.3 immediately. Verify: pip show llamafactory | grep Version.
  2. WORKAROUND (if patching is blocked): Replace torch.load(path) calls in llamafy_baichuan2.py with torch.load(path, weights_only=True) — this disables arbitrary pickle execution by restricting the unpickler to tensors and a small allowlist of plain types.
  3. PROCESS CONTROLS: Enforce a model provenance policy — only load .bin/.pt/.pth files from verified, hash-checked sources. Reject model files from unverified contributors or public repos without security review.
  4. DETECTION: Scan running instances for llamafactory < 0.9.3 via pip-audit or Trivy. Add network monitoring alerts for unexpected outbound connections from ML training nodes.
  5. HARDENING: Run fine-tuning jobs in isolated containers with no network egress and minimal filesystem access. Adopt the SafeTensors format (.safetensors) as the standard for internal model distribution.
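As an added example (not from this advisory or the LLaMA-Factory project), the process-control and detection steps above can be backed by a pre-load gate: a scanner that walks a checkpoint's pickle opcodes without executing them and reports any global outside the allowlist that torch.load(weights_only=True) enforces, for both torch container formats (zip with data.pkl, and the legacy flat pickle stream). The allowlist contents, the zip layout, and the two sample checkpoints are assumptions constructed for the example; torch is not required to run it.

```python
import collections
import io
import pickle
import pickletools
import zipfile

# Globals a legitimate PyTorch state-dict pickle needs: a small subset of the
# allowlist torch.load(weights_only=True) enforces. Anything else is flagged.
ALLOWED_GLOBALS = {("collections", "OrderedDict"), ("torch._utils", "_rebuild_tensor_v2"),
                   ("torch", "FloatStorage"), ("torch", "HalfStorage"), ("torch", "BFloat16Storage")}

def globals_in_stream(data: bytes) -> list[tuple[str, str]]:
    """Statically walk one or more back-to-back pickles (never executing them) and
    collect every (module, name) a GLOBAL/INST would import; STACK_GLOBAL is flagged."""
    found, offset = [], 0
    while offset < len(data):
        try:
            for op, arg, pos in pickletools.genops(data[offset:]):
                if op.name in ("GLOBAL", "INST"):
                    found.append(tuple(arg.split(" ", 1)))
                elif op.name == "STACK_GLOBAL":  # protocol 4; torch.save writes protocol 2
                    found.append(("<stack>", "<unresolved>"))
                elif op.name == "STOP":
                    offset += pos + 1
                    break
        except ValueError:
            break  # non-pickle bytes follow (raw storage data in legacy files)
    return found

def suspicious_globals(checkpoint: bytes) -> list[tuple[str, str]]:
    """Scan a checkpoint in either torch container format: the zip archive holding
    */data.pkl (PyTorch >= 1.6) or the legacy flat stream of pickles."""
    if zipfile.is_zipfile(io.BytesIO(checkpoint)):
        with zipfile.ZipFile(io.BytesIO(checkpoint)) as zf:
            pickles = [zf.read(n) for n in zf.namelist() if n.endswith(".pkl")]
    else:
        pickles = [checkpoint]
    return [g for p in pickles for g in globals_in_stream(p) if g not in ALLOWED_GLOBALS]

def build_zip_checkpoint(payload: bytes) -> bytes:
    """Wrap a pickle the way torch.save lays out a zip checkpoint (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("model/data.pkl", payload)
    return buf.getvalue()

# Constructed samples, not real model files. SUSPICIOUS references a harmless class
# outside the allowlist, the same shape any code-executing pickle payload must take.
CLEAN = build_zip_checkpoint(pickle.dumps(collections.OrderedDict(w=[0.5, 0.25]), protocol=2))
SUSPICIOUS = build_zip_checkpoint(pickle.dumps(collections.Counter(a=1), protocol=2))
```

A non-empty result means the file should be quarantined for review rather than passed to the conversion script; the scan itself never unpickles anything.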

CISA SSVC Assessment

Decision Track*
Exploitation poc
Automatable No
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
Art. 15 - Accuracy, robustness and cybersecurity
Art. 9 - Risk management system
ISO 42001
A.10.1 - Information security for AI systems
A.6.2.6 - AI supply chain management
NIST AI RMF
GV-6.1 - AI supply chain risk management
MS-2.5 - Practices for monitoring AI risks
OWASP LLM Top 10
LLM03:2025 - Supply Chain

Frequently Asked Questions

Is CVE-2025-46567 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2025-46567, increasing the risk of exploitation.

What systems are affected by CVE-2025-46567?

This vulnerability affects the following AI/ML architecture patterns: LLM fine-tuning pipelines, model conversion and preprocessing workflows, shared GPU training clusters, CI/CD-driven ML training automation, and on-premises model registries.

What is the CVSS score for CVE-2025-46567?

CVE-2025-46567 has a CVSS v3.1 base score of 7.8 (HIGH). The EPSS exploitation probability is 0.23%.

Technical Details

NVD Description

LLama Factory enables fine-tuning of large language models. Prior to version 1.0.0, a critical vulnerability exists in the `llamafy_baichuan2.py` script of the LLaMA-Factory project. The script performs insecure deserialization using `torch.load()` on user-supplied `.bin` files from an input directory. An attacker can exploit this behavior by crafting a malicious `.bin` file that executes arbitrary commands during deserialization. This issue has been patched in version 1.0.0.

Exploitation Scenario

An adversary targeting an ML engineering team crafts a malicious Baichuan2-formatted .bin file containing a pickle payload that establishes a reverse shell or exfiltrates environment variables (including API keys and cloud credentials). They upload this file to a public Hugging Face repository under a convincing model name (e.g., 'Baichuan2-7B-optimized') or inject it into an internal model registry via a compromised contributor account. When an ML engineer runs the standard LLaMA-Factory Baichuan2 conversion pipeline — a routine step before fine-tuning — torch.load() deserializes the payload and executes attacker-controlled code with the engineer's privileges. On a shared GPU cluster, this can pivot to other users' training jobs, steal in-progress model weights, or plant backdoors in fine-tuned model outputs.

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Timeline

Published
May 1, 2025
Last Modified
June 28, 2025
First Seen
May 1, 2025
