CVE-2025-46567: LLaMA-Factory: RCE via torch.load() unsafe deserialization

GHSA-f2f7-gj54-6vpv · Severity: HIGH · PoC available · CISA SSVC: Track*
Published May 1, 2025
CISO Take

If your team uses LLaMA-Factory for fine-tuning LLMs — especially with Baichuan2 models — upgrade to llamafactory 0.9.3 immediately. A malicious .bin file processed by the conversion script triggers arbitrary code execution via Python pickle deserialization in torch.load(). The real threat vector is model-sharing workflows: poisoned checkpoints distributed via model hubs, internal NAS, or email bypass most perimeter controls.

What is the risk?

Effective risk is higher than CVSS 7.8 suggests in AI/ML environments. The 'User Interaction Required' caveat is misleading — in ML workflows, loading model checkpoints is routine, not suspicious. EPSS (0.00232) reflects low exploitation in the wild today, but the technique is well-known in the ML security community (pickle deserialization). Any organization running LLaMA-Factory < 0.9.3 with externally sourced model weights is exposed. On-premises fine-tuning labs and shared GPU clusters are particularly at risk due to trusted-network assumptions and lack of endpoint controls on ML tooling.

What systems are affected?

Package        Ecosystem   Vulnerable Range   Patched
LLaMA Factory  pip                            No patch
LLaMA Factory  pip         <= 0.9.2           0.9.3

Package stats: 72.3K · 1 dependents · Pushed 6d ago · 75% patched · ~167d to patch

How severe is it?

CVSS 3.1: 7.8 / 10
EPSS: 0.2% chance of exploitation in 30 days (higher than 14% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)

Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV (Attack Vector): Local
AC (Attack Complexity): Low
PR (Privileges Required): None
UI (User Interaction): Required
S (Scope): Unchanged
C (Confidentiality): High
I (Integrity): High
A (Availability): High

What should I do?

5 steps

  1. PATCH
     Upgrade llamafactory (pip) to >= 0.9.3 immediately. Verify: pip show llamafactory | grep Version.

  2. WORKAROUND (if patching is blocked)
     Replace torch.load(path) calls in llamafy_baichuan2.py with torch.load(path, weights_only=True) — this disables pickle execution and restricts loading to tensor data only.

  3. PROCESS CONTROLS
     Enforce a model provenance policy — only load .bin/.pt/.pth files from verified, hash-checked sources. Reject model files from unverified contributors or public repos without security review.

  4. DETECTION
     Scan running instances for llamafactory < 0.9.3 via pip audit or Trivy. Add network monitoring alerts for unexpected outbound connections from ML training nodes.

  5. HARDENING
     Run fine-tuning jobs in isolated containers with no network egress and minimal filesystem access. Use tools like torch's SafeTensors format (.safetensors) as the standard for internal model distribution.
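Steps 1, 3 and 5 above can be turned into a small pre-load gate that runs before any script calls torch.load(). The following is an added example, not code from LLaMA-Factory or from this advisory's authors: it checks an installed version string against the advisory's vulnerable range (<= 0.9.2), verifies a checkpoint's sha256 against a trust manifest, and flags pickle-based formats (.bin/.pt/.pth) so they can be routed to .safetensors conversion. The manifest layout (keyed by file name), the function names and the sample files written to a temporary directory are all constructed for the example.

```python
import hashlib
import os
import re
import tempfile
from typing import Dict, Tuple

# Trust manifest: sha256 digests of checkpoints the team has reviewed, keyed by
# file name. In a real pipeline this would be a signed file from the internal
# model registry; here it is filled in below from constructed sample files.
TRUSTED_DIGESTS: Dict[str, str] = {}

PICKLE_FORMATS = {".bin", ".pt", ".pth"}   # torch.load()/pickle based
SAFE_FORMATS = {".safetensors"}            # tensor data only, no code on load


def sha256_file(path: str) -> str:
    """Stream the file through sha256 so multi-GB checkpoints are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def is_vulnerable_version(version: str) -> bool:
    """True when an installed llamafactory version is in the advisory's vulnerable
    range (<= 0.9.2). Feed it the Version line from `pip show llamafactory`."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unparseable version string: {version!r}")
    return tuple(int(x) for x in m.groups()) < (0, 9, 3)


def check_checkpoint(path: str) -> Tuple[bool, str]:
    """Provenance gate to run before any torch.load() call.

    Policy (an assumption for this example, modelled on steps 3 and 5 above):
      * only known model file extensions are considered at all;
      * every file, whatever its format, must match a digest in the manifest;
      * pickle-based formats are called out in the reason string so the caller
        can load them with weights_only=True or convert them to .safetensors.
    Returns (accepted, reason).
    """
    ext = os.path.splitext(path)[1].lower()
    if ext not in PICKLE_FORMATS | SAFE_FORMATS:
        return False, f"unknown model file extension {ext!r}"
    expected = TRUSTED_DIGESTS.get(os.path.basename(path))
    if expected is None:
        return False, "not in trust manifest: needs security review before use"
    actual = sha256_file(path)
    if actual != expected:
        return False, "sha256 mismatch: file differs from the reviewed version"
    if ext in PICKLE_FORMATS:
        return True, "ok (pickle-based format: load with weights_only=True or convert to .safetensors)"
    return True, "ok"


# ---- constructed sample files (placeholder bytes, not real checkpoints) ----
SAMPLE_DIR = tempfile.mkdtemp(prefix="ckpt-gate-")


def _write(relpath: str, content: bytes) -> str:
    full = os.path.join(SAMPLE_DIR, relpath)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(content)
    return full


REVIEWED_BIN = _write("reviewed/pytorch_model.bin", b"constructed: reviewed checkpoint bytes\n")
TAMPERED_BIN = _write("tampered/pytorch_model.bin", b"constructed: same file name, different bytes\n")
UNLISTED_ST = _write("incoming/model.safetensors", b"constructed: safetensors file not yet reviewed\n")
TRUSTED_DIGESTS["pytorch_model.bin"] = sha256_file(REVIEWED_BIN)

if __name__ == "__main__":
    for v in ("0.9.2", "0.9.3"):
        print(f"llamafactory {v}: {'VULNERABLE' if is_vulnerable_version(v) else 'patched'}")
    for p in (REVIEWED_BIN, TAMPERED_BIN, UNLISTED_ST):
        print(os.path.relpath(p, SAMPLE_DIR), "->", check_checkpoint(p))
```

The gate deliberately hashes the file before consulting its extension's risk level: a .safetensors file that nobody has reviewed is still rejected, because the provenance policy in step 3 applies to every artifact, while the format choice in step 5 only removes the deserialization path.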

What does CISA's SSVC say?

Decision: Track*
Exploitation: poc
Automatable: No
Technical Impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
  • Art. 15 - Accuracy, robustness and cybersecurity
  • Art. 9 - Risk management system
ISO 42001
  • A.10.1 - Information security for AI systems
  • A.6.2.6 - AI supply chain management
NIST AI RMF
  • GV-6.1 - AI supply chain risk management
  • MS-2.5 - Practices for monitoring AI risks
OWASP LLM Top 10
  • LLM03:2025 - Supply Chain

Frequently Asked Questions


Is CVE-2025-46567 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2025-46567, increasing the risk of exploitation.



What is the CVSS score for CVE-2025-46567?

CVE-2025-46567 has a CVSS v3.1 base score of 7.8 (HIGH). The EPSS exploitation probability is 0.23%.

What is the AI security impact?

Affected AI Architectures

  • LLM fine-tuning pipelines
  • Model conversion and preprocessing workflows
  • Shared GPU training clusters
  • CI/CD-driven ML training automation
  • On-premises model registries

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0011 User Execution
AML.T0011.000 Unsafe AI Artifacts
AML.T0018.002 Embed Malware
AML.T0058 Publish Poisoned Models

Compliance Controls Affected

EU AI Act: Art. 15, Art. 9
ISO 42001: A.10.1, A.6.2.6
NIST AI RMF: GV-6.1, MS-2.5
OWASP LLM Top 10: LLM03:2025

What are the technical details?

Original Advisory

LLaMA Factory enables fine-tuning of large language models. Prior to version 1.0.0, a critical vulnerability exists in the `llamafy_baichuan2.py` script of the LLaMA-Factory project. The script performs insecure deserialization using `torch.load()` on user-supplied `.bin` files from an input directory. An attacker can exploit this behavior by crafting a malicious `.bin` file that executes arbitrary commands during deserialization. This issue has been patched in version 1.0.0.
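Both the patch and the weights_only=True workaround rest on the same mechanism: pickle can only run code by resolving a global name (the GLOBAL/STACK_GLOBAL opcodes) and then calling it (REDUCE), and every such resolution passes through the unpickler's find_class() hook. torch's weights-only mode swaps in an unpickler that resolves only an allowlist of tensor-related globals. The stdlib-only example below is added here to illustrate that mechanism; it is not code from torch or LLaMA-Factory, its SAFE_GLOBALS allowlist is far shorter than torch's real one, and the two sample pickle streams are constructed (a state-dict-shaped OrderedDict, and a stream that merely references a harmless stdlib class outside the allowlist).

```python
import collections
import fractions
import io
import pickle

# Globals a weights-only loader may resolve. torch's real weights_only allowlist
# is longer (tensor rebuild helpers, dtypes, storage types); this one-entry set
# is an assumption chosen for a standard-library-only illustration.
SAFE_GLOBALS = {
    ("collections", "OrderedDict"),
}


class WeightsOnlyUnpickler(pickle.Unpickler):
    """Unpickler that refuses to resolve any global outside SAFE_GLOBALS.

    Plain nested data (dicts, lists, numbers, strings) never needs find_class(),
    so it still loads; anything that would import and call a function does,
    and is rejected before the call can happen.
    """

    def find_class(self, module: str, name: str):
        if (module, name) not in SAFE_GLOBALS:
            raise pickle.UnpicklingError(
                f"refusing to resolve {module}.{name}: not in weights-only allowlist")
        return super().find_class(module, name)


def load_weights_only(data: bytes):
    """Stand-in for torch.load(..., weights_only=True) on a raw pickle stream."""
    return WeightsOnlyUnpickler(io.BytesIO(data)).load()


def is_loadable_weights_only(data: bytes) -> bool:
    """True if the stream loads under the restricted unpickler, False if it was rejected."""
    try:
        load_weights_only(data)
        return True
    except pickle.UnpicklingError:
        return False


# ---- constructed sample streams (not real checkpoints) ----
# A state-dict-shaped object: OrderedDict of parameter name -> nested float lists.
GOOD_STATE_DICT = pickle.dumps(collections.OrderedDict([
    ("layer.weight", [[0.1, 0.2], [0.3, 0.4]]),
    ("layer.bias", [0.0, 0.0]),
]))
# A stream whose pickle references a global outside the allowlist. Fraction is
# harmless, but a loader that resolves it would just as readily resolve any other
# importable callable, which is the code-execution path the advisory describes.
FOREIGN_GLOBAL = pickle.dumps(fractions.Fraction(1, 2))

if __name__ == "__main__":
    print("state dict loads under weights-only:", is_loadable_weights_only(GOOD_STATE_DICT))
    print("foreign global loads under weights-only:", is_loadable_weights_only(FOREIGN_GLOBAL))
    print("unrestricted pickle.loads resolves it anyway:", pickle.loads(FOREIGN_GLOBAL))
```

The last print line is the whole point of the CVE: an unrestricted torch.load(), like an unrestricted pickle.loads(), resolves whatever module path the file names. The restricted loader turns that into an UnpicklingError, which is also the behaviour to expect from torch.load(path, weights_only=True) when it meets a checkpoint that is not pure tensor data.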

Exploitation Scenario

An adversary targeting an ML engineering team crafts a malicious Baichuan2-formatted .bin file containing a pickle payload that establishes a reverse shell or exfiltrates environment variables (including API keys and cloud credentials). They upload this file to a public Hugging Face repository under a convincing model name (e.g., 'Baichuan2-7B-optimized') or inject it into an internal model registry via a compromised contributor account. When an ML engineer runs the standard LLaMA-Factory Baichuan2 conversion pipeline — a routine step before fine-tuning — torch.load() deserializes the payload and executes attacker-controlled code with the engineer's privileges. On a shared GPU cluster, this can pivot to other users' training jobs, steal in-progress model weights, or plant backdoors in fine-tuned model outputs.

Weaknesses (CWE)

CWE-502 — Deserialization of Untrusted Data: The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

  • [Architecture and Design, Implementation] If available, use the signing/sealing features of the programming language to assure that deserialized data has not been tainted. For example, a hash-based message authentication code (HMAC) could be used to ensure that data has not been modified.
  • [Implementation] When deserializing data, populate a new object rather than just deserializing. The result is that the data flows through safe input validation and that the functions are safe.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Timeline

Published: May 1, 2025
Last Modified: June 28, 2025
First Seen: May 1, 2025
