CVE-2025-53002: LLaMA-Factory: RCE via unsafe checkpoint deserialization

Advisory: GHSA-xj56-p8mm-qmxj | Severity: CRITICAL | PoC available | CISA SSVC: Track*
Published June 26, 2025
CISO Take

Any organization fine-tuning LLMs with LLaMA-Factory v0.9.3 or earlier is exposed to unauthenticated remote code execution on training infrastructure — no credentials or user interaction required. Upgrade to v0.9.4 immediately and restrict WebUI access to trusted networks only. Training hosts are high-value targets: compromise means full access to proprietary datasets, model weights, and adjacent infrastructure.

Risk Assessment

Exceptionally high risk. CVSS 9.8 with a network-accessible attack vector, no authentication, and no user interaction makes this trivially weaponizable. The attack surface is ML training infrastructure: environments that typically hold sensitive data, GPU clusters, and cloud credentials. The EPSS of 1.6% is low but misleading, because the exploitation technique (pickle deserialization via a crafted checkpoint path entered in the WebUI) requires no specialized knowledge and a working PoC exists publicly. Organizations running internal training platforms without network segmentation face imminent risk.

Affected Systems

| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| llama-factory | pip | | No patch |
| llamafactory | pip | <= 0.9.3 | No patch |

Severity & Risk

CVSS 3.1: 9.8 / 10
EPSS: 4.2% chance of exploitation in 30 days (higher than 89% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

| Metric | Value |
|---|---|
| Attack Vector (AV) | Network |
| Attack Complexity (AC) | Low |
| Privileges Required (PR) | None |
| User Interaction (UI) | None |
| Scope (S) | Unchanged |
| Confidentiality (C) | High |
| Integrity (I) | High |
| Availability (A) | High |

Recommended Action

1. Patch immediately: Upgrade LLaMA-Factory to v0.9.4 (adds `weights_only=True` to `torch.load()` calls).
2. Network isolation: Restrict the WebUI (default port 7860) to localhost or VPN-only; never expose it to the internet or untrusted networks.
3. Checkpoint validation: Audit all external checkpoint sources; only load weights from trusted, verified repositories.
4. Detection: Monitor training hosts for unexpected outbound connections (reverse shell indicators), unusual process spawning from Python processes, and access to the WebUI from unexpected IPs.
5. Secrets audit: Rotate any cloud credentials, API keys, or tokens stored on affected training hosts as a precaution.
6. Container isolation: Run training workloads in isolated containers with no host-network access to limit blast radius.

CISA SSVC Assessment

Decision: Track*
Exploitation: poc
Automatable: No
Technical Impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Article 15 (Accuracy, robustness and cybersecurity); Article 9 (Risk management system)
ISO 42001: A.6.1.3 (AI risk treatment); A.8.2 (AI system technical security)
NIST AI RMF: GOVERN 6.1 (Policies and procedures for AI risk management are established); MEASURE 2.5 (AI system vulnerabilities and impacts are identified)
OWASP LLM Top 10: LLM03 (Supply Chain); LLM04 (Data and Model Poisoning)

Frequently Asked Questions

What is CVE-2025-53002?

CVE-2025-53002 is an unauthenticated remote code execution vulnerability in LLaMA-Factory versions 0.9.3 and earlier. During training, the `vhead_file` checkpoint named by the WebUI `Checkpoint path` parameter is loaded with `torch.load()` without `weights_only=True`, so a crafted checkpoint carrying a pickle payload executes arbitrary code on the training host with no credentials or user interaction. Version 0.9.4 fixes the issue; until then, restrict WebUI access to trusted networks. Training hosts are high-value targets: compromise means full access to proprietary datasets, model weights, and adjacent infrastructure.

Is CVE-2025-53002 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2025-53002, increasing the risk of exploitation.

How to fix CVE-2025-53002?

1. **Patch immediately**: Upgrade LLaMA-Factory to v0.9.4 (adds `weights_only=True` to `torch.load()` calls).
2. **Network isolation**: Restrict the WebUI (default port 7860) to localhost or VPN-only; never expose it to the internet or untrusted networks.
3. **Checkpoint validation**: Audit all external checkpoint sources; only load weights from trusted, verified repositories.
4. **Detection**: Monitor training hosts for unexpected outbound connections (reverse shell indicators), unusual process spawning from Python processes, and access to the WebUI from unexpected IPs.
5. **Secrets audit**: Rotate any cloud credentials, API keys, or tokens stored on affected training hosts as a precaution.
6. **Container isolation**: Run training workloads in isolated containers with no host-network access to limit blast radius.

What systems are affected by CVE-2025-53002?

This vulnerability affects the following AI/ML architecture patterns: LLM fine-tuning pipelines, training infrastructure, model fine-tuning, WebUI-based training orchestration, RLHF training workflows.

What is the CVSS score for CVE-2025-53002?

CVE-2025-53002 has a CVSS v3.1 base score of 9.8 (CRITICAL). The EPSS exploitation probability is 4.22%.

Technical Details

NVD Description

LLaMA-Factory is a tuning library for large language models. A remote code execution vulnerability was discovered in LLaMA-Factory versions up to and including 0.9.3 during the LLaMA-Factory training process. This vulnerability arises because the `vhead_file` is loaded without proper safeguards, allowing malicious attackers to execute arbitrary malicious code on the host system simply by passing a malicious `Checkpoint path` parameter through the `WebUI` interface. The attack is stealthy, as the victim remains unaware of the exploitation. The root cause is that the `vhead_file` argument is loaded without the secure parameter `weights_only=True`. Version 0.9.4 contains a fix for the issue.
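The root cause above is a `torch.load()` with no restriction on what the pickle stream may import. The following added example (not LLaMA-Factory's or PyTorch's own code) reproduces the gate that `weights_only=True` enforces, an allowlist of pickle GLOBALs, using only the standard library, so a `vhead_file` or any other checkpoint can be vetted before it is deserialized at all. The allowlist entries and the zip layout mirror ordinary PyTorch state_dict checkpoints; `make_zip_checkpoint` and the two sample blobs are constructed for the demonstration, and the scanner assumes module and name strings sit directly before a `STACK_GLOBAL` (memo lookups are not resolved).

```python
# Added example, not LLaMA-Factory's own code: reproduce the gate that
# torch.load(weights_only=True) applies (refuse pickle GLOBALs outside an
# allowlist) with the standard library only, so a checkpoint is vetted
# before any deserialization runs. torch itself is never imported.
import collections, fractions, io, pickle, pickletools, zipfile

# Globals an ordinary state_dict checkpoint needs (constructed allowlist;
# torch's real weights_only allowlist is longer).
ALLOWED_GLOBALS = {
    "collections.OrderedDict", "torch._utils._rebuild_tensor_v2",
    "torch._utils._rebuild_parameter", "torch.FloatStorage",
    "torch.HalfStorage", "torch.BFloat16Storage", "torch.LongStorage",
}
STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE",
              "STRING", "SHORT_BINSTRING", "BINSTRING"}

def pickle_globals(data: bytes) -> set[str]:
    """Every 'module.name' the stream would import, found without executing it."""
    found, strings = set(), []
    for op, arg, _ in pickletools.genops(data):
        if op.name in ("GLOBAL", "INST"):   # protocols 0-3: arg is "module name"
            found.add(".".join(arg.split(" ", 1)))
        elif op.name == "STACK_GLOBAL":     # protocol 4+: module, name pushed just before
            found.add(f"{strings[-2]}.{strings[-1]}")
        elif op.name in STRING_OPS:
            strings.append(arg)
    return found

def checkpoint_pickle(blob: bytes) -> bytes:
    """data.pkl from the zip layout torch.save writes, else a legacy raw pickle."""
    if not zipfile.is_zipfile(io.BytesIO(blob)):
        return blob
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return zf.read(next(n for n in zf.namelist() if n.endswith("data.pkl")))

def disallowed_globals(blob: bytes) -> set[str]:
    """Imports the checkpoint would trigger that the allowlist refuses."""
    return pickle_globals(checkpoint_pickle(blob)) - ALLOWED_GLOBALS

def make_zip_checkpoint(obj, protocol=2) -> bytes:
    """Constructed sample in torch.save's zip layout (torch pickles with protocol 2)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("ckpt/data.pkl", pickle.dumps(obj, protocol=protocol))
    return buf.getvalue()

# Benign state_dict stand-in (floats instead of tensors) versus a checkpoint
# whose pickle rebuilds an object through an import the allowlist lacks.
GOOD = make_zip_checkpoint(collections.OrderedDict(v_head=[0.1, 0.2]))
BAD = make_zip_checkpoint({"v_head": fractions.Fraction(1, 3)}, protocol=4)
```

`disallowed_globals(GOOD)` is empty while `disallowed_globals(BAD)` reports `fractions.Fraction`; a loader that refuses any non-empty result, or simply passes `weights_only=True`, never gives the stream a chance to run its REDUCE calls.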

Exploitation Scenario

Attacker identifies an organization using LLaMA-Factory via GitHub stars, job postings, or LinkedIn tech stack disclosures. They craft a malicious PyTorch checkpoint file containing a pickle payload that spawns a reverse shell to attacker-controlled infrastructure. The attacker then accesses the LLaMA-Factory WebUI — either because it is internet-exposed, via a compromised developer workstation on the same network, or through social engineering (e.g., emailing a 'checkpoint' URL to an ML engineer). Entering the malicious path in the 'Checkpoint path' field triggers `torch.load()` without `weights_only=True`, deserializing and executing the payload. The attacker obtains a shell on a GPU training server with full access to training data, model weights in progress, cloud credentials in environment variables, and Hugging Face tokens — enabling model poisoning, data theft, or pivot to cloud infrastructure.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

Published
June 26, 2025
Last Modified
September 2, 2025
First Seen
June 26, 2025
