CVE-2025-53002: LLaMA-Factory: RCE via unsafe checkpoint deserialization
GHSA-xj56-p8mm-qmxj | CRITICAL | PoC AVAILABLE | CISA SSVC: TRACK
Any organization fine-tuning LLMs with LLaMA-Factory v0.9.3 or earlier is exposed to unauthenticated remote code execution on training infrastructure — no credentials or user interaction required. Upgrade to v0.9.4 immediately and restrict WebUI access to trusted networks only. Training hosts are high-value targets: compromise means full access to proprietary datasets, model weights, and adjacent infrastructure.
What is the risk?
Exceptionally high risk. CVSS 9.8 with a network-accessible attack vector, zero authentication, and zero user interaction makes this trivially weaponizable. The attack surface is ML training infrastructure: environments that typically hold sensitive data, GPU clusters, and cloud credentials. The EPSS of 1.6% is low but misleading, given that the exploitation technique (pickle deserialization via a crafted checkpoint path in a WebUI) requires no specialized knowledge and a working PoC exists publicly. Organizations running internal training platforms without network segmentation face imminent risk.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| LLaMA Factory | pip | — | No patch |
| LLaMA Factory | pip | <= 0.9.3 | No patch |
What should I do?
6 steps
1. **Patch immediately**: Upgrade LLaMA-Factory to v0.9.4 (adds `weights_only=True` to `torch.load()` calls).
2. **Network isolation**: Restrict WebUI (default port 7860) to localhost or VPN-only — never expose to the internet or untrusted networks.
3. **Checkpoint validation**: Audit all external checkpoint sources; only load weights from trusted, verified repositories.
4. **Detection**: Monitor training hosts for unexpected outbound connections (reverse shell indicators), unusual process spawning from Python processes, and access to the WebUI from unexpected IPs.
5. **Secrets audit**: Rotate any cloud credentials, API keys, or tokens stored on affected training hosts as a precaution.
6. **Container isolation**: Run training workloads in isolated containers with no host-network access to limit blast radius.
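The detection step above, as an added example that is not part of the advisory or of LLaMA-Factory: a small Python rule set that runs over process-start and outbound-connection telemetry and reports the two indicators named there, a shell or network tool spawned by a Python training process, and an outbound connection from a Python process lineage to a destination outside an allow-list. The event schema, the sample events, the allow-listed networks, and the command lines are all constructed for this example; map the field names onto whatever your EDR or auditd pipeline emits.

```python
import ipaddress
import os

# Child executables a Python WebUI or training process has no business
# launching. A shell or network tool appearing here is the typical follow-on of
# a deserialization payload. Tune to your own baseline (some training scripts
# legitimately shell out).
SHELL_OR_NET_TOOLS = {"sh", "bash", "dash", "zsh", "nc", "ncat", "socat", "curl", "wget"}

# Destinations a training host is expected to reach. Constructed example: one
# internal range plus one artifact-store address. Anything else reached from a
# Python process lineage is reported.
ALLOWED_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.0.2.10/32")]

# Constructed telemetry in a simplified, hypothetical schema (not any product's
# real format): process starts and outbound connections on one GPU node.
# 203.0.113.7 is a documentation address standing in for an external host.
SAMPLE_EVENTS = [
    {"type": "proc", "pid": 4001, "ppid": 1, "exe": "/usr/bin/python3",
     "cmdline": "llamafactory-cli webui"},
    {"type": "proc", "pid": 4120, "ppid": 4001, "exe": "/usr/bin/python3",
     "cmdline": "llamafactory-cli train train.yaml"},
    {"type": "proc", "pid": 4188, "ppid": 4120, "exe": "/usr/bin/nvidia-smi",
     "cmdline": "nvidia-smi --query-gpu=memory.used --format=csv"},
    {"type": "net", "pid": 4120, "dst": "192.0.2.10", "dport": 443},
    {"type": "proc", "pid": 4190, "ppid": 4120, "exe": "/bin/sh", "cmdline": "sh"},
    {"type": "net", "pid": 4190, "dst": "203.0.113.7", "dport": 4444},
]


def _lineage(pid, parent, limit=64):
    """Yield pid and its ancestors, stopping at the root, on a cycle, or at limit."""
    seen = set()
    while pid in parent and pid not in seen and len(seen) < limit:
        seen.add(pid)
        yield pid
        pid = parent[pid]


def detect(events):
    """Return a list of findings ({rule, pid, detail}) for the given event stream."""
    exe, parent, findings = {}, {}, []
    for ev in events:
        if ev["type"] == "proc":
            exe[ev["pid"]] = os.path.basename(ev["exe"])
            parent[ev["pid"]] = ev["ppid"]
            parent_exe = exe.get(ev["ppid"], "")
            # Rule 1: a Python process directly spawning a shell or network tool.
            if parent_exe.startswith("python") and exe[ev["pid"]] in SHELL_OR_NET_TOOLS:
                findings.append({
                    "rule": "shell_from_python",
                    "pid": ev["pid"],
                    "detail": f"{parent_exe} (pid {ev['ppid']}) spawned {ev['cmdline']!r}",
                })
        elif ev["type"] == "net":
            dst = ipaddress.ip_address(ev["dst"])
            if any(dst in net for net in ALLOWED_NETS):
                continue
            # Rule 2: an unexpected destination reached from anywhere under a
            # Python process (covers the shell the payload spawned, too).
            chain = [exe.get(p, "?") for p in _lineage(ev["pid"], parent)]
            if any(name.startswith("python") for name in chain):
                findings.append({
                    "rule": "unexpected_outbound",
                    "pid": ev["pid"],
                    "detail": f"{' <- '.join(chain)} connected to {ev['dst']}:{ev['dport']}",
                })
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(f"[{finding['rule']}] pid {finding['pid']}: {finding['detail']}")
```

Both rules fire on the last two sample events and stay quiet on the first four (the WebUI launching a trainer, the trainer calling nvidia-smi, and a connection to the allow-listed artifact store), which is the behaviour you want to confirm against your own baseline before alerting on it.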
What does CISA's SSVC say?
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
Frequently Asked Questions
What is CVE-2025-53002?
Any organization fine-tuning LLMs with LLaMA-Factory v0.9.3 or earlier is exposed to unauthenticated remote code execution on training infrastructure — no credentials or user interaction required. Upgrade to v0.9.4 immediately and restrict WebUI access to trusted networks only. Training hosts are high-value targets: compromise means full access to proprietary datasets, model weights, and adjacent infrastructure.
Is CVE-2025-53002 actively exploited?
Proof-of-concept exploit code is publicly available for CVE-2025-53002, increasing the risk of exploitation.
How to fix CVE-2025-53002?
1. **Patch immediately**: Upgrade LLaMA-Factory to v0.9.4 (adds `weights_only=True` to `torch.load()` calls).
2. **Network isolation**: Restrict WebUI (default port 7860) to localhost or VPN-only — never expose to the internet or untrusted networks.
3. **Checkpoint validation**: Audit all external checkpoint sources; only load weights from trusted, verified repositories.
4. **Detection**: Monitor training hosts for unexpected outbound connections (reverse shell indicators), unusual process spawning from Python processes, and access to the WebUI from unexpected IPs.
5. **Secrets audit**: Rotate any cloud credentials, API keys, or tokens stored on affected training hosts as a precaution.
6. **Container isolation**: Run training workloads in isolated containers with no host-network access to limit blast radius.
What systems are affected by CVE-2025-53002?
This vulnerability affects the following AI/ML architecture patterns: LLM fine-tuning pipelines, training infrastructure, model fine-tuning, WebUI-based training orchestration, RLHF training workflows.
What is the CVSS score for CVE-2025-53002?
CVE-2025-53002 has a CVSS v3.1 base score of 9.8 (CRITICAL). The EPSS exploitation probability is 1.03%.
What is the AI security impact?
MITRE ATLAS Techniques
- AML.T0010.001 AI Software
- AML.T0011.000 Unsafe AI Artifacts
- AML.T0018.002 Embed Malware
- AML.T0035 AI Artifact Collection
- AML.T0049 Exploit Public-Facing Application
- AML.T0072 Reverse Shell
What are the technical details?
Original Advisory
LLaMA-Factory is a tuning library for large language models. A remote code execution vulnerability was discovered in LLaMA-Factory versions up to and including 0.9.3 during the LLaMA-Factory training process. This vulnerability arises because the `vhead_file` is loaded without proper safeguards, allowing malicious attackers to execute arbitrary malicious code on the host system simply by passing a malicious `Checkpoint path` parameter through the `WebUI` interface. The attack is stealthy, as the victim remains unaware of the exploitation. The root cause is that the `vhead_file` argument is loaded without the secure parameter `weights_only=True`. Version 0.9.4 contains a fix for the issue.
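The root cause described above is an unrestricted pickle load. The following added example (not LLaMA-Factory's or PyTorch's code) reproduces in plain Python what `weights_only=True` changes: a restricted unpickler whose `find_class` only resolves an allow-listed set of globals, plus a pre-load scanner built on `pickletools` that lists every global a checkpoint stream would import without executing it, which is the kind of check the checkpoint-validation step calls for. The allow-list, the two sample checkpoints (tensors stood in by plain lists), and the function names are constructed for this example; torch's real allow-list covers its tensor rebuild helpers and is larger.

```python
import collections
import io
import os
import pickle
import pickletools

# Globals a weights-only loader may resolve. Constructed for this example: the
# real torch.load(weights_only=True) allow-lists the container types and tensor
# rebuild helpers it needs, and nothing that executes caller-supplied code.
SAFE_GLOBALS = {
    ("collections", "OrderedDict"),
}

# Constructed checkpoints. The first is the shape of a value-head state dict
# with tensors stood in by lists; the second is a stream that asks the
# unpickler to import a function from `os`, which no weight file ever needs.
BENIGN_CHECKPOINT = pickle.dumps(
    collections.OrderedDict([("v_head.weight", [[0.1, 0.2]]), ("v_head.bias", [0.0])]),
    protocol=4,
)
SUSPICIOUS_CHECKPOINT = pickle.dumps(os.getenv, protocol=4)

_STRING_OPS = ("SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE")


def referenced_globals(data: bytes) -> list[tuple[str, str]]:
    """List every (module, name) the pickle stream would import, in order.

    Walks opcodes with pickletools instead of executing the stream, so it is
    safe to run on untrusted bytes. Handles the protocol-2 GLOBAL opcode
    (argument "module name") and protocol-4 STACK_GLOBAL, whose module and name
    are the two most recent string pushes.
    """
    found: list[tuple[str, str]] = []
    recent_strings: list[str] = []
    for op, arg, _pos in pickletools.genops(data):
        if op.name in _STRING_OPS:
            recent_strings.append(arg)
        elif op.name == "GLOBAL":
            module, name = arg.split(" ", 1)
            found.append((module, name))
        elif op.name == "STACK_GLOBAL":
            found.append((recent_strings[-2], recent_strings[-1]))
    return found


def scan_checkpoint(data: bytes) -> list[tuple[str, str]]:
    """Return the globals a checkpoint imports that are not on the allow-list."""
    return [g for g in referenced_globals(data) if g not in SAFE_GLOBALS]


class WeightsOnlyUnpickler(pickle.Unpickler):
    """Unpickler that refuses any global outside SAFE_GLOBALS.

    Every import a pickle stream performs goes through find_class, so pinning
    it to a fixed allow-list removes the code-execution path entirely. This is
    the mechanism behind torch.load(weights_only=True).
    """

    def find_class(self, module: str, name: str):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(
            f"refusing to import {module}.{name}: not in the weights-only allow-list"
        )


def load_checkpoint(data: bytes, weights_only: bool = True):
    """Mirror of the torch.load() choice the advisory is about.

    weights_only=False is the vulnerable pre-0.9.4 behaviour: the stream may
    name and call any importable object. weights_only=True is the fix.
    """
    if not weights_only:
        return pickle.loads(data)  # unrestricted: resolves whatever the stream names
    return WeightsOnlyUnpickler(io.BytesIO(data)).load()


def restricted_load_accepts(data: bytes) -> bool:
    """True if the weights-only loader accepts the stream, False if it rejects it."""
    try:
        load_checkpoint(data, weights_only=True)
        return True
    except pickle.UnpicklingError:
        return False


if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_CHECKPOINT), ("suspicious", SUSPICIOUS_CHECKPOINT)):
        print(label, "imports:", referenced_globals(blob), "flagged:", scan_checkpoint(blob))
```

The scanner is a pre-flight check, not a replacement for the restricted loader: it reports what a stream asks to import, and the loader is what actually refuses it. A torch checkpoint saved in the default zip format keeps its pickle stream as the `data.pkl` entry of the archive, so that is the member to feed to `scan_checkpoint`; a legacy-format file is a raw pickle stream and can be passed directly.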
Exploitation Scenario
Attacker identifies an organization using LLaMA-Factory via GitHub stars, job postings, or LinkedIn tech stack disclosures. They craft a malicious PyTorch checkpoint file containing a pickle payload that spawns a reverse shell to attacker-controlled infrastructure. The attacker then accesses the LLaMA-Factory WebUI — either because it is internet-exposed, via a compromised developer workstation on the same network, or through social engineering (e.g., emailing a 'checkpoint' URL to an ML engineer). Entering the malicious path in the 'Checkpoint path' field triggers `torch.load()` without `weights_only=True`, deserializing and executing the payload. The attacker obtains a shell on a GPU training server with full access to training data, model weights in progress, cloud credentials in environment variables, and Hugging Face tokens — enabling model poisoning, data theft, or pivot to cloud infrastructure.
Weaknesses (CWE)
- CWE-94 Improper Control of Generation of Code ('Code Injection') (Primary)
- CWE-502 Deserialization of Untrusted Data
CWE-94 — Improper Control of Generation of Code ('Code Injection'): The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
- [Architecture and Design] Refactor your program so that you do not have to dynamically generate code.
- [Architecture and Design] Run your code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which code can be executed by your product. Examples include the Unix chroot jail and AppArmor. In general, managed code may provide some protection. This may not be a feasible solution, and it only limits the impact to the operating system; the rest of your application may still be subject to compromise. Be careful to avoid CWE-243 and other weaknesses related to jails.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References
- github.com/advisories/GHSA-xj56-p8mm-qmxj
- nvd.nist.gov/vuln/detail/CVE-2025-53002
- drive.google.com/file/d/1AddKm2mllsXfuvL4Tvbn_WJdjEOYXx4y/view Exploit
- github.com/hiyouga/LLaMA-Factory/commit/bb7bf51554d4ba8432333c35a5e3b52705955ede Patch
- github.com/hiyouga/LLaMA-Factory/security/advisories/GHSA-xj56-p8mm-qmxj Exploit 3rd Party
- github.com/Threekiii/CVE Exploit
Related Vulnerabilities
- CVE-2024-52803 (9.8) LlamaFactory: RCE via OS command injection in training (same package: llamafactory)
- CVE-2025-61784 (8.1) LLaMA-Factory: SSRF+LFI in multimodal chat API (same package: llamafactory)
- CVE-2025-46567 (7.8) LLaMA-Factory: RCE via torch.load() unsafe deserialization (same package: llamafactory)
- CVE-2025-5120 (10.0) smolagents: sandbox escape enables unauthenticated RCE (same attack type: Supply Chain)
- CVE-2023-3765 (10.0) MLflow: path traversal allows arbitrary file read (same attack type: Supply Chain)