CVE-2025-61784: LLaMA-Factory: SSRF+LFI in multimodal chat API
GHSA-527m-2xhr-j27g | Severity: HIGH | PoC available | CISA SSVC: Track
Any authenticated user of LLaMA-Factory <=0.9.3 can pivot into your internal network or make the server read arbitrary files via crafted image/video/audio URLs in the chat API; no special skills are required. If your team uses this library for LLM fine-tuning (especially in shared environments or with external collaborators), patch to 0.9.4 immediately; if you cannot, restrict the multimodal chat endpoint and block egress from the service to metadata and internal addresses. Low EPSS now does not mean safe: this is trivially exploitable once an attacker has any valid account.
What is the risk?
Effective risk is higher than CVSS 8.1 suggests in AI/ML contexts. The attack requires only a low-privileged authenticated account, which is common in collaborative fine-tuning environments where multiple researchers, contractors, or automated pipelines share access. SSRF from cloud-hosted training infrastructure reaches internal databases, model registries, secret stores, and the cloud metadata service. On AWS that means IMDSv1 credential documents; IMDSv2 requires a token obtained with a PUT request and a custom header, which this plain GET primitive cannot supply, and GCP and Azure metadata likewise require a header, so enforcing IMDSv2 genuinely blunts the metadata path. LFI compounds the SSRF: the same code path will open any file readable by the service account, including model weights, training data, API keys in .env files, SSH private keys, and Hugging Face tokens that are typically present on fine-tuning servers. EPSS is low because the CVE is recent, not because the vector is complex.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| llamafactory (LLaMA Factory) | pip | <= 0.9.3 | 0.9.4 |
What should I do?
1. PATCH: Upgrade llamafactory (pip) to >=0.9.4 immediately. This is the only complete fix and the only step that also closes the local-file branch.
2. WORKAROUND (if patching is blocked): Add egress firewall rules on the training host, matched on the uid the LLaMA-Factory service runs as, that deny 169.254.169.254 (AWS, GCP and Azure metadata), 100.100.100.200 (Alibaba Cloud metadata, inside 100.64.0.0/10), RFC 1918 ranges and loopback. On AWS also set the instance to require IMDSv2 (HttpTokens=required); this GET-only primitive cannot obtain the token. Network rules do nothing against the local-file branch.
3. RESTRICT: Disable or require admin-only access to the multimodal chat API endpoint if image/video/audio URL inputs are not needed for your workflow.
4. DETECT: The SSRF target and the LFI path arrive inside the JSON body of the chat request (the image/video/audio URL field), not in the request line, so ordinary web-server access logs will not show them. Log request bodies at the API or reverse proxy and alert on URL values that are bare filesystem paths (/etc/passwd, ~/.ssh, .env, anything containing "token"), file: URLs, or hosts that resolve to metadata, loopback or private addresses. On the network side, alert on outbound connections from the service uid to 169.254.169.254 or internal ranges; on AWS, use of the instance role's credentials from a source IP other than the instance is a strong indicator.
5. ROTATE: If the server has been externally accessible with LLaMA-Factory running, assume credentials stored on disk may be compromised. Rotate API keys, Hugging Face tokens, cloud IAM credentials, and SSH keys.
What does CISA's SSVC say?
Decision: Track. Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
Frequently Asked Questions
What is CVE-2025-61784?
Any authenticated user of LLaMA-Factory <=0.9.3 can pivot into your internal network or make the server read arbitrary files via crafted image/video/audio URLs in the chat API; no special skills are required. If your team uses this library for LLM fine-tuning (especially in shared environments or with external collaborators), patch to 0.9.4 immediately; if you cannot, restrict the multimodal chat endpoint and block egress from the service to metadata and internal addresses. Low EPSS now does not mean safe: this is trivially exploitable once an attacker has any valid account.
Is CVE-2025-61784 actively exploited?
Proof-of-concept exploit code is publicly available for CVE-2025-61784, increasing the risk of exploitation.
How to fix CVE-2025-61784?
1. PATCH: Upgrade llamafactory (pip) to >=0.9.4 immediately; this is the only complete fix and the only step that also closes the local-file branch. 2. WORKAROUND (if patching is blocked): Add egress firewall rules on the training host, matched on the service uid, that deny 169.254.169.254 (AWS, GCP and Azure metadata), 100.100.100.200 (Alibaba Cloud metadata), RFC 1918 ranges and loopback; on AWS also require IMDSv2, which this GET-only primitive cannot satisfy. Network rules do nothing against the local-file branch. 3. RESTRICT: Disable or require admin-only access to the multimodal chat API endpoint if image/video/audio URL inputs are not needed. 4. DETECT: The attacker-controlled URL sits in the JSON request body, not the request line, so log request bodies at the API or proxy and alert on bare filesystem paths, file: URLs, or hosts resolving to metadata, loopback or private addresses; on the network side, alert on outbound connections from the service uid to 169.254.169.254 or internal ranges. 5. ROTATE: If the server has been externally accessible with LLaMA-Factory running, assume credentials stored on disk may be compromised and rotate API keys, Hugging Face tokens, cloud IAM credentials, and SSH keys.
What systems are affected by CVE-2025-61784?
This vulnerability affects the following AI/ML architecture patterns: LLM fine-tuning pipelines, model serving, MLOps platforms, training pipelines, multi-user ML research environments.
What is the CVSS score for CVE-2025-61784?
CVE-2025-61784 has a CVSS v3.1 base score of 8.1 (HIGH). The EPSS exploitation probability is 0.34%.
What is the AI security impact?
Affected AI Architectures: LLM fine-tuning pipelines, model serving, MLOps platforms, training pipelines, multi-user ML research environments.
MITRE ATLAS Techniques:
- AML.T0006 Active Scanning
- AML.T0025 Exfiltration via Cyber Means
- AML.T0035 AI Artifact Collection
- AML.T0037 Data from Local System
- AML.T0049 Exploit Public-Facing Application
- AML.T0055 Unsecured Credentials
What are the technical details?
Original Advisory
LLaMA-Factory is a tuning library for large language models. Prior to version 0.9.4, a Server-Side Request Forgery (SSRF) vulnerability in the chat API allows any authenticated user to force the server to make arbitrary HTTP requests to internal and external networks. This can lead to the exposure of sensitive internal services, reconnaissance of the internal network, or interaction with third-party services. The same mechanism also allows for a Local File Inclusion (LFI) vulnerability, enabling users to read arbitrary files from the server's filesystem. The vulnerability exists in the `_process_request` function within `src/llamafactory/api/chat.py`. This function is responsible for processing incoming multimodal content, including images, videos, and audio provided via URLs. The function checks if the provided URL is a base64 data URI or a local file path (`os.path.isfile`). If neither is true, it falls back to treating the URL as a web URI and makes a direct HTTP GET request using `requests.get(url, stream=True).raw` without any validation or sanitization of the URL. Version 0.9.4 fixes the underlying issue.
Exploitation Scenario
A red teamer (or malicious insider) with a valid LLaMA-Factory account crafts a multimodal chat request whose image URL is 'http://169.254.169.254/latest/meta-data/iam/security-credentials/'. `_process_request`, finding neither a base64 data URI nor a local file, fetches that URL with `requests.get()` from the training host's network position, so the instance's IMDSv1 credential document is pulled into the server process. How much of the fetched body is reflected back to the caller depends on how the downstream media decoder and error handling treat non-image bytes; the advisory claims exposure and reconnaissance rather than guaranteed reflection. Even a blind primitive confirms which internal services are reachable, and any reflected fragment of the IMDS response hands over temporary AWS keys. With those keys the attacker assumes the instance role, reads S3 buckets holding training datasets and model checkpoints, and pivots to other AWS services. Separately, submitting a bare filesystem path such as `/root/.ssh/id_rsa` or `/opt/llamafactory/.env` as the 'URL' satisfies the `os.path.isfile` check and makes the server open that file, subject only to the permissions of the account the service runs as (a service running as root can read everything).
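The following is an added example written for this page, not code from LLaMA-Factory or its advisory. It restates the dispatch order the advisory describes (data URI, then local file, then HTTP GET) as a pure classifier that performs no fetch, shows a hardened replacement for the remote and local branches (scheme allowlist, no embedded credentials, resolved-address check that catches metadata, loopback and private ranges, and directory confinement for any local media), and then runs the same validator over constructed request records as the log-review pass described under DETECT. The request field name `image_url`, all function names, the sample records and the fake DNS answers are assumptions made for the example.

```python
# Added example for CVE-2025-61784; not LLaMA-Factory's code. Field names, sample data and DNS answers are assumed.
import ipaddress
import os
import re
import socket
from urllib.parse import urlparse

DATA_URI_RE = re.compile(r"^data:(?:image|video|audio)/[\w.+-]+;base64,[A-Za-z0-9+/=]+$")
ALLOWED_SCHEMES = {"http", "https"}

def legacy_branch(url, isfile=os.path.isfile):
    """Branch the pre-0.9.4 dispatch order would take; no fetch, no read. `isfile` is injectable for offline tests."""
    if DATA_URI_RE.match(url):
        return "data"
    if isfile(url):
        return "file"    # LFI: any path readable by the service account is opened
    return "remote"      # SSRF: whatever is left goes straight to requests.get()

def _default_resolver(host):
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def _is_public(ip_text):
    addr = ipaddress.ip_address(ip_text)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped          # ::ffff:169.254.169.254 is still the metadata service
    return addr.is_global                # False for loopback, link-local, RFC 1918 and 100.64.0.0/10

def validate_remote_media_url(url, resolver=_default_resolver):
    """Return the resolved public IPs of a URL that is safe to fetch, or raise ValueError.
    Rejects bare paths and file: (scheme), credentials in the URL, and hosts resolving to
    non-public addresses. Callers should connect to one of the returned IPs instead of
    re-resolving the name, otherwise a rebinding DNS record passes here and then points at IMDS."""
    parts = urlparse(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if not parts.hostname or parts.username or parts.password:
        raise ValueError("missing host or embedded credentials")
    host = parts.hostname
    try:
        ips = {str(ipaddress.ip_address(host))}   # IP literal: no lookup needed
    except ValueError:
        ips = set(resolver(host))
    if not ips:
        raise ValueError(f"unresolvable host: {host!r}")
    bad = sorted(ip for ip in ips if not _is_public(ip))
    if bad:
        raise ValueError(f"{host!r} resolves to non-public address(es): {bad}")
    return sorted(ips)

def is_fetchable(url, resolver=_default_resolver):
    try:
        validate_remote_media_url(url, resolver)
        return True
    except ValueError:
        return False

def local_path_allowed(path, media_root):
    """If local media must stay supported, confine it to one configured directory.
    realpath() collapses '..' and symlinks before the containment check."""
    root = os.path.realpath(media_root)
    real = os.path.realpath(os.path.join(root, path))
    return os.path.commonpath([root, real]) == root

SAMPLE_REQUESTS = [   # constructed request bodies, not real traffic
    {"user": "alice", "image_url": "data:image/png;base64,iVBORw0KGgo="},
    {"user": "bob",   "image_url": "http://169.254.169.254/latest/meta-data/iam/security-credentials/"},
    {"user": "bob",   "image_url": "/root/.ssh/id_rsa"},
    {"user": "carol", "image_url": "https://cdn.example.com/cat.jpg"},
    {"user": "bob",   "image_url": "http://registry.corp.example:5000/v2/_catalog"},
]

FAKE_DNS = {          # constructed answers so the example runs without network access
    "cdn.example.com": {"93.184.216.34"},
    "registry.corp.example": {"10.20.0.15"},
}

def fake_resolver(host):
    return FAKE_DNS.get(host, set())

def flag_suspicious_requests(records, resolver=_default_resolver):
    """Log-review pass over parsed request bodies: every non-data-URI value the
    hardened validator would refuse is reported as (user, url, reason)."""
    findings = []
    for rec in records:
        url = rec.get("image_url", "")
        if DATA_URI_RE.match(url):
            continue
        try:
            validate_remote_media_url(url, resolver)
        except ValueError as exc:
            findings.append((rec["user"], url, str(exc)))
    return findings

if __name__ == "__main__":
    for user, url, reason in flag_suspicious_requests(SAMPLE_REQUESTS, fake_resolver):
        print(f"{user}: {url} -> {reason}")
```

Run against the constructed records, the pass flags the three requests from `bob` (metadata service, bare SSH key path, internal registry) and lets the data URI and the public CDN URL through. The resolve-then-check step is the part most SSRF fixes get wrong: checking only the hostname string misses IP literals in unusual encodings and names that resolve to internal addresses, and checking without pinning the resolved IP leaves DNS rebinding open.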
Weaknesses (CWE)
CWE-918 Server-Side Request Forgery (SSRF) (Primary)
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (Primary)
CWE-22, Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'): The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
- [Implementation] Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylis
- [Architecture and Design] For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
References
- nvd.nist.gov/vuln/detail/CVE-2025-61784
- github.com/advisories/GHSA-527m-2xhr-j27g
- github.com/hiyouga/LLaMA-Factory/security/advisories/GHSA-527m-2xhr-j27g (Exploit, 3rd Party)
- github.com/hiyouga/LLaMA-Factory/commit/95b7188090a1018935c9dc072bfc97f24f1c96e9 (Patch)
- github.com/fkie-cad/nvd-json-data-feeds (Exploit)
Related Vulnerabilities
- CVE-2024-52803 (9.8) LlamaFactory: RCE via OS command injection in training [same package: llamafactory]
- CVE-2025-53002 (9.8) LLaMA-Factory: RCE via unsafe checkpoint deserialization [same package: llamafactory]
- CVE-2025-46567 (7.8) LLaMA-Factory: RCE via torch.load() unsafe deserialization [same package: llamafactory]
- CVE-2025-5120 (10.0) smolagents: sandbox escape enables unauthenticated RCE [same attack type: Code Execution]
- CVE-2025-53767 (10.0) Azure OpenAI: SSRF EoP, no auth required [same attack type: Data Extraction]