Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
LLaMA-Factory Allows Arbitrary Code Execution via Unsafe Deserialization in Ilamafy_baichuan2.py
Vulnerability Description
LLama Factory enables fine-tuning of large language models. Prior to version 1.0.0, a critical vulnerability exists in the `llamafy_baichuan2.py` script of the LLaMA-Factory project. The script performs insecure deserialization using `torch.load()` on user-supplied `.bin` files from an input directory. An attacker can exploit this behavior by crafting a malicious `.bin` file that executes arbitrary commands during deserialization. This issue has been patched in version 1.0.0.
CVSS Information
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:L
Vulnerability Type
可信数据的反序列化
Vulnerability Title
LLaMA-Factory 安全漏洞
Vulnerability Description
LLaMA-Factory是中国hoshi-hiyouga个人开发者的一个微调大型语言模型。 LLaMA-Factory 1.0.0之前版本存在安全漏洞,该漏洞源于llamafy_baichuan2.py脚本中对用户提供的.bin文件执行不安全的反序列化,可能导致执行任意代码。
CVSS Information
N/A
Vulnerability Type
N/A