### Key Information

#### Vulnerability Overview

- **Vulnerability Type**: Remote Code Execution (RCE)
- **Affected Versions**: <=0.9.3
- **Fixed Version**: 0.9.4
- **Severity**: High (CVSS v3.1: 8.3/10)

#### Vulnerability Description

- **Cause**: The `vhead_file` is loaded without proper security safeguards, allowing an attacker to supply a malicious Checkpoint path parameter via the WebUI interface and have arbitrary malicious code executed when the file is deserialized.
- **Impact**: The attack is stealthy; the victim is exploited without their knowledge.

#### Affected Versions

- LLaMA Factory versions <=0.9.3 are affected by this vulnerability.

#### Details

1. In LLaMA Factory's WebUI, when a user sets the Checkpoint path, it modifies the `adapter_name_or_path` parameter passed to the training process.
2. The `adapter_name_or_path` parameter is then used in the `valuehead.py` file to retrieve the corresponding `value_head.bin` file. This file is loaded using `torch.load()` without setting the security parameter `weights_only=True`, so a crafted file leads to Remote Code Execution during deserialization.

#### PoC

- **Steps**:
  1. Deploy LLaMA Factory.
  2. Launch a remote attack via the WebUI interface.
  3. Correctly configure the Model name and Model path.
  4. Set Finetuning method to LoRA and Train Stage to Reward Modeling.
  5. Input a malicious Hugging Face path.
  6. Click "Start Training".

#### Impact

- Allows remote attackers to execute arbitrary malicious code or OS commands.
- May compromise sensitive data or escalate privileges.
- Enables deployment of malware or creation of persistent backdoors.
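As an added illustration (not code from this advisory or from LLaMA Factory), the stdlib-only Python below reproduces the principle behind the `weights_only=True` fix described in the Details section: an unpickler that resolves only allowlisted globals, so a `value_head.bin` naming any other class is rejected before its constructor can run. Lists stand in for tensors, the allowlist is illustrative, and the sample checkpoints are constructed; in production the actual fix is simply `torch.load(path, weights_only=True)`.

```python
import io
import pickle
import zipfile
from collections import OrderedDict
from datetime import date
# Globals a plain state-dict checkpoint needs. Assumption: illustrative list;
# torch's weights_only unpickler also allowlists its tensor rebuild helpers.
ALLOWED_GLOBALS = {("collections", "OrderedDict"), ("torch._utils", "_rebuild_tensor_v2")}

class RestrictedUnpickler(pickle.Unpickler):
    """Every callable a pickle can invoke (REDUCE, NEWOBJ, BUILD) must first
    pass through find_class, so refusing unknown names here blocks the
    attacker-chosen code paths that make torch.load() on untrusted files an RCE."""
    def find_class(self, module, name):
        if (module, name) not in ALLOWED_GLOBALS:
            raise pickle.UnpicklingError(f"disallowed global {module}.{name}")
        return super().find_class(module, name)

def _pickle_bytes(blob: bytes) -> bytes:
    """torch.save() emits a raw pickle or a zip whose data.pkl holds the graph."""
    if zipfile.is_zipfile(io.BytesIO(blob)):
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            member = next(n for n in zf.namelist() if n.endswith("data.pkl"))
            return zf.read(member)
    return blob

def safe_load(blob: bytes):
    """Stand-in for torch.load(path, weights_only=True): restricted unpickling."""
    return RestrictedUnpickler(io.BytesIO(_pickle_bytes(blob))).load()

def load_result(blob: bytes) -> str:
    """Collapse the outcome to 'ok' / 'rejected' for easy checking."""
    try:
        safe_load(blob)
        return "ok"
    except pickle.UnpicklingError:
        return "rejected"

def as_zip_checkpoint(pkl: bytes) -> bytes:
    """Wrap a pickle in the zip layout torch.save() uses (constructed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("archive/data.pkl", pkl)
    return buf.getvalue()

# Constructed samples: lists stand in for tensors so this runs without torch.
# BAD_CHECKPOINT names a class outside the allowlist, which is what a
# malicious value_head.bin would do; plain pickle.load() would run its constructor.
GOOD_CHECKPOINT = pickle.dumps(OrderedDict([("v_head.summary.weight", [0.1, 0.2])]))
BAD_CHECKPOINT = pickle.dumps({"v_head.summary.weight": date(2024, 1, 1)})
```

The same rejection happens whether the checkpoint is a raw pickle or the zip layout `torch.save()` produces, since the allowlist is enforced at `find_class` regardless of container.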