CVE-2025-53002 in LLaMA-Factory
Summary
by MITRE • 06/26/2025
LLaMA-Factory is a tuning library for large language models. A remote code execution vulnerability was discovered in LLaMA-Factory versions up to and including 0.9.3 during the LLaMA-Factory training process. This vulnerability arises because the `vhead_file` is loaded without proper safeguards, allowing malicious attackers to execute arbitrary malicious code on the host system simply by passing a malicious `Checkpoint path` parameter through the `WebUI` interface. The attack is stealthy, as the victim remains unaware of the exploitation. The root cause is that the `vhead_file` argument is loaded without the secure parameter `weights_only=True`. Version 0.9.4 contains a fix for the issue.
Analysis
by VulDB Data Team • 09/02/2025
The vulnerability CVE-2025-53002 is a critical remote code execution flaw in the LLaMA-Factory library, a popular tuning framework for large language models that is widely used in machine learning research and development environments. It affects versions 0.9.3 and earlier, posing a significant risk to organizations and researchers who rely on the tool for training and fine-tuning language models. The flaw is reachable during the training process through the WebUI interface, where a seemingly innocuous parameter can be used to gain full control of the host. The vulnerability falls under CWE-434, insecure loading of code: the system fails to validate and secure the loading of external components that could contain malicious payloads. This is a sophisticated attack vector that aligns with ATT&CK technique T1059.001 (Command and Scripting Interpreter), because the malicious code runs as part of the standard model training workflow.
The technical root cause is the improper handling of the `vhead_file` parameter in the LLaMA-Factory training pipeline. When a user passes a malicious checkpoint path through the WebUI interface, the system loads the specified `vhead_file` without the `weights_only=True` parameter that would prevent arbitrary code execution during model loading. That parameter is a critical safeguard: it restricts loading to model weights and parameters and refuses any embedded code or objects contained in the checkpoint file. Without it, an attacker can craft a checkpoint file containing malicious Python code or shell commands, which then executes with the privileges of the user running the LLaMA-Factory process. The attack is stealthy because the victim remains unaware of the exploitation; the malicious code runs silently in the background during the normal training workflow.
The operational impact of CVE-2025-53002 extends far beyond simple code execution, potentially compromising entire machine learning infrastructure and research environments. Organizations using LLaMA-Factory for model training face the risk of complete system compromise, data exfiltration, and unauthorized access to sensitive research data or proprietary models. The vulnerability affects not just individual researchers but entire institutional deployments where multiple users interact with the WebUI interface, creating a potential attack vector for lateral movement within network environments. The attack requires minimal sophistication from threat actors, as they only need to prepare a malicious checkpoint file and convince a target to load it through the interface, making it particularly dangerous in collaborative research settings where users frequently share model checkpoints. This vulnerability particularly impacts the security posture of AI research labs, universities, and enterprises that rely on LLaMA-Factory for their machine learning workflows, as it essentially allows attackers to gain persistent access to systems running these tools.
The fix implemented in version 0.9.4 addresses this vulnerability by properly enforcing the `weights_only=True` parameter during the loading of `vhead_file` components, effectively preventing the execution of malicious code embedded within checkpoint files. This remediation aligns with security best practices for loading machine learning models and follows the principle of least privilege by restricting what code can be executed during the model loading process. Organizations should immediately update to version 0.9.4 or later to protect against this vulnerability, while also implementing additional security measures such as input validation for checkpoint paths and network segmentation to limit the potential impact of any remaining risks. The vulnerability serves as a reminder of the critical importance of secure coding practices in machine learning frameworks, particularly when dealing with user-provided model checkpoints that may contain untrusted code. Security teams should also consider implementing monitoring for unusual checkpoint loading patterns and conducting regular vulnerability assessments of machine learning toolchains to identify similar security gaps in other components of their AI infrastructure.
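The root cause and the fix described above both come down to how a checkpoint is deserialized: LLaMA-Factory loads the value head with PyTorch's `torch.load`, and `weights_only=True` makes that call use a restricted unpickler that only resolves the handful of globals needed to rebuild tensors. The example below is added here for illustration and is not LLaMA-Factory's or PyTorch's code; it reproduces the same allowlist mechanism with a `pickle.Unpickler` subclass so it runs without PyTorch installed. The checkpoint contents, the `ALLOWED_GLOBALS` set, the key names such as `v_head.summary.weight`, and the stand-in foreign type (`fractions.Fraction`) are all constructed for the demonstration.

```python
import io
import pickle
from collections import OrderedDict
from fractions import Fraction

# Allowlist of (module, name) pairs the loader will resolve. Constructed for this
# example; the idea mirrors torch.load(weights_only=True), which only permits the
# globals needed to rebuild plain weight containers and refuses everything else.
ALLOWED_GLOBALS = {
    ("collections", "OrderedDict"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses to resolve any global outside ALLOWED_GLOBALS."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        # Refusing here is what stops an untrusted file from naming an arbitrary
        # callable: the unpickler never imports it, so nothing can run.
        raise pickle.UnpicklingError(
            f"refusing to resolve {module}.{name}: not in the weights-only allowlist"
        )


def load_weights_only(data: bytes):
    """Hardened path (analogue of the 0.9.4 fix): allowlisted globals only."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def load_unrestricted(data: bytes):
    """Vulnerable path (analogue of torch.load without weights_only=True):
    resolves any global the file names."""
    return pickle.loads(data)


def make_benign_checkpoint() -> bytes:
    # Constructed sample: a value-head state dict whose "weights" are plain float
    # lists. Only OrderedDict needs resolving, so the hardened loader accepts it.
    state = OrderedDict(
        [("v_head.summary.weight", [0.1, -0.2, 0.3]), ("v_head.summary.bias", [0.0])]
    )
    return pickle.dumps(state, protocol=4)


def make_checkpoint_with_foreign_global() -> bytes:
    # Constructed sample: the same shape of dict, but also carrying an object whose
    # class is not on the allowlist. A harmless stdlib type stands in for whatever
    # arbitrary callable an untrusted checkpoint might name.
    state = OrderedDict(
        [("v_head.summary.weight", [0.1]), ("extra", Fraction(1, 3))]
    )
    return pickle.dumps(state, protocol=4)


def classify(data: bytes) -> str:
    """Report whether the hardened loader accepts or rejects a checkpoint."""
    try:
        load_weights_only(data)
        return "accepted"
    except pickle.UnpicklingError:
        return "rejected"


if __name__ == "__main__":
    print("benign checkpoint:", classify(make_benign_checkpoint()))
    print("checkpoint naming a foreign global:", classify(make_checkpoint_with_foreign_global()))
```

The unrestricted loader happily resolves `fractions.Fraction` (or anything else the file names), while the restricted loader raises before importing it. The same allowlist check, applied to `torch.load` via `weights_only=True`, is what the 0.9.4 fix enforces for `vhead_file`; loading a checkpoint from a user-supplied path with that flag is the check to look for when auditing similar code.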