CVE-2025-46567 LLaMA-Factory Allows Arbitrary Code Execution via Unsafe Deserialization in...

CVE-2025-46567 LLaMA-Factory Allows Arbitrary Code Execution via Unsafe Deserialization in Ilamafy_baichuan2.py

May 2, 2025 invoker category_cve

Vulnerability Details

Basic Information

Title	CVE-2025-46567 LLaMA-Factory Allows Arbitrary Code Execution via Unsafe Deserialization in Ilamafy_baichuan2.py
Type	cve
Published	2025-05-01T17:20:41
Last Seen	2025-05-01T17:47:16
CVSS Score	6.1 (MEDIUM)

CVSS v3 Details

Attack Vector	LOCAL
Attack Complexity	LOW
Privileges Required	LOW
User Interaction	REQUIRED
Scope	UNCHANGED
Confidentiality Impact	HIGH
Integrity Impact	LOW
Availability Impact	LOW

CVE Information

CVE IDs	CVE-2025-46567
CWE	CWE-502
Bulletin Family	cve

Description

LLama Factory enables fine-tuning of large language models. Prior to version 1.0.0, a critical vulnerability exists in the llamafy_baichuan2.py script of the LLaMA-Factory project. The script performs insecure deserialization using…

Impact Assessment

Base Score	6.1
Severity	MEDIUM

View full CVE details