CVE-2025-53002
Published: 26 June 2025
Summary
CVE-2025-53002 is a high-severity Code Injection (CWE-94) vulnerability in Hiyouga Llama-Factory. Its CVSS base score is 8.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 11.0% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
LLaMA-Factory, a tuning library for large language models, is affected by a remote code execution vulnerability in all versions through 0.9.3. The flaw occurs during the training process when the vhead_file argument is deserialized without the weights_only=True safeguard, enabling unsafe loading of untrusted checkpoint data and triggering arbitrary code execution on the host.
An authenticated user who can reach the WebUI can exploit the issue by supplying a malicious Checkpoint path parameter. This action causes the application to load attacker-controlled code stealthily during training, granting the ability to execute arbitrary commands with the privileges of the training process while leaving the victim unaware of the activity.
The associated GitHub security advisory and the patch commit in version 0.9.4 state that the fix consists of enforcing the weights_only=True parameter when the vhead_file is loaded, thereby preventing deserialization of untrusted objects.
The EPSS score remains flat at 0.0422 with no material increase after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-19200
Vulnerability details
LLaMA-Factory is a tuning library for large language models. A remote code execution vulnerability was discovered in LLaMA-Factory versions up to and including 0.9.3 during the LLaMA-Factory training process. This vulnerability arises because the `vhead_file` is loaded without proper safeguards, allowing malicious attackers to execute arbitrary malicious code on the host system simply by passing a malicious `Checkpoint path` parameter through the `WebUI` interface. The attack is stealthy, as the victim remains unaware of the exploitation. The root cause is that the `vhead_file` argument is loaded without the secure parameter `weights_only=True`. Version 0.9.4 contains a fix for the issue.
Related Threats
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
The RCE vulnerability in LLaMA-Factory's WebUI enables exploitation of a public-facing application (T1190) through unsafe deserialization (torch.load without weights_only=True), allowing arbitrary Python code execution (T1059.006) by supplying a malicious remote checkpoint path.
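The deeper analysis above and this mapping both come down to one mechanism: a pickle-based checkpoint loaded without weights_only=True lets the file decide which Python globals get imported and called. The following Python is an added example, not LLaMA-Factory or PyTorch code; it shows what a weights_only-style restriction amounts to on raw pickle bytes (for a torch zip checkpoint that would be the archive's data.pkl member): a static scan of the globals the stream would import, then a restricted unpickler that resolves only an allowlist. The allowlist and the sample payloads are constructed for illustration and are not PyTorch's real allowlist.

```python
import io
import json
import pickle
import pickletools
from collections import OrderedDict

# Constructed allowlist for a plain state_dict; PyTorch's real weights_only
# allowlist (storages, tensor rebuild helpers, ...) is deliberately not copied.
ALLOWED_GLOBALS = {("collections", "OrderedDict")}
STRING_OPS = {"UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}

def referenced_globals(data: bytes) -> set:
    """Every (module, name) the stream would import, found without executing it.
    STACK_GLOBAL takes the two most recently pushed strings (possibly via the memo)."""
    found, stack, memo = set(), [], {}
    for op, arg, _ in pickletools.genops(data):
        if op.name in STRING_OPS:
            stack.append(arg)
        elif op.name == "MEMOIZE":
            memo[len(memo)] = stack[-1] if stack else None
        elif op.name in ("PUT", "BINPUT", "LONG_BINPUT"):
            memo[arg] = stack[-1] if stack else None
        elif op.name in ("GET", "BINGET", "LONG_BINGET"):
            stack.append(memo.get(arg))
        elif op.name == "GLOBAL":
            found.add(tuple(arg.split(" ", 1)))  # arg is "module name"
        elif op.name == "STACK_GLOBAL":
            name, module = stack.pop(), stack.pop()  # IndexError: malformed stream
            found.add((module, name))
    return found

class RestrictedUnpickler(pickle.Unpickler):
    """Resolve only allowlisted globals, as weights_only=True does for torch.load."""
    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to import {module}.{name}")

def safe_load(data: bytes):
    """Static scan, then a restricted load; raises UnpicklingError otherwise."""
    unexpected = referenced_globals(data) - ALLOWED_GLOBALS
    if unexpected:
        raise pickle.UnpicklingError(f"unexpected globals: {sorted(unexpected)}")
    return RestrictedUnpickler(io.BytesIO(data)).load()

def constructed_samples() -> dict:
    """Constructed stand-ins for checkpoint payloads, not real LLaMA-Factory files."""
    head = OrderedDict(weight=[0.1, 0.2], bias=[0.0])
    return {"benign_v4": pickle.dumps(head),              # STACK_GLOBAL form
            "benign_v2": pickle.dumps(head, protocol=2),  # GLOBAL form
            "suspicious": pickle.dumps(json.loads)}       # bare callable reference
```

The scan alone is a useful pre-load check for checkpoints pulled from a hub: any global outside what a state_dict needs is a reason not to load the file at all.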
Mitigating Controls
Likely Mitigating Controls (AI)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Untrusted serialized data can be deserialized and observed inside an isolated sandbox, blocking gadget-chain exploitation from reaching anything outside it.
- Validates inputs used in dynamic code generation to block injected directives.
- Penetration testing supplies malicious serialized objects, detecting unsafe deserialization and supporting corrective actions.
- Evaluation of untrusted data handling (deserialization testing) reveals unsafe processing, which the required remediation process then addresses.
- Makes persistent code injection into loaded programs impossible when the executable image itself resides on hardware-protected read-only media.
- Directly prevents execution of attacker-supplied code written into data memory regions.
- Identifies and blocks malicious code introduced through deserialization of untrusted data at system boundaries.
- Integrity verification of serialized information can detect tampering before deserialization occurs.