Cyber Resilience

CVE-2025-53002

High · Public PoC · RCE

Published: 26 June 2025
Modified: 02 September 2025
KEV Added: not listed
Patch: available (version 0.9.4)
CVSS Score (v3.1): 8.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:H)
EPSS Score: 0.0422 (89.0th percentile)
Risk Priority: 19 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-53002 is a high-severity Code Injection (CWE-94) vulnerability in Hiyouga Llama-Factory. Its CVSS base score is 8.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 11.0% of CVEs by EPSS exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

Deeper analysis

LLaMA-Factory, a tuning library for large language models, is affected by a remote code execution vulnerability in all versions through 0.9.3. The flaw occurs during the training process when the vhead_file argument is deserialized without the weights_only=True safeguard, enabling unsafe loading of untrusted checkpoint data and triggering arbitrary code execution on the host.

An authenticated user who can reach the WebUI can exploit the issue by supplying a malicious Checkpoint path parameter. This action causes the application to load attacker-controlled code stealthily during training, granting the ability to execute arbitrary commands with the privileges of the training process while leaving the victim unaware of the activity.

The associated GitHub security advisory and the patch commit in version 0.9.4 state that the fix consists of enforcing the weights_only=True parameter when the vhead_file is loaded, thereby preventing deserialization of untrusted objects.

The EPSS score remains flat at 0.0422 with no material increase after disclosure.

EU & UK References

Vulnerability details

LLaMA-Factory is a tuning library for large language models. A remote code execution vulnerability was discovered in LLaMA-Factory versions up to and including 0.9.3 during the LLaMA-Factory training process. This vulnerability arises because the `vhead_file` is loaded without proper safeguards, allowing malicious attackers to execute arbitrary malicious code on the host system simply by passing a malicious `Checkpoint path` parameter through the `WebUI` interface. The attack is stealthy, as the victim remains unaware of the exploitation. The root cause is that the `vhead_file` argument is loaded without the secure parameter `weights_only=True`. Version 0.9.4 contains a fix for the issue.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059.006 Python (Execution): Adversaries may abuse Python commands and scripts for execution.
Why these techniques?

The RCE vulnerability in LLaMA-Factory's WebUI enables exploitation of a public-facing application (T1190) through unsafe deserialization (torch.load without weights_only=True), allowing arbitrary Python code execution (T1059.006) by supplying a malicious remote checkpoint path.
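The following is an added example, not LLaMA-Factory's own code and not taken from the advisory. It puts the vulnerable `torch.load` call the Deeper analysis and Vulnerability details describe next to the hardened `weights_only=True` form, and adds a defender-side pre-check: a static scan (via `pickletools`, nothing is unpickled) that lists every global a checkpoint's pickle stream would import, so a file that references anything outside an expected allowlist can be rejected before loading. Assumptions: the allowlist names are the ones typical of a plain PyTorch state_dict, the zip layout `archive/data.pkl` mirrors torch's format, lists stand in for tensors in the constructed samples, and all function names are hypothetical.

```python
"""Added example: scan a PyTorch-style checkpoint for pickle globals before loading it."""
import datetime
import io
import pickle
import pickletools
import zipfile
from collections import OrderedDict

# Assumption: a plain state_dict checkpoint normally references only these globals.
# Tighten or extend this baseline from checkpoints you have produced yourself.
ALLOWED_GLOBALS = {
    "collections.OrderedDict",
    "torch._utils._rebuild_tensor_v2",
    "torch.FloatStorage",
    "torch.HalfStorage",
    "torch.BFloat16Storage",
}

# Opcodes that push a str onto the unpickler stack (STACK_GLOBAL takes module and name from them).
STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE",
              "STRING", "BINSTRING", "SHORT_BINSTRING"}


def pickle_globals(data: bytes) -> set[str]:
    """Return every 'module.name' the stream would import. The stream is never executed."""
    found = set()
    recent = []  # the last two non-MEMOIZE opcodes as (name, arg)
    for op, arg, _pos in pickletools.genops(data):
        if op.name in ("GLOBAL", "INST"):
            # pickletools renders the two newline-terminated lines as "module name"
            found.add(arg.replace(" ", ".", 1))
        elif op.name == "STACK_GLOBAL":
            # protocol 4+: module and attribute are the two strings pushed just before
            if len(recent) == 2 and all(name in STRING_OPS for name, _ in recent):
                found.add(f"{recent[0][1]}.{recent[1][1]}")
            else:
                found.add("<unresolved STACK_GLOBAL>")  # fail closed on unusual stack shapes
        if op.name != "MEMOIZE":
            recent = (recent + [(op.name, arg)])[-2:]
    return found


def checkpoint_globals(blob: bytes) -> set[str]:
    """torch's zip format keeps the object graph in <archive>/data.pkl; legacy files are a raw pickle."""
    if zipfile.is_zipfile(io.BytesIO(blob)):
        found = set()
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            for member in zf.namelist():
                if member.endswith(".pkl"):
                    found |= pickle_globals(zf.read(member))
        return found
    return pickle_globals(blob)


def is_safe_checkpoint(blob: bytes) -> bool:
    """Accept only checkpoints whose pickle globals are all on the allowlist."""
    return checkpoint_globals(blob) <= ALLOWED_GLOBALS


def load_vhead_unsafe(path):
    """The vulnerable pattern: a full unpickle of whatever the file contains."""
    import torch  # imported lazily so the scanner above runs without torch installed
    return torch.load(path, map_location="cpu")  # weights_only defaults to False in older torch releases


def load_vhead_hardened(path):
    """The fixed pattern: pre-scan, then let torch's restricted unpickler enforce its own allowlist."""
    import torch
    with open(path, "rb") as f:
        blob = f.read()
    if not is_safe_checkpoint(blob):
        raise ValueError(f"{path}: references globals outside the allowlist: "
                         f"{checkpoint_globals(blob) - ALLOWED_GLOBALS}")
    return torch.load(io.BytesIO(blob), map_location="cpu", weights_only=True)


def build_sample_checkpoint(obj, protocol: int = 4) -> bytes:
    """Constructed fixture: a minimal zip laid out like a torch checkpoint."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("archive/data.pkl", pickle.dumps(obj, protocol=protocol))
    return buf.getvalue()


# Constructed samples: a value-head state_dict (lists stand in for tensors); the same data in the
# legacy raw-pickle format; and a file that drags in a harmless but unexpected class, which is
# enough for the scanner to reject it.
VHEAD_STATE = OrderedDict([("v_head.summary.weight", [0.1, -0.2]), ("v_head.summary.bias", [0.0])])
BENIGN_CHECKPOINT = build_sample_checkpoint(VHEAD_STATE)
LEGACY_CHECKPOINT = pickle.dumps(VHEAD_STATE, protocol=2)
SUSPICIOUS_CHECKPOINT = build_sample_checkpoint(
    {"v_head.summary.bias": [0.0], "created": datetime.date(2025, 6, 26)})

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_CHECKPOINT), ("legacy", LEGACY_CHECKPOINT),
                        ("suspicious", SUSPICIOUS_CHECKPOINT)):
        verdict = "safe" if is_safe_checkpoint(blob) else "REJECT"
        print(label, sorted(checkpoint_globals(blob)), verdict)
```

The scan is a defence-in-depth layer, not a replacement for `weights_only=True`: torch's restricted unpickler is what actually refuses to resolve arbitrary globals, while the pre-check gives operators a readable reason for the rejection and works on files before they are handed to any loader. Anything the scanner cannot resolve is reported as unsafe rather than ignored.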

Affected Assets

hiyouga
llama-factory
≤ 0.9.4

Mitigating Controls

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- Addresses CWE-502, CWE-94: Untrusted serialized data can be deserialized and observed inside the chamber, blocking gadget-chain exploitation outside the sandbox.
- Addresses CWE-94, CWE-502: Validates inputs used in dynamic code generation to block injected directives.
- Addresses CWE-502: Penetration testing supplies malicious serialized objects, detecting unsafe deserialization and supporting corrective actions.
- Addresses CWE-502: Evaluation of untrusted data handling (deserialization testing) reveals unsafe processing, which the required remediation process addresses.
- Addresses CWE-94: Makes persistent code injection into loaded programs impossible when the executable image itself resides on hardware-protected read-only media.
- Addresses CWE-94: Directly prevents execution of attacker-supplied code written into data memory regions.
- Addresses CWE-502: Identifies and blocks malicious code introduced through deserialization of untrusted data at system boundaries.
- Addresses CWE-502: Integrity verification of serialized information can detect tampering before deserialization occurs.

References