CVE-2024-52803 HIGH

CVE-2024-52803: LLama Factory Remote OS Command Injection Vulnerability

Vendor Hiyouga
Product LLaMA-Factory
Weakness CWE-79 · XSS
Published November 21, 2024
Last update November 21, 2024

CVSS base score

7.5/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

Description

LLama Factory enables fine-tuning of large language models. A critical remote OS command injection vulnerability has been identified in the LLama Factory training process. This vulnerability arises from improper handling of user input, allowing malicious actors to execute arbitrary OS commands on the host system. The issue is caused by insecure usage of the `Popen` function with `shell=True`, coupled with unsanitized user input. Immediate remediation is required to mitigate the risk. This vulnerability is fixed in 0.9.1.
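The description names the root cause as `Popen(..., shell=True)` fed with unsanitized input. The following is an added example (not code from LLaMA-Factory or the advisory) showing the two controls a maintainer would apply: an allowlist on the user-controlled value, and an argv-list subprocess call with the default `shell=False`, so the value reaches the child as a single literal argument. It also includes a small AST scan that flags `shell=True` calls during review. The allowlist pattern, the `validate_name`/`run_trainer_arg`/`find_shell_true_calls` names and the `VULNERABLE_SNIPPET` are constructed for this example.

```python
import ast
import re
import subprocess
import sys

# Assumed allowlist for a training-job parameter such as a model name.
# Constructed for this example; it is not LLaMA-Factory's own validation.
SAFE_NAME = re.compile(r"^[A-Za-z0-9._/-]{1,128}$")


def validate_name(value: str) -> str:
    """Reject anything outside a conservative allowlist before it reaches a subprocess."""
    if not SAFE_NAME.fullmatch(value):
        raise ValueError(f"rejected parameter value: {value!r}")
    return value


def run_trainer_arg(value: str) -> str:
    """Hardened pattern: argv list, shell=False (the default).

    The child receives `value` as one literal argument, so shell metacharacters
    are data rather than syntax. Instead of a real trainer, the child simply
    echoes its argument so the behaviour can be observed offline.
    """
    argv = [sys.executable, "-c", "import sys; print(sys.argv[1])", value]
    proc = subprocess.run(argv, capture_output=True, text=True, check=True)
    return proc.stdout.rstrip("\n")


def find_shell_true_calls(source: str) -> list:
    """Static check: locate subprocess Popen/run/call-style calls with shell=True.

    Returns (line number, function name) pairs for each match.
    """
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        name = func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", None)
        if name not in {"Popen", "run", "call", "check_call", "check_output"}:
            continue
        for kw in node.keywords:
            if kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True:
                findings.append((node.lineno, name))
    return findings


# Constructed snippet in the shape the advisory describes (not LLaMA-Factory code).
VULNERABLE_SNIPPET = '''
from subprocess import Popen
def launch(cmd):
    return Popen(cmd, shell=True)
'''

if __name__ == "__main__":
    print(find_shell_true_calls(VULNERABLE_SNIPPET))   # [(4, 'Popen')]
    print(run_trainer_arg("llama-3-8b"))               # llama-3-8b
    print(run_trainer_arg("model;echo"))               # model;echo (literal, not executed)
    try:
        validate_name("model;echo")
    except ValueError as e:
        print(e)
```

The argv-list form is the fix the advisory implies; the allowlist is defence in depth for values that end up in file names or config paths, and the AST scan is a cheap review gate that would have surfaced the `shell=True` usage before release.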

Key dates

Disclosure timeline

November 21, 2024 CVE published
November 21, 2024 Record updated
