{"data":{"id":"2327ce42-34a8-41cd-bbc2-2434a341a144","title":"CVE-2025-61784: LLaMA-Factory is a tuning library for large language models. Prior to version 0.9.4, a Server-Side Request Forgery (SSRF","summary":"LLaMA-Factory, a library for customizing large language models, has a vulnerability in versions before 0.9.4 that allows authenticated users to exploit SSRF (server-side request forgery, where the server is tricked into making requests to unintended destinations) and LFI (local file inclusion, where attackers can read files directly from the server) by providing malicious URLs to the chat API. The vulnerability exists because the code doesn't validate URLs before making HTTP requests, allowing attackers to access sensitive internal services or read arbitrary files from the server.","solution":"Update to version 0.9.4 or later, which fixes the underlying issue.","labels":["security"],"sourceUrl":"https://nvd.nist.gov/vuln/detail/CVE-2025-61784","publishedAt":"2025-10-07T19:15:39.133Z","cveId":"CVE-2025-61784","cweIds":["CWE-22","CWE-918","CWE-918"],"cvssScore":"7.6","cvssSeverity":"high","severity":"high","attackType":["supply_chain"],"issueType":"vulnerability","affectedPackages":null,"affectedVendors":["LangChain"],"affectedVendorsRaw":["LLaMA-Factory"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0.00043,"patchAvailable":null,"disclosureDate":null,"capecIds":["CAPEC-126","CAPEC-664"],"crossRefCount":0,"attackSophistication":"moderate","impactType":["confidentiality","integrity"],"aiComponentTargeted":"framework","llmSpecific":true,"classifierConfidence":0.95,"researchCategory":null,"atlasIds":null}}