{"data":{"id":"256e76b2-6993-498d-a02c-7eeeb3fbb97c","title":"CVE-2025-46567: LLama Factory enables fine-tuning of large language models. Prior to version 1.0.0, a critical vulnerability exists in t","summary":"CVE-2025-46567 is a critical vulnerability in LLaMA-Factory (a tool for fine-tuning large language models) that exists before version 1.0.0. The vulnerability is in the `llamafy_baichuan2.py` script, which unsafely loads user-supplied files using `torch.load()` (a function that deserializes, or reconstructs, Python objects from saved data), allowing attackers to execute arbitrary commands by crafting a malicious file.","solution":"This issue has been patched in version 1.0.0. Users should upgrade to version 1.0.0 or later. A patch is available at: https://github.com/hiyouga/LLaMA-Factory/commit/2989d39239d2f46e584c1e1180ba46b9768afb2a","labels":["security"],"sourceUrl":"https://nvd.nist.gov/vuln/detail/CVE-2025-46567","publishedAt":"2025-05-01T18:15:58.117Z","cveId":"CVE-2025-46567","cweIds":["CWE-502"],"cvssScore":"6.1","cvssSeverity":"medium","severity":"medium","attackType":["model_poisoning"],"issueType":"vulnerability","affectedPackages":null,"affectedVendors":["HuggingFace"],"affectedVendorsRaw":["LLaMA-Factory","Baichuan2"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0.00232,"patchAvailable":null,"disclosureDate":null,"capecIds":["CAPEC-586"],"crossRefCount":0,"attackSophistication":"moderate","impactType":["integrity","availability"],"aiComponentTargeted":"framework","llmSpecific":true,"classifierConfidence":0.92,"researchCategory":null,"atlasIds":null}}