CVE-2024-34359: llama-cpp-python is the Python bindings for llama.cpp. `llama-cpp-python` depends on class `Llama` in `llama.py` to load
criticalvulnerabilityLLM-Specific
security
Summary
llama-cpp-python (Python bindings for llama.cpp, a tool for running AI models locally) has a vulnerability where it loads chat templates from model files without proper security checks. When these templates are processed using Jinja2 (a templating engine), an attacker can inject malicious code through a specially crafted model file, leading to remote code execution (the ability to run arbitrary commands on the victim's computer).
Vulnerability Details
CVSS Score
9.6(critical)
EPSS (30-day exploit probability)
EPSS: 59.2%
Classification
Attack Type
Supply Chain
Attack SophisticationModerate
Impact (CIA+S)
integrityconfidentiality
Taxonomy References
CWE (Weakness Type)
Affected Vendors
HuggingFace
Related Issues
Original source: https://nvd.nist.gov/vuln/detail/CVE-2024-34359
First tracked: February 15, 2026 at 08:53 PM
Classified by LLM (prompt v3) · confidence: 95%