LLama Factory Remote OS Command Injection Vulnerability
Description
A critical OS command injection in LLaMA Factory ≤0.9.0 allows unauthenticated remote attackers to execute arbitrary commands via unsanitized user input in the training process.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A critical OS command injection in LLaMA Factory ≤0.9.0 allows unauthenticated remote attackers to execute arbitrary commands via unsanitized user input in the training process.
Root
Cause
LLaMA Factory versions 0.9.0 and earlier contain a critical remote OS command injection vulnerability in the training process. The root cause is the insecure use of Python's Popen function with shell=True combined with unsanitized user input. Specifically, the output_dir value, derived directly from user-provided data, is passed into a command string executed by Popen. This allows an attacker to inject arbitrary OS commands by crafting malicious input [1][4].
Attack
Vector
The vulnerability can be exploited remotely without authentication. The proof-of-concept script demonstrates sending a specially crafted request to the target server's web interface (typically running on port 7861). The attacker only needs network access to the LLaMA Factory instance and can inject commands via the training parameters [2][4].
Impact
Successful exploitation enables arbitrary OS command execution on the host system. An attacker can execute any command, potentially compromising sensitive data, escalating privileges, deploying malware, or creating persistent backdoors. This poses a significant risk of data breaches and operational disruption [3][4].
Mitigation
The vulnerability is fixed in LLaMA Factory version 0.9.1. Users are strongly advised to upgrade immediately. The fix involves sanitizing user input and avoiding the use of shell=True in the Popen call [1][3].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
llamafactoryPyPI | < 0.9.1 | 0.9.1 |
Affected products
2- hiyouga/LLaMA-Factoryv5Range: < 0.9.1
Patches
1b3aa80d54a67Merge commit from fork
1 file changed · +1 −1
src/llamafactory/webui/runner.py+1 −1 modified@@ -320,7 +320,7 @@ def _launch(self, data: Dict["Component", Any], do_train: bool) -> Generator[Dic if args.get("deepspeed", None) is not None: env["FORCE_TORCHRUN"] = "1" - self.trainer = Popen(f"llamafactory-cli train {save_cmd(args)}", env=env, shell=True) + self.trainer = Popen(["llamafactory-cli", "train", save_cmd(args)], env=env) yield from self.monitor() def _form_config_dict(self, data: Dict["Component", Any]) -> Dict[str, Any]:
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
5- github.com/advisories/GHSA-hj3w-wrh4-44vpghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2024-52803ghsaADVISORY
- gist.github.com/superboy-zjc/f2d2b93ae511c445ba97e144b70e534dghsax_refsource_MISCWEB
- github.com/hiyouga/LLaMA-Factory/commit/b3aa80d54a67da45e9e237e349486fb9c162b2acghsax_refsource_MISCWEB
- github.com/hiyouga/LLaMA-Factory/security/advisories/GHSA-hj3w-wrh4-44vpghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.