LLaMA-Factory Allows Arbitrary Code Execution via Unsafe Deserialization in llamafy_baichuan2.py
Description
An insecure deserialization vulnerability via torch.load() in LLaMA-Factory's llamafy_baichuan2.py allows arbitrary command execution before version 1.0.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Overview
A critical vulnerability (CVE-2025-46567) exists in the LLaMA-Factory project prior to version 1.0.0, specifically in the llamafy_baichuan2.py script. The script uses torch.load() to deserialize user-supplied .bin files from an input directory without proper validation, leading to insecure deserialization [1][2][3].
Exploitation
An attacker can craft a malicious .bin file that, when loaded by torch.load(), executes arbitrary commands during the deserialization process. The exploit is triggered without authentication or elevated privileges; a user only needs to run the conversion script with the attacker-controlled --input_dir argument, for example by downloading a malicious project folder or cloning a repository containing a crafted .bin file and a config.json [3]. A proof-of-concept demonstrates using a __reduce__ method to execute system commands like mkdir HACKED! [3].
Impact
Successful exploitation results in arbitrary code execution (RCE), which can lead to full system compromise. In shared compute environments, this could enable persistence or lateral movement [3]. The vulnerable line of code is at llamafy_baichuan2.py line 35, where torch.load() is called without additional security measures [4].
Mitigation
The vulnerability has been patched in version 1.0.0 of LLaMA-Factory. Users are strongly advised to update to the latest version. As a temporary workaround, avoid running the llamafy_baichuan2.py script on untrusted .bin files or input directories [1][2][3].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
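A defender-side check for the kind of file this advisory is about, added here as an example; it is not code from LLaMA-Factory or from the advisory. It walks the opcode stream of a checkpoint pickle with the standard library's pickletools and reports every module/name the stream would import, without unpickling anything. That is the same property the patched call relies on: torch.load(weights_only=True) refuses any global outside a tensor-only set. The ALLOWED_GLOBALS set below is an assumption modelled on that set, the sample inputs are constructed inline (an OrderedDict stands in for a state_dict, since torch is not imported), and both a raw pickle (legacy .bin) and the zip container torch.save writes (data.pkl member) are handled.

```python
import io
import pickle
import pickletools
import zipfile
from collections import OrderedDict
from fractions import Fraction

# Assumption: a conservative allowlist of the globals a plain tensor
# state_dict needs, modelled on what torch.load(weights_only=True) permits.
# Extend it deliberately; anything outside it is reported, never executed.
ALLOWED_GLOBALS = {
    ("collections", "OrderedDict"),
    ("torch._utils", "_rebuild_tensor_v2"),
    ("torch", "FloatStorage"),
    ("torch", "HalfStorage"),
    ("torch", "BFloat16Storage"),
    ("torch", "LongStorage"),
}

STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING",
              "UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}
GET_OPS = {"GET", "BINGET", "LONG_BINGET"}
PUT_OPS = {"PUT", "BINPUT", "LONG_BINPUT"}


def referenced_globals(pkl: bytes) -> set[tuple[str, str]]:
    """Every (module, name) the pickle would import, found by a static opcode walk.

    Nothing is unpickled. The walk tracks only what it needs to resolve
    STACK_GLOBAL (protocol 4+): the last two values pushed and the memo, so a
    module name reused through BINGET is still resolved.
    """
    found: set[tuple[str, str]] = set()
    memo: dict = {}
    recent: list = []  # last two pushed values; None = not a string
    for op, arg, _pos in pickletools.genops(pkl):
        name = op.name
        if name in ("GLOBAL", "INST"):
            module, attr = arg.split(" ", 1)  # pickletools joins the pair with a space
            found.add((module, attr))
            recent.append(None)
        elif name == "STACK_GLOBAL":
            if len(recent) < 2 or None in recent[-2:]:
                raise ValueError("cannot resolve STACK_GLOBAL operands statically")
            found.add((recent[-2], recent[-1]))
            recent.append(None)
        elif name in STRING_OPS:
            recent.append(arg)
        elif name in GET_OPS:
            recent.append(memo.get(arg))
        elif name == "MEMOIZE":
            memo[len(memo)] = recent[-1] if recent else None
        elif name in PUT_OPS:
            memo[arg] = recent[-1] if recent else None
        elif op.stack_after:
            recent.append(None)  # some other object reached the stack top
        recent = recent[-2:]
    return found


def checkpoint_pickles(data: bytes) -> list[bytes]:
    """Return the pickle stream(s) inside a checkpoint blob.

    torch.save writes a zip whose data.pkl member holds the pickle; a legacy
    .bin may be a raw pickle. Both forms are handled without importing torch.
    """
    buf = io.BytesIO(data)
    if not zipfile.is_zipfile(buf):
        return [data]
    with zipfile.ZipFile(buf) as zf:
        return [zf.read(n) for n in zf.namelist() if n.endswith(".pkl")]


def unexpected_globals(data: bytes) -> list[tuple[str, str]]:
    """Globals outside ALLOWED_GLOBALS; an empty list means a tensor-only pickle."""
    bad: set[tuple[str, str]] = set()
    for pkl in checkpoint_pickles(data):
        bad |= referenced_globals(pkl) - ALLOWED_GLOBALS
    return sorted(bad)


def demo() -> dict:
    # Constructed samples: a tensor-free stand-in for a state_dict, the same
    # in the older GLOBAL-opcode form, and a zipped checkpoint whose pickle
    # drags in a class that weights_only=True would refuse.
    benign = pickle.dumps(OrderedDict(w=[1.0, 2.0]), protocol=4)
    legacy = pickle.dumps(OrderedDict(w=[1.0, 2.0]), protocol=2)
    odd = pickle.dumps({"w": Fraction(1, 3)}, protocol=4)
    zipped = io.BytesIO()
    with zipfile.ZipFile(zipped, "w") as zf:
        zf.writestr("archive/data.pkl", odd)
    return {
        "benign": unexpected_globals(benign),
        "legacy": unexpected_globals(legacy),
        "zipped_odd": unexpected_globals(zipped.getvalue()),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, "OK" if not result else f"unexpected globals: {result}")
```

Run it on a downloaded directory before the conversion script ever touches it (`unexpected_globals(open(path, "rb").read())` per `*.bin`), and treat any non-empty result as a reason not to load the file. The scanner is a triage tool, not a replacement for the patched `weights_only=True` call: the allowlist has to be kept in step with the tensor types your checkpoints actually use, and a stream the walker cannot resolve statically is reported as an error rather than silently passed.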
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| llamafactory (PyPI) | < 0.9.3 | 0.9.3 |
Affected products
- hiyouga/LLaMA-Factory, range: < 1.0.0
Patches
- 2989d39239d2: Merge commit from fork
1 file changed · +1 −1
scripts/convert_ckpt/llamafy_baichuan2.py+1 −1 modified@@ -32,7 +32,7 @@ def save_weight(input_dir: str, output_dir: str, shard_size: str, save_safetenso baichuan2_state_dict: dict[str, torch.Tensor] = OrderedDict() for filepath in tqdm(os.listdir(input_dir), desc="Load weights"): if os.path.isfile(os.path.join(input_dir, filepath)) and filepath.endswith(".bin"): - shard_weight = torch.load(os.path.join(input_dir, filepath), map_location="cpu") + shard_weight = torch.load(os.path.join(input_dir, filepath), map_location="cpu", weights_only=True) baichuan2_state_dict.update(shard_weight) llama_state_dict: dict[str, torch.Tensor] = OrderedDict()
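Review bot: the `+` line's `weights_only=True` is the right fix, but the keyword only exists in PyTorch 1.13 and later and nothing in this one-line diff raises the project's minimum torch version, so on an older torch the call now fails with a TypeError instead of loading; that is fail-closed, which is acceptable, but the version requirement and the reason for it should be stated in the changelog or the script's docstring. The surrounding loop is unchanged and still loads every `*.bin` under `--input_dir`, so the restriction on what the unpickler may construct is the only thing standing between an attacker-supplied directory and code execution; a comment at the call site saying that the argument must not be dropped would make the intent survive future refactors.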
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-f2f7-gj54-6vpv (advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-46567 (advisory)
- github.com/hiyouga/LLaMA-Factory/blob/main/scripts/convert_ckpt/llamafy_baichuan2.py (web)
- github.com/hiyouga/LLaMA-Factory/commit/2989d39239d2f46e584c1e1180ba46b9768afb2a (web)
- github.com/hiyouga/LLaMA-Factory/security/advisories/GHSA-f2f7-gj54-6vpv (web)