LLaMA-Factory Remote Code Execution (RCE) Vulnerability
Description
A remote code execution vulnerability in LLaMA-Factory ≤0.9.3 allows attackers to run arbitrary code via a malicious checkpoint path in the WebUI due to unsafe torch.load() usage.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability Description
LLaMA-Factory, a library for fine-tuning large language models, contains a remote code execution (RCE) vulnerability in versions up to and including 0.9.3. The root cause is that the value-head checkpoint (value_head.bin, resolved to vhead_file) is loaded with torch.load() without weights_only=True. On PyTorch versions <2.6 that argument defaults to False, so the load is a full pickle deserialization, and a crafted checkpoint executes arbitrary code while it is being loaded [2][3].
Exploitation
An attacker can exploit this vulnerability through the WebUI by supplying a malicious Hugging Face repository path as the Checkpoint path parameter during the Reward Modeling training stage. The parameter is passed to the training process, which fetches value_head.bin from the attacker's repository; that file is a crafted PyTorch pickle whose deserialization executes arbitrary code [3]. No authentication is required beyond access to the WebUI.
Impact
Successful exploitation allows the attacker to execute arbitrary code on the host system running LLaMA-Factory. This can lead to full compromise of the training environment, data exfiltration, or further lateral movement. The attack is stealthy as the victim may not notice the malicious activity [2].
Mitigation
The vulnerability is fixed in LLaMA-Factory version 0.9.4, which adds weights_only=True to both torch.load() calls [4]; the fix is commit bb7bf51 [4]. Users are strongly advised to upgrade immediately. No workaround is documented for versions ≤0.9.3. Note that PyTorch 2.6 changed the default of weights_only to True, so the unpatched call performs a full pickle load only on PyTorch <2.6; relying on that default is not a substitute for upgrading LLaMA-Factory, since the restriction then depends on the installed PyTorch rather than on the code. Where the value head can be stored as safetensors (the format the patched callback handles in its other branch), pickle is not involved at all.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
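The mechanism behind the Vulnerability Description, the Exploitation path and the weights_only=True fix, as an added example that is not LLaMA-Factory's or PyTorch's own code: the standard pickle module stands in for torch.load (PyTorch checkpoints are pickles, and torch.load(weights_only=True) uses a restricted unpickler), plain lists stand in for tensors, the "payload" only sets an environment variable named LLAMAFACTORY_DEMO_MARKER instead of running a shell command, and the allow-list in RestrictedUnpickler is illustrative. The list_globals helper goes a step beyond the page and shows how to enumerate the globals a downloaded value_head.bin would import before loading it at all.

```python
import io
import os
import pickle
import pickletools
from collections import OrderedDict

# Benign side effect used in place of a real payload (assumption for the demo).
MARKER = "LLAMAFACTORY_DEMO_MARKER"


class _Payload:
    """Pickles to `exec(<code>)`: deserializing the object runs the code, no tensors involved."""

    def __reduce__(self):
        # A real value_head.bin payload would call os.system or open a reverse shell here.
        return (exec, (f"import os; os.environ['{MARKER}'] = '1'",))


def build_malicious_checkpoint() -> bytes:
    """Constructed sample of what an attacker would publish as value_head.bin."""
    return pickle.dumps(_Payload())


def build_benign_checkpoint() -> bytes:
    """Constructed sample of a legitimate value-head state dict; lists stand in for tensors."""
    state = OrderedDict([("v_head.summary.weight", [0.1, 0.2]),
                         ("v_head.summary.bias", [0.0])])
    return pickle.dumps(state)


def unsafe_load(data: bytes):
    """What torch.load(path, map_location="cpu") amounts to on PyTorch < 2.6: a full unpickle."""
    return pickle.loads(data)


class RestrictedUnpickler(pickle.Unpickler):
    """Only resolve globals a state dict legitimately needs (the idea behind weights_only=True).

    The allow-list is illustrative; torch's own restricted unpickler admits tensor
    rebuild helpers, dtypes and storages, which this demo does not need.
    """

    ALLOWED = {("collections", "OrderedDict")}

    def find_class(self, module: str, name: str):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global '{module}.{name}' is forbidden in a checkpoint")


def restricted_load(data: bytes):
    """Stand-in for torch.load(..., weights_only=True)."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def is_rejected(data: bytes) -> bool:
    """True when the restricted loader refuses the checkpoint before any REDUCE runs."""
    try:
        restricted_load(data)
    except pickle.UnpicklingError:
        return True
    return False


def list_globals(data: bytes) -> list:
    """Enumerate every module.name the pickle would import, without executing it.

    GLOBAL (protocol <= 3) carries "module name" in one operand; STACK_GLOBAL (protocol 4+)
    takes the two strings pushed just before it, so the recent string operands are tracked.
    """
    found, strings = [], []
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "GLOBAL":
            module, name = arg.split(" ", 1)
            found.append((module, name))
        elif op.name == "STACK_GLOBAL":
            # Memoized operands arrive as BINGET rather than a string; flag those as unknown.
            found.append(tuple(strings[-2:]) if len(strings) >= 2 else ("?", "?"))
        elif op.name in ("SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE"):
            strings.append(arg)
    return found


def marker_set() -> bool:
    """Did the payload run in this process?"""
    return os.environ.get(MARKER) == "1"


if __name__ == "__main__":
    mal, ben = build_malicious_checkpoint(), build_benign_checkpoint()
    print("globals in benign   :", list_globals(ben))
    print("globals in malicious:", list_globals(mal))
    print("restricted rejects malicious:", is_rejected(mal))
    print("restricted loads benign     :", list(restricted_load(ben)))
    unsafe_load(mal)
    print("payload ran under unsafe load:", marker_set())
```

The restricted loader stops at the STACK_GLOBAL opcode, before the REDUCE that would call exec, which is why weights_only=True blocks the payload rather than merely discarding its result. list_globals is the triage step to run on any checkpoint pulled from a third-party repository: anything outside collections, torch and torch._utils in its output is a reason not to load the file with any loader.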
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| llamafactory (PyPI) | <= 0.9.3 | — |
Affected products
- hiyouga/LLaMA-Factory: < 0.9.4
Patches
- bb7bf51554d4: Merge commit from fork
2 files changed · +2 −2
src/llamafactory/model/model_utils/valuehead.py+1 −1 modified@@ -49,7 +49,7 @@ def load_valuehead_params(path_or_repo_id: str, model_args: "ModelArguments") -> try: vhead_file = cached_file(filename=V_HEAD_WEIGHTS_NAME, **kwargs) - return torch.load(vhead_file, map_location="cpu") + return torch.load(vhead_file, map_location="cpu", weights_only=True) except Exception as err: err_text = str(err)
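Review bot: the broad `except Exception as err` directly below the changed `return torch.load(vhead_file, map_location="cpu", weights_only=True)` now also catches the unpickling error raised when the restricted loader rejects a checkpoint, so a rejected (possibly malicious) value_head.bin takes the same fallback path as a file that is simply absent. Consider handling the rejection separately and failing loudly, so an operator can tell "checkpoint refused for containing forbidden globals" from "no value head found", and add a one-line comment stating that `weights_only=True` is what keeps a hostile repository's value_head.bin from executing code.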
src/llamafactory/train/callbacks.py+1 −1 modified@@ -76,7 +76,7 @@ def fix_valuehead_checkpoint( state_dict: dict[str, torch.Tensor] = {key: f.get_tensor(key) for key in f.keys()} else: path_to_checkpoint = os.path.join(output_dir, WEIGHTS_NAME) - state_dict: dict[str, torch.Tensor] = torch.load(path_to_checkpoint, map_location="cpu") + state_dict: dict[str, torch.Tensor] = torch.load(path_to_checkpoint, map_location="cpu", weights_only=True) os.remove(path_to_checkpoint) decoder_state_dict, v_head_state_dict = {}, {}
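Review bot: the `os.remove(path_to_checkpoint)` after the changed `torch.load(path_to_checkpoint, map_location="cpu", weights_only=True)` is skipped if the restricted load now raises, so a rejected pickle stays in `output_dir` with no message. This branch reads a file the trainer itself wrote under `WEIGHTS_NAME`, so it is defense in depth rather than the WebUI entry point, but it is still worth wrapping the load so a rejected file is reported and either quarantined or deleted deliberately, and a comment noting that the `f.get_tensor(key)` branch above never invokes pickle and is the preferred format.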
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. github.com/advisories/GHSA-xj56-p8mm-qmxj (GHSA advisory)
2. nvd.nist.gov/vuln/detail/CVE-2025-53002 (NVD entry)
3. drive.google.com/file/d/1AddKm2mllsXfuvL4Tvbn_WJdjEOYXx4y/view (MITRE, misc reference)
4. github.com/hiyouga/LLaMA-Factory/commit/bb7bf51554d4ba8432333c35a5e3b52705955ede (fix commit)
5. github.com/hiyouga/LLaMA-Factory/security/advisories/GHSA-xj56-p8mm-qmxj (vendor security advisory)