cbcvebase.

Hiyouga Llama-Factory vulnerabilities

4 known vulnerabilities affecting hiyouga/llama-factory.

Total CVEs
4
CISA KEV
0
Public exploits
0
Exploited in wild
0
Severity breakdown
CRITICAL2HIGH2

Vulnerabilities

Page 1 of 1
CVE-2024-52803P2CRITICALCVSS 9.8fixed in 0.9.12024-11-21
CVE-2024-52803 [CRITICAL] CWE-79 CVE-2024-52803: LLama Factory enables fine-tuning of large language models. A critical remote OS command injection v LLama Factory enables fine-tuning of large language models. A critical remote OS command injection vulnerability has been identified in the LLama Factory training process. This vulnerability arises from improper handling of user input, allowing malicious actors to execute arbitrary OS commands on the host system. The issue is caused by insecure usa
nvd
CVE-2025-53002P2CRITICALCVSS 9.8fixed in 0.9.42025-06-26
CVE-2025-53002 [CRITICAL] CWE-94 CVE-2025-53002: LLaMA-Factory is a tuning library for large language models. A remote code execution vulnerability w LLaMA-Factory is a tuning library for large language models. A remote code execution vulnerability was discovered in LLaMA-Factory versions up to and including 0.9.3 during the LLaMA-Factory training process. This vulnerability arises because the `vhead_file` is loaded without proper safeguards, allowing malicious attackers to execute arbitrary mal
nvd
CVE-2025-61784P3HIGHCVSS 8.1fixed in 0.9.42025-10-07
CVE-2025-61784 [HIGH] CWE-22 CVE-2025-61784: LLaMA-Factory is a tuning library for large language models. Prior to version 0.9.4, a Server-Side R LLaMA-Factory is a tuning library for large language models. Prior to version 0.9.4, a Server-Side Request Forgery (SSRF) vulnerability in the chat API allows any authenticated user to force the server to make arbitrary HTTP requests to internal and external networks. This can lead to the exposure of sensitive internal services, reconnaissance of the i
nvd
CVE-2025-46567P3HIGHCVSS 7.8fixed in 1.0.02025-05-01
CVE-2025-46567 [HIGH] CWE-502 CVE-2025-46567: LLama Factory enables fine-tuning of large language models. Prior to version 1.0.0, a critical vulne LLama Factory enables fine-tuning of large language models. Prior to version 1.0.0, a critical vulnerability exists in the `llamafy_baichuan2.py` script of the LLaMA-Factory project. The script performs insecure deserialization using `torch.load()` on user-supplied `.bin` files from an input directory. An attacker can exploit this behavior by crafting
nvd
Hiyouga Llama-Factory vulnerabilities | cvebase