CVE-2025-46567 – LLaMA Factory Deserialization Command Execution Vulnerability

May 1, 2025

CVE ID : CVE-2025-46567

Published : May 1, 2025, 6:15 p.m. | 1 hour, 11 minutes ago

Description : LLama Factory enables fine-tuning of large language models. Prior to version 1.0.0, a critical vulnerability exists in the `llamafy_baichuan2.py` script of the LLaMA-Factory project. The script performs insecure deserialization using `torch.load()` on user-supplied `.bin` files from an input directory. An attacker can exploit this behavior by crafting a malicious `.bin` file that executes arbitrary commands during deserialization. This issue has been patched in version 1.0.0.

Severity: 6.1 | MEDIUM

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

Source: Read More

Previous ArticleCVE-2025-46568 – Stirling-PDF SSRF-Induced Arbitrary File Read Vulnerability

Next Article CVE-2025-46566 – DataEase Remote Code Execution Vulnerability

Upwork Freelancers vs Dedicated React.js Teams: What’s Better for Your Project in 2025?

Is Agile dead in the age of AI?

Top 15 Enterprise Use Cases That Justify Hiring Node.js Developers in 2025

The Core Model: Start FROM The Answer, Not WITH The Solution

Finally, a sleek gaming laptop I can take to the office (without sacrificing power)

These jobs face the highest risk of AI takeover, according to Microsoft

Apple’s tariff costs and iPhone sales are soaring – how long until device prices are too?

5 ways to successfully integrate AI agents into your workplace

Enhancing Laravel Queries with Reusable Scope Patterns

Enhancing Laravel Queries with Reusable Scope Patterns

Everything We Know About Livewire 4

Everything We Know About Livewire 4

YouTube wants to use AI to treat “teens as teens and adults as adults” — with the most age-appropriate experiences and protections

YouTube wants to use AI to treat “teens as teens and adults as adults” — with the most age-appropriate experiences and protections

Sam Altman is afraid of OpenAI’s GPT-5 creation — “The Manhattan Project feels very fast, like there are no adults in the room”

9 new features that arrived on the Windows 11 Insider Program during the second half of July 2025

CVE-2025-46567 – LLaMA Factory Deserialization Command Execution Vulnerability

This month in security with Tony Anscombe – July 2025 edition

WordPress AI Engine Plugin Bug Allows Remote Code Execution – Update Now

Rogue WordPress Plugin Unmasked: Stealthy Malware Skims Credit Cards & Steals Credentials

First signs of dedicated Xbox interface for Windows 11 PCs spotted in latest preview

The Ultimate Guide to AI Dev Tools in 2025

T* and LV-Haystack: A Spatially-Guided Temporal Search Framework for Efficient Long-Form Video Understanding

CVE-2025-49809 – MTR Sudo Execution Hijacking Vulnerability

CVE-2025-5671 – TOTOLINK N302R Plus HTTP POST Request Handler Buffer Overflow Vulnerability

Your Google Pixel just got a big Android 15 update – including a critical security fix

Avoiding Metadata Contention in Unity Catalog

CVE-2025-46567 – LLaMA Factory Deserialization Command Execution Vulnerability

Related Posts