PT-2024-33890 · Python · Pickle

Published

2024-10-09

·

Updated

2026-04-08

·

CVE-2024-50050

CVSS v2.0

6.5

Medium

Vector

AV:N/AC:L/Au:S/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions

Llama Stack versions prior to revision 7a8aa775e5a267cf8660d83140011a0b7f91e005; Meta Llama Framework (affected versions not specified)

Description

Llama Stack, prior to revision 7a8aa775e5a267cf8660d83140011a0b7f91e005, used Pickle as the serialization format for socket communication, which allowed potential remote code execution. The communication method has since been changed to JSON. The issue is actively exploited and affects AI model hosting and system security. The flaw lies in the recv_pyobj function, which deserializes data received over the socket with Pickle, so an attacker who can send data to that socket can execute arbitrary code on the server. The vulnerability is also present in other projects that reuse this code.

Recommendations

Update Llama Stack to revision 7a8aa775e5a267cf8660d83140011a0b7f91e005 or later. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
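The before/after pattern the description refers to, as an added illustration rather than Llama Stack's own code: a recv_pyobj-style receive that unpickles whatever bytes the peer sent, the JSON-based replacement, and a receive-side guard that rejects pickle frames before parsing. The sample message, the size limit and the top-level shape check are assumptions made for this example.

```python
import json
import pickle

# Constructed sample request; not a real Llama Stack message.
SAMPLE_MSG = {"task": "generate", "prompt": "hello", "max_tokens": 16}
SAMPLE_PICKLE_FRAME = pickle.dumps(SAMPLE_MSG)               # what a recv_pyobj() peer sends
SAMPLE_JSON_FRAME = json.dumps(SAMPLE_MSG).encode("utf-8")   # what the JSON replacement expects


def recv_pyobj_vulnerable(frame: bytes):
    """Before the fix: mirrors what a recv_pyobj()-style receive does.

    pickle.loads() executes the opcode stream the peer sent, and that stream
    may instruct the loader to import modules and call callables, so whoever
    can write to the socket decides what runs here.
    """
    return pickle.loads(frame)


def recv_json(frame: bytes, max_bytes: int = 1 << 20) -> dict:
    """After the fix: JSON is a data-only format, so parsing never constructs
    arbitrary Python objects. The size limit and dict check are assumptions
    added here, not part of the upstream change."""
    if len(frame) > max_bytes:
        raise ValueError("frame exceeds %d bytes" % max_bytes)
    obj = json.loads(frame.decode("utf-8"))   # non-UTF-8 bytes raise UnicodeDecodeError (a ValueError)
    if not isinstance(obj, dict):
        raise ValueError("expected a JSON object at top level")
    return obj


def looks_like_pickle(frame: bytes) -> bool:
    """Detection aid for captured traffic or a receive-side guard: protocol 2+
    pickles start with the PROTO opcode (0x80) followed by a version byte, and
    every pickle stream ends with the STOP opcode (b'.')."""
    return (len(frame) >= 3
            and frame[0] == 0x80
            and 2 <= frame[1] <= pickle.HIGHEST_PROTOCOL
            and frame[-1:] == b".")


def recv_json_only(frame: bytes) -> dict:
    """Receive path that refuses pickle-encoded frames outright, then parses JSON."""
    if looks_like_pickle(frame):
        raise ValueError("refusing pickle-encoded frame")
    return recv_json(frame)
```

On a live service the `looks_like_pickle` check is only a tripwire for logging; the real fix is that no code path calls `pickle.loads` on socket data at all.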

Weakness Enumeration

Deserialization of Untrusted Data

Related Identifiers

BDU:2025-02551
CVE-2024-50050

Affected Products

Pickle