PT-2024-35454 · Unknown · Llama Factory

Superboy-Zjc · Published 2024-11-21 · Updated 2025-08-27

CVE-2024-52803

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Llama Factory versions <=0.9.0

Description: A critical remote OS command injection vulnerability has been identified in the Llama Factory training process. It arises from improper handling of user input: the training command is launched through Popen with shell=True, and unsanitized user-controlled values are interpolated into that command string, so an attacker can execute arbitrary OS commands on the host system. Successful exploitation allows an attacker to execute arbitrary OS commands on the server, potentially compromise sensitive data or escalate privileges, and deploy malware or create persistent backdoors, significantly increasing the risk of data breaches and operational disruption.

Recommendations: For versions <=0.9.0, avoid using shell=True in Popen. Instead, pass the command and its arguments as a list, so that user input reaches the child process as a single argument and is never parsed by a shell. Update to version 0.9.1, which includes the fix for this vulnerability. As a temporary workaround, consider restricting the usage of the Popen function with shell=True until the update can be applied.
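The following added example (not the project's own code) contrasts the two patterns the recommendation describes: a command string built by interpolation for Popen(..., shell=True), and the same launch expressed as an argument list with no shell. The model name, the training-script invocation and the allowlist pattern are all constructed for illustration; the hardened launcher runs a small Python one-liner in place of a real training script so that it can be executed offline and show that a value containing shell metacharacters arrives as one literal argument.

```python
import re
import subprocess
import sys

# Constructed input: a model name carrying shell metacharacters. Under
# shell=True a shell would split it into two commands; as a list element
# it reaches the child process as one literal string.
UNTRUSTED_MODEL_NAME = "llama-7b; echo INJECTED"

# Assumed input policy (not the project's): path-style identifiers only,
# no whitespace and no shell metacharacters.
MODEL_NAME_PATTERN = re.compile(r"^[A-Za-z0-9._/-]{1,128}$")


def build_command_unsafe(model_name: str) -> str:
    """The vulnerable pattern, shown generically: a command string built by
    interpolation and intended for Popen(..., shell=True). It is returned,
    never executed here, so the caller can see that the ';' survives intact
    for a shell to interpret."""
    return f"python train.py --model_name_or_path {model_name}"


def validate_model_name(model_name: str) -> str:
    """Defence in depth: reject anything outside the allowlisted character
    set before it reaches a subprocess, whatever launch method is used."""
    if not MODEL_NAME_PATTERN.match(model_name):
        raise ValueError(f"rejected model name: {model_name!r}")
    return model_name


def run_child_safely(model_name: str) -> str:
    """The hardened pattern: an argument list and no shell. A Python
    one-liner stands in for the training script and prints its argv[1],
    so the caller can confirm the name arrived as a single argument."""
    argv = [
        sys.executable,
        "-c",
        "import sys; print(sys.argv[1])",
        model_name,
    ]
    completed = subprocess.run(argv, capture_output=True, text=True, check=True)
    return completed.stdout.rstrip("\n")


if __name__ == "__main__":
    print("string a shell would parse:", build_command_unsafe(UNTRUSTED_MODEL_NAME))
    print("argument seen by the child:", run_child_safely(UNTRUSTED_MODEL_NAME))
    try:
        validate_model_name(UNTRUSTED_MODEL_NAME)
    except ValueError as exc:
        print("allowlist check:", exc)
```

The list form removes the shell from the path entirely, which is the actual fix; the allowlist check is an independent layer that also blocks the value from reaching any later shell-based tooling (logging hooks, wrapper scripts) that the training process may invoke.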

Tags: Exploit · Fix · XSS · OS Command Injection


Weakness Enumeration

Related Identifiers

CVE-2024-52803
GHSA-HJ3W-WRH4-44VP

Affected Products

Llama Factory