PT-2026-39639 · Unknown · Flash-Attention

Published: 2026-05-11 · Updated: 2026-05-11 · CVE-2026-31254

CVSS v3.1: 7.3 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions

flash-attention versions prior to commit e724e2588cbe754beb97cf7c011b5e7e34119e62

Description

A code injection issue exists in the training script. The script registers the Python eval() function as a Hydra configuration resolver named eval, which allows configuration files to execute arbitrary Python code using the ${eval:...} syntax. An attacker can achieve arbitrary code execution by providing a malicious configuration file that is then processed by the training script.

Recommendations

Update to a version beyond commit e724e2588cbe754beb97cf7c011b5e7e34119e62.

Fix

Eval Injection

Weakness Enumeration

Related Identifiers

CVE-2026-31254

Affected Products

Flash-Attention