Critical Security Flaw Identified in Meta’s Llama Framework, Exposing AI Systems to Potential Remote Code Execution
January 26, 2025
A critical security flaw, designated as CVE-2024-50050, has been uncovered in Meta's Llama large language model (LLM) framework. If exploited, this vulnerability could let an attacker run arbitrary code on the llama-stack inference server. This flaw has been rated with a CVSS score of 6.3 out of 10. Snyk, a supply chain security company, has given it a more severe rating of 9.3.
Oligo Security researcher Avi Lumelsky highlighted that the affected versions of meta-llama are susceptible to the deserialization of untrusted data. This means an attacker could run arbitrary code by sending harmful data that is deserialized. The issue lies within a component known as Llama Stack, which provides a set of API interfaces for AI application development, including the use of Meta's own Llama models.
The problem specifically relates to a remote code execution flaw in the Python Inference API implementation. It was discovered that Python objects are automatically deserialized using pickle, a format considered risky because loading untrusted or malicious data with the pickle library can execute arbitrary code. Lumelsky explains, 'In scenarios where the ZeroMQ socket is exposed over the network, attackers could exploit this vulnerability by sending crafted malicious objects to the socket.'
Following responsible disclosure on September 24, 2024, Meta addressed the issue on October 10 in version 0.0.41. The issue has also been fixed in pyzmq, the Python library that provides access to the ZeroMQ messaging library. Meta issued an advisory stating that it had resolved the remote code execution risk linked to using pickle as a serialization format for socket communication by switching to the JSON format.
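To make the two halves of the story concrete, the following is an added example (not code from Meta, Llama Stack or pyzmq): a static check that disassembles a pickle stream with `pickletools` to flag opcodes that can import or call a callable, a restricted unpickler that refuses every global lookup so plain data still loads but object-constructing streams are rejected, and the JSON-based alternative the advisory describes, with shape validation after parsing. All function and class names, and the request schema (`prompt`, `max_tokens`), are assumptions made for this illustration; the sample messages are constructed inline.

```python
import collections
import io
import json
import pickle
import pickletools

# Pickle opcodes that import a callable or invoke one while loading. A stream that
# carries none of these can only build plain data (dicts, lists, strings, numbers).
CALLABLE_OPCODES = {"GLOBAL", "STACK_GLOBAL", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX", "REDUCE", "BUILD"}


def pickle_callable_opcodes(payload: bytes) -> list:
    """Statically list opcodes in a pickle stream that can reach a callable.

    pickletools.genops only disassembles; nothing in the stream is executed,
    so this is safe to run on bytes read from an untrusted socket.
    """
    return [op.name for op, _arg, _pos in pickletools.genops(payload) if op.name in CALLABLE_OPCODES]


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses every global lookup (hypothetical hardening, not the project's code)."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"refusing to import {module}.{name} from untrusted pickle")


def restricted_loads(payload: bytes):
    """Load a pickle stream, allowing only builtin data types to be constructed."""
    return RestrictedUnpickler(io.BytesIO(payload)).load()


def pickle_is_rejected(payload: bytes) -> bool:
    """True when the restricted unpickler refuses the stream."""
    try:
        restricted_loads(payload)
    except pickle.UnpicklingError:
        return True
    return False


def decode_json_request(raw: bytes) -> dict:
    """The JSON alternative: parse, then validate the shape before using any field.

    JSON can only express plain data, so decoding it never imports or calls code.
    The field names below are an assumed request schema for this example.
    """
    try:
        obj = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, ValueError) as exc:
        raise ValueError(f"malformed request: {exc}") from exc
    if not isinstance(obj, dict):
        raise ValueError("request must be a JSON object")
    if not isinstance(obj.get("prompt"), str):
        raise ValueError("'prompt' must be a string")
    max_tokens = obj.get("max_tokens")
    if not isinstance(max_tokens, int) or isinstance(max_tokens, bool) or max_tokens <= 0:
        raise ValueError("'max_tokens' must be a positive integer")
    return {"prompt": obj["prompt"], "max_tokens": max_tokens}


def json_request_is_valid(raw: bytes) -> bool:
    """True when the raw bytes decode to a well-formed request."""
    try:
        decode_json_request(raw)
    except ValueError:
        return False
    return True


# Constructed sample messages (not captured from any real deployment).
PLAIN_DATA_PICKLE = pickle.dumps({"prompt": "hello", "max_tokens": 8})
# A pickle that references a global: loading it requires importing a callable.
# OrderedDict is only a harmless stand-in for any object-constructing stream.
GLOBAL_REF_PICKLE = pickle.dumps(collections.OrderedDict(prompt="hello", max_tokens=8))
JSON_REQUEST = b'{"prompt": "hello", "max_tokens": 8}'
BAD_JSON_REQUEST = b'{"prompt": "hello", "max_tokens": "8"}'

if __name__ == "__main__":
    print("plain pickle callable opcodes:", pickle_callable_opcodes(PLAIN_DATA_PICKLE))
    print("global-ref pickle callable opcodes:", pickle_callable_opcodes(GLOBAL_REF_PICKLE))
    print("restricted loader rejects global-ref pickle:", pickle_is_rejected(GLOBAL_REF_PICKLE))
    print("decoded JSON request:", decode_json_request(JSON_REQUEST))
```

The opcode scan is useful as a detection signal on logged or captured traffic, since it never executes the stream; the restricted unpickler is a stopgap for code that cannot yet drop pickle; and the JSON path is the durable fix, because the format cannot express "import this and call it" at all, which is why validation after parsing is only about data shape.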
This is not the first instance of such deserialization vulnerabilities being found in AI frameworks. In August 2024, Oligo detailed a 'shadow vulnerability' in TensorFlow's Keras framework, a bypass for CVE-2024-3660 (CVSS score: 9.8) that could lead to arbitrary code execution due to the use of the unsafe marshal module.
High-severity flaws in AI frameworks are not uncommon. Recently, security researcher Benjamin Flesch disclosed a serious flaw in OpenAI's ChatGPT crawler that could be exploited to initiate a distributed denial-of-service (DDoS) attack against arbitrary websites.
AI-powered coding assistants have also been found to 'recommend' hard-coding API keys and passwords, a risky suggestion that could mislead novice programmers into introducing security vulnerabilities in their projects.
The discovery of these vulnerabilities in LLM frameworks follows research into how these models could be manipulated to enhance the cyber attack lifecycle. 'The cyber threats posed by LLMs are not a revolution, but an evolution,' says Deep Instinct researcher Mark Vaitzman.
Recent research has also showcased a new method named ShadowGenes that can be utilized for identifying model genealogy, including its architecture, type, and family by leveraging its computational graph. This method builds on a previously disclosed attack technique known as ShadowLogic.