Critical Security Flaw Discovered in Meta’s Llama-Stack Framework

Summary: The Oligo Research team has identified a critical vulnerability (CVE-2024-50050) in Meta’s Llama-Stack, affecting Generative AI applications. This flaw, stemming from unsafe usage of the pyzmq library, allows remote attackers to execute arbitrary code via deserialization vulnerabilities. Meta has released a patch urging users to upgrade to version 0.0.41 or higher to mitigate these risks.

Affected: Meta’s Llama-Stack

Keypoints :

  • Vulnerability caused by the unsafe use of pyzmq’s recv_pyobj method, which uses insecure pickle.loads.
  • Critical CVSS score of 9.3 indicates severe risks to system security and data integrity.
  • Meta issued a patch replacing pickle serialization with a secure Pydantic JSON implementation following the vulnerability disclosure.

Source: https://securityonline.info/cve-2024-50050-critical-security-flaw-in-metas-llama-stack-framework/