Summary: The Oligo Research team has identified a critical vulnerability (CVE-2024-50050) in Meta’s Llama-Stack, affecting Generative AI applications. The flaw stems from unsafe usage of the pyzmq library and allows remote attackers to execute arbitrary code through unsafe deserialization. Meta has released a patch; users should upgrade to version 0.0.41 or higher to mitigate these risks.
Affected: Meta’s Llama-Stack
Keypoints:
- Vulnerability caused by the unsafe use of pyzmq’s recv_pyobj method, which uses insecure pickle.loads.
- Critical CVSS score of 9.3 indicates severe risks to system security and data integrity.
- Meta issued a patch replacing pickle serialization with a secure Pydantic JSON implementation following the vulnerability disclosure.
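
The difference between the two decoding approaches named in the keypoints, as an added example that is not Llama-Stack's or Oligo's code: it uses only the Python standard library in place of pyzmq and Pydantic, and the message schema (`InferenceRequest` and its fields), the 4096 limit and the sample frames are assumptions constructed for illustration.

```python
import json
import pickle
from dataclasses import dataclass


@dataclass(frozen=True)
class InferenceRequest:
    # Hypothetical message schema; the field names are assumptions.
    model: str
    prompt: str
    max_tokens: int


class SenderChosenCall:
    """Constructed, benign object: unpickling it calls len() on the receiver."""

    def __reduce__(self):
        return (len, ("sender-chosen",))


def unsafe_decode(frame: bytes):
    # pyzmq's recv_pyobj hands the received frame to pickle.loads like this.
    # The sender decides which callable runs; the receiver gets its result.
    return pickle.loads(frame)


def safe_decode(frame: bytes) -> InferenceRequest:
    """Parse the frame as JSON and accept only the expected fields and types."""
    try:
        data = json.loads(frame.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise ValueError("frame is not UTF-8 JSON") from exc
    if not isinstance(data, dict) or set(data) != {"model", "prompt", "max_tokens"}:
        raise ValueError("unexpected message shape")
    if not isinstance(data["model"], str) or not isinstance(data["prompt"], str):
        raise ValueError("model and prompt must be strings")
    limit = data["max_tokens"]
    if isinstance(limit, bool) or not isinstance(limit, int) or not 1 <= limit <= 4096:
        raise ValueError("max_tokens must be an integer from 1 to 4096")
    return InferenceRequest(**data)


if __name__ == "__main__":
    pickled = pickle.dumps(SenderChosenCall())  # constructed sample frame
    print("pickle.loads returned:", unsafe_decode(pickled))
    try:
        safe_decode(pickled)
    except ValueError as err:
        print("JSON path rejected the pickle frame:", err)
    print(safe_decode(b'{"model": "m", "prompt": "hi", "max_tokens": 16}'))
```
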
Source: https://securityonline.info/cve-2024-50050-critical-security-flaw-in-metas-llama-stack-framework/