Summary: A critical security vulnerability has been identified in Meta’s Llama large language model framework, allowing potential remote code execution through deserialization of untrusted data. This flaw, tracked as CVE-2024-50050, has a CVSS score of 6.3, but Snyk rated it as critical with a score of 9.3. The issue has been addressed by Meta, which switched the serialization format from pickle to JSON to mitigate the risk.
Threat Actor: Unknown | Unknown
Victim: Meta | Meta
Keypoints :
- A vulnerability in the Llama Stack allows attackers to execute arbitrary code by sending malicious data.
- The flaw was discovered in the Python Inference API implementation, which improperly deserializes Python objects.
- Meta has patched the vulnerability by changing the serialization format used in socket communication.
Source: https://thehackernews.com/2025/01/metas-llama-framework-flaw-exposes-ai.html