Meta's Llama Framework Flaw Exposes AI Systems to Remote Code Execution Risks
Briefly

A security flaw in Meta's Llama framework, tracked as CVE-2024-50050, presents a critical risk with a CVSS score of 6.3. The vulnerability allows arbitrary code execution through deserialization of untrusted data. Particularly impacted is the Llama Stack component, which handles API interfaces for AI development. Affected versions can be exploited by sending crafted malicious objects to an exposed ZeroMQ socket, where the receiving side unpickles them. Meta has mitigated this issue in version 0.0.41, addressing the flawed use of pickle as a serialization format.
Affected versions of meta-llama are vulnerable to deserialization of untrusted data, meaning that an attacker can execute arbitrary code by sending malicious data that is deserialized.
In scenarios where the ZeroMQ socket is exposed over the network, attackers could exploit this vulnerability by sending crafted malicious objects to the socket.
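The defensive side of this, as an added example that is not code from Meta, Llama Stack or the linked article: a static opcode check that flags pickles able to import or call objects, an unpickler that refuses every global lookup, and a JSON decoder as the data-only alternative. The function names, the "prompt" field and the sample frames are constructed for illustration, and frames are plain byte strings as they would arrive from a socket (pyzmq's recv_pyobj() passes such a frame straight to pickle.loads).

```python
import io
import json
import pickle
import pickletools

# Opcodes that make the unpickler import, instantiate or call something.
RISKY_OPCODES = {"GLOBAL", "STACK_GLOBAL", "INST", "OBJ",
                 "NEWOBJ", "NEWOBJ_EX", "REDUCE", "BUILD"}

def risky_opcodes(frame):
    """List risky opcodes in a frame by disassembling it, never loading it."""
    try:
        names = {op.name for op, _arg, _pos in pickletools.genops(frame)}
    except Exception:
        return {"MALFORMED"}  # not a well-formed pickle stream
    return names & RISKY_OPCODES

class DataOnlyUnpickler(pickle.Unpickler):
    """Accepts containers and scalars; every global lookup is refused."""
    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")

def loads_data_only(frame):
    return DataOnlyUnpickler(io.BytesIO(frame)).load()

def decode_json_request(frame):
    """Data-only wire format: parse JSON, then check the expected shape."""
    msg = json.loads(frame.decode("utf-8"))
    if not isinstance(msg, dict) or not isinstance(msg.get("prompt"), str):
        raise ValueError("unexpected message shape")
    return {"prompt": msg["prompt"]}

# Constructed sample frames. WITH_GLOBAL is benign: it only references
# builtins.len, but it takes the same import path a hostile pickle needs.
PLAIN = pickle.dumps({"prompt": "hello"})
WITH_GLOBAL = pickle.dumps(len)

def is_rejected(loader, frame):
    """True if the loader refuses the frame instead of returning an object."""
    try:
        loader(frame)
    except (pickle.UnpicklingError, ValueError):
        return True
    return False

if __name__ == "__main__":
    for label, frame in (("plain", PLAIN), ("with_global", WITH_GLOBAL)):
        print(label, sorted(risky_opcodes(frame)),
              "rejected" if is_rejected(loads_data_only, frame) else "loaded")
```

The opcode check suits logging and triage of captured frames; the enforcement point is the loader, and a format that cannot name code at all (JSON here) removes the class of bug rather than filtering it.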
Read at The Hacker News