CVE-2024-34359

llama-cpp-python vulnerable to Remote Code Execution by Server-Side Template Injection in Model Metadata

Severity Score

9.6

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Attend

*SSVC

Descriptions

llama-cpp-python is the Python bindings for llama.cpp. `llama-cpp-python` depends on class `Llama` in `llama.py` to load `.gguf` llama.cpp or Latency Machine Learning Models. The `__init__` constructor built in the `Llama` takes several parameters to configure the loading and running of the model. Other than `NUMA, LoRa settings`, `loading tokenizers,` and `hardware settings`, `__init__` also loads the `chat template` from targeted `.gguf` 's Metadata and furtherly parses it to `llama_chat_format.Jinja2ChatFormatter.to_chat_handler()` to construct the `self.chat_handler` for this model. Nevertheless, `Jinja2ChatFormatter` parse the `chat template` within the Metadate with sandbox-less `jinja2.Environment`, which is furthermore rendered in `__call__` to construct the `prompt` of interaction. This allows `jinja2` Server Side Template Injection which leads to remote code execution by a carefully constructed payload.

llama-cpp-python son los enlaces de Python para llama.cpp. `llama-cpp-python` depende de la clase `Llama` en `llama.py` para cargar `.gguf` llama.cpp o modelos de aprendizaje automático de latencia. El constructor `__init__` integrado en `Llama` toma varios parámetros para configurar la carga y ejecución del modelo. Además de `NUMA, configuración de LoRa`, `carga de tokenizadores` y `configuración de hardware`, `__init__` también carga la `plantilla de chat` desde los metadatos `.gguf` específicos y además la analiza en `llama_chat_format.Jinja2ChatFormatter.to_chat_handler ()` para construir el `self.chat_handler` para este modelo. Sin embargo, `Jinja2ChatFormatter` analiza la `plantilla de chat` dentro del Metadate con `jinja2.Environment` sin zona de pruebas, que además se representa en `__call__` para construir el `mensaje` de interacción. Esto permite la inyección de plantilla del lado del servidor `jinja2`, lo que conduce a la ejecución remota de código mediante un payload cuidadosamente construida.

*Credits: N/A

CVSS Scores

GitHubv3.1 9.6

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:Attend

Exploitation

Poc

Automatable

Tech. Impact

Total

* Organization's Worst-case Scenario

Timeline

2024-05-02 CVE Reserved
2024-05-10 CVE Published
2024-05-11 EPSS Updated
2024-08-02 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-76: Improper Neutralization of Equivalent Special Elements

CAPEC

References (2)

URL	Tag	Source
https://github.com/abetlen/llama-cpp-python/commit/b454f40a9a1787b2b5659cd2cb00819d983185df	X_refsource_misc
https://github.com/abetlen/llama-cpp-python/security/advisories/GHSA-56xg-wfcc-g829	X_refsource_confirm

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Abetlen Search vendor "Abetlen"		Llama-cpp-python Search vendor "Abetlen" for product "Llama-cpp-python"				>= 0.2.30 <= 0.2.71 Search vendor "Abetlen" for product "Llama-cpp-python" and version " >= 0.2.30 <= 0.2.71"		en		Affected