AI frameworks, including Meta’s Llama, are prone to automatic Python deserialization by pickle that could lead to remote code execution. Credit: Skorzewiak / Shutterstock Meta’s large language model (LLM) framework, Llama, suffers a typical open-source coding oversight, potentially allowing arbitrary code execution on servers leading to resource theft, data breaches, and AI model takeover. The flaw, tracked as CVE-2024-50050, is a critical deserialization bug belonging to a class of vulnerabilities arising from the improper use of the open-source library (pyzmq) in AI frameworks. “The Oligo research team has discovered a critical vulnerability in meta-llama, an open-source framework from Meta for building and deploying Gen AI applications,” said Oligo’s security researchers in a blog post. “The vulnerability, CVE-2024-50050 enables attackers to execute arbitrary code on the llama-stack inference server from the network.” Following Oligo’s report on the flaw, Meta’s security team promptly patched Llama Stack, by switching the serialization format for socket communication from pickle to JSON. A typical AI-framework flaw According to Oligo’s research, a number of open-source AI frameworks leverage an open-source messaging library (pyzmq) in an “unsafe way”, allowing remote code execution. The problem stems from Llama Stack using pickle, a Python module for serialization and deserialization of Python objects, within its “inference API” implementation, a functionality Llama has for organizations to bring their own ML models into the application pipeline. Pickle, which automatically deserializes Python objects, is inherently capable of executing arbitrary codes while deserializing untrusted data (crafted) sent by attackers, particularly with exposed pyzmq (a Python binding for ZeroMQ) implementation. “In scenarios where the ZeroMQ socket is exposed over the network, attackers could exploit this vulnerability by sending crafted malicious objects to the socket,” the researchers said, adding that unpickling these objects could allow attackers to “achieve arbitrary code execution (RCE) on the host machine.” Meta likely understated the criticality Oligo reported the vulnerability to Meta on 29 September 2024, which then acknowledged it and released a fix on GitHub on 10th Oct 2024, with a patched version 0.0.41 pushed to PyPi. Meta, on 24th October 2024, then issued CVE-2024-50050 with a CVSS score of 6.3 (medium severity). Oligo, however, pointed out that the nature of the vulnerability warrants a much higher score. Snyk, a software supply chain security firm, assigned the vulnerability a critical CVSS score of 9.3 under version 4.0 and 9.8 under version 3.1. Meta did not respond to queries about clarity on the flaw’s severity rating till the publishing of this article. The vulnerability is presently pending analysis by the National Vulnerability Database (NVD), a comprehensive repository of publicly disclosed vulnerabilities, managed by the US National Institute of Standards and Technology (NIST). SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe