CVE-2025-61784
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-07

Last updated on: 2025-10-22

Assigner: GitHub, Inc.

Description
LLaMA-Factory is a tuning library for large language models. Prior to version 0.9.4, a Server-Side Request Forgery (SSRF) vulnerability in the chat API allows any authenticated user to force the server to make arbitrary HTTP requests to internal and external networks. This can lead to the exposure of sensitive internal services, reconnaissance of the internal network, or interaction with third-party services. The same mechanism also allows for a Local File Inclusion (LFI) vulnerability, enabling users to read arbitrary files from the server's filesystem. The vulnerability exists in the `_process_request` function within `src/llamafactory/api/chat.py.` This function is responsible for processing incoming multimodal content, including images, videos, and audio provided via URLs. The function checks if the provided URL is a base64 data URI or a local file path (`os.path.isfile`). If neither is true, it falls back to treating the URL as a web URI and makes a direct HTTP GET request using `requests.get(url, stream=True).raw` without any validation or sanitization of the URL. Version 0.9.4 fixes the underlying issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-07
Last Modified
2025-10-22
Generated
2026-05-07
AI Q&A
2025-10-07
EPSS Evaluated
2026-05-05
NVD
CVE-2025-61784
EUVD
EUVD-2025-31881
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
hiyouga llama-factory to 0.9.4 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability in LLaMA-Factory versions prior to 0.9.4 is a Server-Side Request Forgery (SSRF) and Local File Inclusion (LFI) issue in the chat API. Authenticated users can exploit the _process_request function to make the server perform arbitrary HTTP requests to internal or external networks without validation, potentially exposing sensitive internal services or interacting with third-party services. Additionally, users can read arbitrary files from the server's filesystem via the LFI aspect. The issue arises because the function treats URLs as web URIs and makes HTTP GET requests without sanitizing or validating them.


How can this vulnerability impact me? :

This vulnerability can lead to exposure of sensitive internal services, unauthorized reconnaissance of internal networks, and interaction with third-party services, potentially resulting in data leakage or further attacks. The Local File Inclusion aspect allows attackers to read arbitrary files on the server, which could include sensitive configuration files or credentials. Overall, it can compromise confidentiality, integrity, and availability of the affected system.


What immediate steps should I take to mitigate this vulnerability?

Upgrade LLaMA-Factory to version 0.9.4 or later, as this version fixes the SSRF and LFI vulnerabilities. Additionally, restrict authenticated user access to the chat API until the upgrade is applied to prevent exploitation.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart