A critical security flaw has been disclosed in the llama_cpp_python Python package that could be exploited by risk actors to accomplish arbitrary code execution.
Tracked as CVE-2024-34359 (CVSS rating: 9.7), the flaw has been codenamed Llama Drama by program supply chain security firm Checkmarx.
“If exploited, it could enable attackers to execute arbitrary code on your system, compromising details and operations,” security researcher Male Nachshon claimed.
llama_cpp_python, a Python binding for the llama.cpp library, is a preferred bundle with around 3 million downloads to date, permitting developers to combine AI versions with Python.
Security researcher Patrick Peng (retr0reg) has been credited with exploring and reporting the flaw, which has been resolved in version .2.72.
The core issue stems from the misuse of the Jinja2 template motor within the llama_cpp_python offer, enabling for server-aspect template injection that prospects to distant code execution by signifies of a specifically crafted payload.
“The exploitation of this vulnerability can direct to unauthorized steps by attackers, including knowledge theft, system compromise, and disruption of functions,” Checkmarx claimed.
“The discovery of CVE-2024-34359 serves as a stark reminder of the vulnerabilities that can crop up at the confluence of AI and provide chain security. It highlights the want for vigilant security practices during the lifecycle of AI systems and their parts.”
Code Execution Flaw in PDF.js
The advancement follows the discovery of a substantial-severity flaw in Mozilla’s PDF.js JavaScript library (CVE-2024-4367) that could let the execution of arbitrary code.
“A type test was lacking when dealing with fonts in PDF.js, which would make it possible for arbitrary JavaScript execution in the PDF.js context,” Mozilla claimed in an advisory.
Codean Labs, which characterised the flaw as an “oversight in a unique component of the font rendering code,” stated it permits an attacker to execute JavaScript code as before long as a malware-laced PDF document is opened in the Firefox browser.
The issue has been addressed in Firefox 126, Firefox ESR 115.11, and Thunderbird 115.11 delivered previous week. It has also been fixed in the npm module pdfjs-dist version 4.2.67 unveiled on April 29, 2024.
“Most wrapper libraries like respond-pdf have also produced patched variations,” security researcher Thomas Rinsma explained. “For the reason that some higher amount PDF-similar libraries statically embed PDF.js, we advocate recursively examining your node_modules folder for files known as pdf.js to be absolutely sure.”
Uncovered this write-up attention-grabbing? Abide by us on Twitter and LinkedIn to browse extra special information we post.
Some parts of this article are sourced from:
thehackernews.com