A critical security flaw has been disclosed in the llama_cpp_python Python bundle that could be exploited by threat actors to reach arbitrary code execution.
Tracked as CVE-2024-34359 (CVSS score: 9.7), the flaw has been codenamed Llama Drama by software program supply chain security agency Checkmarx.
“If exploited, it could enable attackers to execute arbitrary code on your technique, compromising data and operations,” security researcher Guy Nachshon claimed.
![Mullvad VPN Discount](https://thecybersecurity.news/data/2022/05/Mullvad-VPN-245x300.png)
Protect your privacy by Mullvad VPN. Mullvad VPN is one of the famous brands in the security and privacy world. With Mullvad VPN you will not even be asked for your email address. No log policy, no data from you will be saved. Get your license key now from the official distributor of Mullvad with discount: SerialCart® (Limited Offer).
➤ Get Mullvad VPN with 12% Discount
llama_cpp_python, a Python binding for the llama.cpp library, is a well-known deal with about 3 million downloads to date, allowing builders to integrate AI designs with Python.
Security researcher Patrick Peng (retr0reg) has been credited with identifying and reporting the flaw, which has been tackled in version .2.72.
The main issue stems from the misuse of the Jinja2 template motor within just the llama_cpp_python package, enabling for server-side template injection that potential customers to remote code execution by means of a specially crafted payload.
“The exploitation of this vulnerability can lead to unauthorized actions by attackers, which include information theft, system compromise, and disruption of functions,” Checkmarx reported.
“The discovery of CVE-2024-34359 serves as a stark reminder of the vulnerabilities that can crop up at the confluence of AI and source chain security. It highlights the have to have for vigilant security procedures through the lifecycle of AI methods and their parts.”
Code Execution Flaw in PDF.js
The enhancement follows the discovery of a substantial-severity flaw in Mozilla’s PDF.js JavaScript library (CVE-2024-4367) that could enable the execution of arbitrary code.
“A kind check out was missing when handling fonts in PDF.js, which would enable arbitrary JavaScript execution in the PDF.js context,” Mozilla reported in an advisory.
Codean Labs, which characterised the flaw as an “oversight in a unique part of the font rendering code,” stated it permits an attacker to execute JavaScript code as quickly as a malware-laced PDF doc is opened in the Firefox browser.
The issue has been dealt with in Firefox 126, Firefox ESR 115.11, and Thunderbird 115.11 shipped very last week. It has also been solved in the npm module pdfjs-dist model 4.2.67 produced on April 29, 2024.
“Most wrapper libraries like react-pdf have also produced patched versions,” security researcher Thomas Rinsma mentioned. “Because some increased level PDF-connected libraries statically embed PDF.js, we suggest recursively examining your node_modules folder for documents termed pdf.js to be confident.”
Uncovered this post fascinating? Stick to us on Twitter and LinkedIn to read through much more special written content we publish.
Some components of this write-up are sourced from:
thehackernews.com