
CVE-2025-46567: CWE-502: Deserialization of Untrusted Data in hiyouga LLaMA-Factory

Medium
Tags: Vulnerability, CVE-2025-46567, CWE-502
Published: Thu May 01 2025 (05/01/2025, 17:20:41 UTC)
Source: CVE
Vendor/Project: hiyouga
Product: LLaMA-Factory

Description

LLaMA-Factory enables fine-tuning of large language models. Prior to version 1.0.0, a critical vulnerability exists in the `llamafy_baichuan2.py` script of the LLaMA-Factory project. The script performs insecure deserialization using `torch.load()` on user-supplied `.bin` files from an input directory. An attacker can exploit this behavior by crafting a malicious `.bin` file that executes arbitrary commands during deserialization. This issue has been patched in version 1.0.0.

AI-Powered Analysis

AI analysis last updated: 06/26/2025, 02:14:09 UTC

Technical Analysis

CVE-2025-46567 is a medium-severity vulnerability classified under CWE-502 (Deserialization of Untrusted Data) affecting versions of the hiyouga LLaMA-Factory product prior to 1.0.0. LLaMA-Factory is a tool designed to enable fine-tuning of large language models, a critical function in AI development workflows. The vulnerability resides specifically in the `llamafy_baichuan2.py` script, which insecurely deserializes user-supplied `.bin` files using the PyTorch `torch.load()` function. This function is known to be unsafe when loading data from untrusted sources because it can execute arbitrary code during the deserialization process. An attacker who can supply a crafted `.bin` file to the input directory processed by this script can trigger arbitrary command execution on the host system. This can lead to a compromise of confidentiality, integrity, and availability of the affected system. The vulnerability requires local access with limited privileges (PR:L) and user interaction (UI:R) to supply the malicious file. The attack vector is local (AV:L), meaning remote exploitation is not straightforward without prior access. The vulnerability has been patched in version 1.0.0 of LLaMA-Factory, and no known exploits are currently reported in the wild. The CVSS 3.1 base score is 6.1, reflecting medium severity, with high impact on confidentiality, low impact on integrity, and low impact on availability. The scope remains unchanged (S:U).

Potential Impact

For European organizations utilizing LLaMA-Factory versions prior to 1.0.0, this vulnerability poses a significant risk, especially in AI research, development, and deployment environments. Successful exploitation could allow attackers to execute arbitrary code, potentially leading to data theft, unauthorized access to sensitive AI model parameters, or disruption of AI training pipelines. This could undermine intellectual property protection, compromise AI model integrity, and cause operational downtime. Given the increasing adoption of AI technologies in sectors such as finance, healthcare, automotive, and government within Europe, the impact could extend to critical infrastructure and sensitive data environments. The requirement for local access and user interaction somewhat limits the attack surface; however, insider threats or compromised internal systems could facilitate exploitation. Additionally, organizations relying on automated or semi-automated AI model fine-tuning workflows that ingest external `.bin` files are at higher risk. The vulnerability could also be leveraged as a foothold for lateral movement within networks, escalating the overall threat landscape for affected entities.

Mitigation Recommendations

- Upgrade LLaMA-Factory to version 1.0.0 or later, where the insecure deserialization vulnerability has been patched.
- Implement strict input validation and sanitization for all `.bin` files before processing, including verifying file provenance and integrity using cryptographic signatures or checksums.
- Restrict access to directories where `.bin` files are placed to trusted users and processes only, minimizing the risk of malicious file injection.
- Run the LLaMA-Factory fine-tuning processes within isolated environments such as containers or sandboxes with minimal privileges to limit the impact of potential code execution.
- Monitor file system activity and process execution logs for unusual behavior related to `.bin` file handling and deserialization operations.
- Educate internal users and developers about the risks of deserializing untrusted data and enforce policies that prevent the use of unverified input files in AI workflows.
- Consider implementing application-level allowlisting for deserialization operations or replacing `torch.load()` with safer alternatives that do not execute arbitrary code during deserialization.
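The root cause described in the technical analysis and the allowlisting mitigation recommended above both come down to the pickle stream inside a legacy `.bin` checkpoint: an unrestricted `torch.load()` hands that stream to the standard unpickler, which imports whatever module and attribute the stream names. The following is an added example, not code from LLaMA-Factory or the CVE record, that shows two defences on a plain pickle stream so it runs without torch: a static scan that lists every global the stream would import before anything is deserialized, and an allowlisting unpickler that refuses any global a state dict does not need. The allowlist here (`ALLOWED_GLOBALS`), the sample state dict and the `datetime.date` stand-in for an unexpected object are all constructed for the example; real checkpoints also reference torch storage and tensor classes, which is what `torch.load(..., weights_only=True)` covers with the same allowlisting approach.

```python
"""Static scan plus allowlisting unpickler for pickle-based checkpoints.

Added example (not LLaMA-Factory code).  Works on a bare pickle stream so it
runs without torch; the idea matches torch.load(..., weights_only=True).
"""
import collections
import datetime
import io
import pickle
import pickletools

# Globals a plain state_dict legitimately needs.  Assumption for this example;
# real checkpoints additionally need torch's storage/tensor classes.
ALLOWED_GLOBALS = {
    ("collections", "OrderedDict"),
    ("builtins", "dict"),
    ("builtins", "list"),
    ("builtins", "tuple"),
}

_STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING",
               "UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}
_PUT_OPS = {"PUT", "BINPUT", "LONG_BINPUT"}
_GET_OPS = {"GET", "BINGET", "LONG_BINGET"}


def list_globals(data: bytes) -> list[tuple[str, str]]:
    """Statically list every (module, name) the stream would import.

    Protocols 0-3 use GLOBAL with a "module name" argument; protocol 4+ uses
    STACK_GLOBAL, taking module and name from the two most recent string
    values pushed (possibly via the memo).  Nothing is executed here.
    """
    found: list[tuple[str, str]] = []
    memo: dict[int, object] = {}
    recent: list[str] = []      # string values pushed, in stream order
    last_pushed: object = None  # what a following MEMOIZE/PUT would store
    for opcode, arg, _pos in pickletools.genops(data):
        name = opcode.name
        if name in _STRING_OPS:
            last_pushed = arg
            recent.append(arg)
        elif name == "MEMOIZE":
            memo[len(memo)] = last_pushed
        elif name in _PUT_OPS:
            memo[arg] = last_pushed
        elif name in _GET_OPS:
            last_pushed = memo.get(arg)
            if isinstance(last_pushed, str):
                recent.append(last_pushed)
        elif name == "GLOBAL":
            module, attr = arg.split(" ", 1)
            found.append((module, attr))
            last_pushed = None
        elif name == "STACK_GLOBAL":
            if len(recent) < 2:
                raise pickle.UnpicklingError("STACK_GLOBAL without module/name")
            found.append((recent[-2], recent[-1]))
            last_pushed = None
        else:
            last_pushed = None
    return found


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler whose find_class resolves allowlisted globals only."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is not allowlisted")


def load_checkpoint_bytes(data: bytes, scan_first: bool = True):
    """Return ("loaded", obj) or ("rejected", reason).

    The scan rejects before any import happens; the restricted unpickler is
    the backstop for anything the scan did not see.
    """
    if scan_first:
        unexpected = [g for g in list_globals(data) if g not in ALLOWED_GLOBALS]
        if unexpected:
            return ("rejected", unexpected)
    try:
        return ("loaded", RestrictedUnpickler(io.BytesIO(data)).load())
    except pickle.UnpicklingError as exc:
        return ("rejected", str(exc))


# Constructed sample inputs (not real checkpoints).
BENIGN_STATE_DICT = collections.OrderedDict(
    [("layer.weight", [0.1, 0.2]), ("layer.bias", [0.0])])
BENIGN_PICKLE = pickle.dumps(BENIGN_STATE_DICT, protocol=4)  # STACK_GLOBAL path
LEGACY_PICKLE = pickle.dumps(BENIGN_STATE_DICT, protocol=2)  # GLOBAL path
# Harmless object whose class is simply not on the allowlist.
UNEXPECTED_PICKLE = pickle.dumps(datetime.date(2025, 5, 1), protocol=4)

if __name__ == "__main__":
    for label, blob in [("benign", BENIGN_PICKLE), ("legacy", LEGACY_PICKLE),
                        ("unexpected", UNEXPECTED_PICKLE)]:
        print(label, list_globals(blob), load_checkpoint_bytes(blob)[0])
```

Running the scan first means a file that names anything outside the allowlist is refused without a single import; the `find_class` gate catches the same condition if a file reaches the unpickler through another path. In a real pipeline the scan result is also what you would log for the monitoring recommendation above, since an unexpected global in a checkpoint is a concrete, attributable event rather than a generic "deserialization occurred".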


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2025-04-24T21:10:48.175Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682d9838c4522896dcbebe0b

Added to database: 5/21/2025, 9:09:12 AM

Last enriched: 6/26/2025, 2:14:09 AM

Last updated: 7/29/2025, 1:02:01 AM

