
CVE-2025-53002: CWE-94: Improper Control of Generation of Code ('Code Injection') in hiyouga LLaMA-Factory

Severity: High
Type: Vulnerability
Tags: cve, cve-2025-53002, cwe-94, cwe-502
Published: Thu Jun 26 2025 (06/26/2025, 14:40:52 UTC)
Source: CVE Database V5
Vendor/Project: hiyouga
Product: LLaMA-Factory

Description

LLaMA-Factory is a tuning library for large language models. A remote code execution vulnerability was discovered in LLaMA-Factory versions up to and including 0.9.3 during the LLaMA-Factory training process. This vulnerability arises because the `vhead_file` is loaded without proper safeguards, allowing malicious attackers to execute arbitrary malicious code on the host system simply by passing a malicious `Checkpoint path` parameter through the `WebUI` interface. The attack is stealthy, as the victim remains unaware of the exploitation. The root cause is that the `vhead_file` argument is loaded without the secure parameter `weights_only=True`. Version 0.9.4 contains a fix for the issue.

AI-Powered Analysis

Last updated: 06/26/2025, 15:05:46 UTC

Technical Analysis

CVE-2025-53002 is a high-severity remote code execution (RCE) vulnerability affecting hiyouga's LLaMA-Factory, a tuning library for large language models. The vulnerability exists in versions prior to 0.9.4 and stems from improper handling of the `vhead_file` parameter during the model training process. Specifically, the `vhead_file` is loaded without the secure parameter `weights_only=True`, allowing attackers to inject and execute arbitrary code on the host system. Checkpoints of this kind are pickle-based, so a loader that does not restrict the deserializer can be made to import and call arbitrary Python objects while the file is being read. The attack vector involves passing a malicious `Checkpoint path` parameter through the WebUI interface, which is accessible remotely wherever the WebUI is exposed. Because the victim system loads the malicious payload without sufficient validation or sandboxing, the attacker can stealthily execute code without user interaction or alerting the victim. The vulnerability is categorized under CWE-94 (Improper Control of Generation of Code, i.e., code injection) and CWE-502 (Deserialization of Untrusted Data), highlighting the unsafe deserialization and code loading practices. The CVSS 3.1 base score is 8.3, reflecting a high severity due to the network attack vector, low attack complexity, a requirement for only low privileges (PR:L, a user with some level of authorization), no user interaction, and high confidentiality and availability impacts with limited integrity impact. No known exploits are currently in the wild, but the vulnerability is critical for environments running vulnerable versions of LLaMA-Factory, especially those exposing the WebUI interface to untrusted networks or users. The vendor has addressed the issue in version 0.9.4 by enforcing secure loading of the `vhead_file` with the `weights_only=True` parameter, mitigating arbitrary code execution risks.

Potential Impact

For European organizations utilizing LLaMA-Factory in AI research, development, or production environments, this vulnerability poses a significant risk. Successful exploitation can lead to remote code execution, allowing attackers to compromise confidentiality by accessing sensitive data, disrupt availability by executing destructive payloads or causing system crashes, and partially impact integrity by injecting malicious code. Given the stealthy nature of the attack, organizations may remain unaware of compromise, increasing the risk of persistent threats or lateral movement within networks. The impact is especially critical for sectors relying on AI models for sensitive applications such as finance, healthcare, or critical infrastructure. Additionally, organizations exposing the WebUI interface to external or less trusted internal networks face heightened risk. The vulnerability could be leveraged for espionage, sabotage, or ransomware deployment, amplifying potential operational and reputational damage. Compliance with European data protection regulations (e.g., GDPR) may also be jeopardized if personal data is accessed or disrupted due to exploitation.

Mitigation Recommendations

European organizations should immediately upgrade all instances of LLaMA-Factory to version 0.9.4 or later, where the vulnerability is patched. Until upgrades are complete, restrict access to the WebUI interface by implementing network segmentation, firewall rules, and VPN access to limit exposure to trusted users only. Employ strict authentication and authorization controls on the WebUI to prevent unauthorized parameter injection. Conduct thorough code reviews and security testing on any custom integrations or extensions involving the `vhead_file` loading process. Monitor logs and network traffic for unusual activity related to the WebUI or model training processes, including unexpected checkpoint path parameters or code execution attempts. Implement endpoint detection and response (EDR) solutions capable of identifying suspicious process executions originating from the LLaMA-Factory environment. Educate development and operations teams about the risks of insecure deserialization and code injection, emphasizing secure coding practices such as validating and sanitizing all inputs and using secure loading parameters. Finally, maintain an incident response plan tailored to AI infrastructure compromises to enable rapid containment and remediation if exploitation is suspected.
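To make concrete why the missing `weights_only=True` matters and what the "secure loading parameter" in the mitigation list actually does, here is an added Python example that is not code from LLaMA-Factory or from this advisory's source. It emulates the idea behind `weights_only` with a restricted unpickler whose `find_class` enforces an allowlist, adds a static pre-load scan of the imports a checkpoint stream would perform, and runs both over constructed sample streams; the allowlist contents, the two loader functions and the sample checkpoints are assumptions of this illustration, not the project's API.

```python
import io
import pickle
import pickletools
from collections import OrderedDict
# Allowlist standing in for what torch.load(..., weights_only=True) permits
# (tensor and container types); this pure-Python analogue allows only OrderedDict.
ALLOWED_GLOBALS = {("collections", "OrderedDict"): OrderedDict}

# Constructed sample inputs (not real LLaMA-Factory files): a benign value-head
# state dict, and a stream that asks the loader to import builtins.print.
GOOD_CHECKPOINT = pickle.dumps(
    {"v_head.summary.weight": [[0.1, 0.2]], "meta": OrderedDict(step=3)}, protocol=4)
SUSPECT_CHECKPOINT = pickle.dumps(print, protocol=4)

class RestrictedUnpickler(pickle.Unpickler):
    # pickle resolves every GLOBAL / STACK_GLOBAL through find_class: one choke point.
    def find_class(self, module, name):
        if (module, name) not in ALLOWED_GLOBALS:
            raise pickle.UnpicklingError(f"refused import {module}.{name}")
        return ALLOWED_GLOBALS[(module, name)]

def load_vhead_unrestricted(data: bytes):  # pre-0.9.4 pattern: plain load
    return pickle.loads(data)  # any importable name is resolved and may be called

def load_vhead_restricted(data: bytes):  # post-fix pattern: weights_only analogue
    return RestrictedUnpickler(io.BytesIO(data)).load()

def is_refused(data: bytes) -> bool:  # True if the restricted loader rejects the stream
    try:
        load_vhead_restricted(data)
    except pickle.UnpicklingError:
        return True
    return False

def imported_names(data: bytes):
    # Static pre-load check: (module, name) pairs the stream would import, read by walking
    # opcodes with pickletools. Nothing is executed; pushes/memo feed STACK_GLOBAL operands.
    names, pushed, memo = [], [], {}
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "GLOBAL":                     # protocol <= 3 carries "module name"
            names.append(tuple(arg.split(" ", 1)))
        elif op.name == "STACK_GLOBAL":             # protocol 4+: module, name pushed before
            names.append((pushed[-2], pushed[-1]))
        elif op.name in ("BINGET", "LONG_BINGET"):  # reuse of a memoized string
            pushed.append(memo.get(arg))
        elif op.name == "MEMOIZE":
            memo[len(memo)] = pushed[-1] if pushed else None
        elif isinstance(arg, str):
            pushed.append(arg)
    return names
```

The scan is a cheap triage step for checkpoints arriving from untrusted sources; the restricted loader is the control that actually prevents execution, which is what upgrading to 0.9.4 provides for `vhead_file`.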


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2025-06-24T03:50:36.795Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 685d5e15ca1063fb87424606

Added to database: 6/26/2025, 2:49:57 PM

Last enriched: 6/26/2025, 3:05:46 PM

Last updated: 8/16/2025, 12:46:41 PM
