Researchers Uncover Flaws in Python Package for AI Models and PDF.js Used by Firefox
May 21, 2024
Supply Chain Security / AI Model
A critical security flaw has been disclosed in the llama_cpp_python Python package that could be exploited by threat actors to achieve arbitrary code execution. Tracked as CVE-2024-34359 (CVSS score: 9.7), the flaw has been codenamed Llama Drama by software supply chain security firm Checkmarx. "If exploited, it could allow attackers to execute arbitrary code on your system, compromising data and operations," security researcher Guy Nachshon said . llama_cpp_python, a Python binding for the llama.cpp library , is a popular package with over 3 million downloads to date, allowing developers to integrate AI models with Python. Security researcher Patrick Peng (retr0reg) has been credited with discovering and reporting the flaw, which has been addressed in version 0.2.72. The core issue stems from the misuse of the Jinja2 template engine within the llama_cpp_python package, allowing for server-side template injection that le...
