How severe is CVE-2025-46567?

This vulnerability has a severity rating of MEDIUM with a CVSS score of 6.1 out of 10.

What type of vulnerability is CVE-2025-46567?

This is classified as CWE-502, which is a common weakness in software security.

CVE-2025-46567 - MEDIUM Severity | CVSS 6.1

Vulnerability Description

LLama Factory enables fine-tuning of large language models. Prior to version 1.0.0, a critical vulnerability exists in the `llamafy_baichuan2.py` script of the LLaMA-Factory project. The script performs insecure deserialization using `torch.load()` on user-supplied `.bin` files from an input directory. An attacker can exploit this behavior by crafting a malicious `.bin` file that executes arbitrary commands during deserialization. This issue has been patched in version 1.0.0.

Related Vulnerabilities

CVE-2021-32828

MEDIUM

CVSS:6.1(Medium)

The Nuxeo Platform is an open source content management platform for building business applications. In version 11.5.109, the `oauth2` REST API is vulnerable to Reflected Cross-Site Scripting (XSS). T...

CWE-5022021

CVE-2023-52357

MEDIUM

CVSS:6.2(Medium)

Vulnerability of serialization/deserialization mismatch in the vibration framework.Successful exploitation of this vulnerability may affect availability.

CWE-5022023

CVE-2024-34075

MEDIUM

CVSS:6.2(Medium)

kurwov is a fast, dependency-free library for creating Markov Chains. An unsafe sanitization of dataset contents on the `MarkovData#getNext` method used in `Markov#generate` and `Markov#choose` allows...

CWE-5022024

CVE-2025-2251

MEDIUM

CVSS:6.2(Medium)

A security flaw exists in WildFly and JBoss Enterprise Application Platform (EAP) within the Enterprise JavaBeans (EJB) remote invocation mechanism. This vulnerability stems from untrusted data deseri...

CWE-5022025

CVE-2025-31935

MEDIUM

CVSS:6.2(Medium)

Subnet Solutions PowerSYSTEM Center is affected by a mishandling of exceptional conditions vulnerability. Crafted data that is passed to the API may trigger an exception, resulting in a denial-of-serv...

CWE-5022025

CVE-2019-12384

MEDIUM

CVSS:5.9(Medium)

FasterXML jackson-databind 2.x before 2.9.9.1 might allow attackers to have a variety of impacts by leveraging failure to block the logback-core class from polymorphic deserialization. Depending on th...

CWE-5022019