CVE-2025-61784

7.6 HIGH

📋 TL;DR

This SSRF/LFI vulnerability in LLaMA-Factory allows authenticated users to make arbitrary HTTP requests to internal/external networks and read arbitrary files from the server filesystem. It affects all LLaMA-Factory deployments prior to version 0.9.4 that expose the chat API to authenticated users.

💻 Affected Systems

Products:
  • LLaMA-Factory
Versions: All versions prior to 0.9.4
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires the chat API to be accessible and the attacker to be authenticated; any authenticated user can exploit it.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of internal network services, exfiltration of sensitive data, and potential lateral movement to other systems via internal service interaction.

🟠 Likely Case

Unauthorized access to internal services, file system reconnaissance, and potential data leakage from accessible internal endpoints.

🟢 If Mitigated

Limited to authenticated user access only, but still allows internal network scanning and file reading within application permissions.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access but is straightforward via crafted URL parameters

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.9.4

Vendor Advisory: https://github.com/hiyouga/LLaMA-Factory/security/advisories/GHSA-527m-2xhr-j27g

Restart Required: Yes

Instructions:

1. Update LLaMA-Factory to version 0.9.4 or later using pip: pip install --upgrade "llamafactory>=0.9.4"
2. Restart the LLaMA-Factory service
3. Verify the fix by checking the version

🔧 Temporary Workarounds

Network Segmentation

linux

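Restrict outbound network access from the LLaMA-Factory server to only the required external services. The rules below drop all outbound TCP traffic to ports 80 and 443, so ACCEPT rules for the required destinations must sit ahead of them in the OUTPUT chain. They do not cover internal services listening on other ports.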

iptables -A OUTPUT -p tcp --dport 80 -j DROP
iptables -A OUTPUT -p tcp --dport 443 -j DROP

API Access Restriction

all

Limit chat API access to trusted users only via authentication/authorization controls

🧯 If You Can't Patch

  • Implement strict network egress filtering to prevent SSRF attacks to internal networks
  • Apply file system permissions to restrict application user's file access to only necessary directories

🔍 How to Verify

Check if Vulnerable:

Check if LLaMA-Factory version is below 0.9.4 and chat API is accessible

Check Version:

python -c "import llamafactory; print(llamafactory.__version__)"

Verify Fix Applied:

Confirm version is 0.9.4 or higher and test that URL parameter validation is enforced

📡 Detection & Monitoring

Log Indicators:

  • Unusual HTTP requests from LLaMA-Factory server to internal IPs
  • Multiple failed file access attempts to system paths

Network Indicators:

  • Outbound HTTP requests from LLaMA-Factory server to unexpected internal/external destinations

SIEM Query:

source="llama-factory" AND (url CONTAINS "file://" OR url CONTAINS "127.0.0.1" OR url CONTAINS "localhost" OR url CONTAINS "192.168." OR url CONTAINS "10." OR url CONTAINS "172.16.")
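
The substring matches in the query above are imprecise: "10." also matches a host such as 110.5.2.1 or a path such as /v10.2/, and "172.16." covers only part of 172.16.0.0/12. The Python below is an added example, not LLaMA-Factory or vendor code; it parses each logged URL and classifies the host by address range instead. The url= log field and the sample log lines are constructed assumptions.

```python
import ipaddress
import re
from urllib.parse import urlsplit

URL_FIELD = re.compile(r"url=(\S+)")  # assumed log field name, not a real LLaMA-Factory format

# Constructed sample log lines (not real LLaMA-Factory output).
SAMPLE_LOG = """\
2025-10-01T10:00:01Z chat user=alice url=https://example.com/v10.2/cat.png
2025-10-01T10:00:02Z chat user=bob url=http://172.20.1.5:8080/admin
2025-10-01T10:00:03Z chat user=bob url=file:///tmp/example.txt
2025-10-01T10:00:04Z chat user=bob url=http://[::1]:9000/metrics
2025-10-01T10:00:05Z chat user=carol url=http://110.5.2.1/pic.jpg
"""

def classify_url(url):
    """Return a reason string for a suspicious URL, or None if it looks external."""
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").rstrip(".")
    except ValueError:
        return "unparseable"
    scheme = parts.scheme.lower()
    if scheme == "file":
        return "file-scheme"
    if scheme not in ("http", "https"):
        return "non-http-scheme"
    if host == "localhost" or host.endswith(".localhost"):
        return "loopback-name"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return None  # DNS name: resolve and re-check in a real pipeline
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local"
    if ip.is_private:
        return "private"
    return None

def scan(log_text):
    hits = []  # (line_number, reason, url) for every flagged request
    for number, line in enumerate(log_text.splitlines(), 1):
        match = URL_FIELD.search(line)
        reason = classify_url(match.group(1)) if match else None
        if reason:
            hits.append((number, reason, match.group(1)))
    return hits
```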
