A critical security flaw has been disclosed in the llama_cpp_python Python package that could be exploited by threat actors to achieve arbitrary code execution.
Tracked as CVE-2024-34359 (CVSS score: 9.7), the flaw has been codenamed Llama Drama by software supply chain security firm Checkmarx.
“If exploited, it could allow attackers to execute arbitrary code on your system, compromising data and operations,” security researcher Guy Nachshon said.
llama_cpp_python, a Python binding for the llama.cpp library, is a popular package with over 3 million downloads to date, allowing developers to integrate AI models with Python.
Codean Labs, which characterized the flaw as an “oversight in a specific part of the font rendering code,” said it permits an attacker to execute JavaScript code as soon as a malware-laced PDF document is opened in the Firefox browser.
The issue has been addressed in Firefox 126, Firefox ESR 115.11, and Thunderbird 115.11 shipped last week. It has also been resolved in the npm module pdfjs-dist version 4.2.67 released on April 29, 2024.
“Most wrapper libraries like react-pdf have also released patched versions,” security researcher Thomas Rinsma said. “Because some higher level PDF-related libraries statically embed PDF.js, we recommend recursively checking your node_modules folder for files called pdf.js to be sure.”
Source: https://thehackernews.com/
