A critical security flaw, CVE-2024-50050, has been discovered in Meta’s Llama Stack framework, a widely used open-source tool for building and deploying generative AI (GenAI) applications.
The vulnerability, caused by unsafe deserialization of Python objects via the pickle module, allows remote attackers to execute arbitrary code on affected servers. This flaw underscores the ongoing challenges in securing AI frameworks amid their rapid adoption.
The issue lies in the default Python inference API implementation of Llama Stack, specifically in its use of the recv_pyobj method from the pyzmq library. This method deserializes data using Python's pickle module, a process that is inherently unsafe when the data comes from an untrusted source, because unpickling can invoke arbitrary callables. Attackers can exploit this by sending maliciously crafted serialized objects over exposed ZeroMQ sockets, leading to remote code execution (RCE) on the host machine.
While Meta initially assigned the vulnerability a CVSS score of 6.3 (medium severity), security firms like Snyk rated it as 9.3 (critical) under CVSS v4.0 due to its potential impact on confidentiality, integrity, and availability. Exploitation could result in resource theft, data breaches, or even full control over hosted AI models.
Oligo Security researchers identified the flaw during an analysis of open-source AI frameworks. They demonstrated how an attacker could exploit the vulnerability by sending a malicious payload to an open ZeroMQ socket.
Upon deserialization by recv_pyobj, the payload executes arbitrary commands on the server. This highlights the dangers of using pickle for deserialization in network-exposed environments.
For example, a proof-of-concept (PoC) exploit involved creating a Python class with a malicious __reduce__ method that executes system commands during deserialization. Once serialized and sent to an open Llama Stack port, this payload granted attackers full control over the host system.
Meta acted swiftly following Oligo's responsible disclosure on September 29, 2024. By October 10, 2024, they released a patch in version 0.0.41 of Llama Stack, replacing the vulnerable pickle serialization with a secure JSON-based implementation using Pydantic. Users are strongly advised to upgrade to version 0.0.41 or higher to mitigate this risk.
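As an added example (not Llama Stack's, pyzmq's or Oligo's code), the following sketches the shape of the fix described above and the defensive contrast with the vulnerable pattern from the earlier paragraphs: the receiving side parses a JSON frame into an explicitly validated schema instead of unpickling whatever arrives on the socket. The InferenceRequest fields, the looks_like_pickle check and the sample frames are constructed for illustration, and the standard library stands in for Pydantic so the snippet runs without extra dependencies.

```python
"""Added example, not the project's own code: a JSON-based message codec with
explicit schema validation, illustrating the class of fix the article describes
(replace pickle deserialization of network input with JSON plus a validated
schema). Field names and sample inputs are constructed; the standard library is
used in place of Pydantic so the example has no extra dependencies."""
import json
import pickle
from dataclasses import asdict, dataclass


class InvalidMessage(ValueError):
    """Raised for any frame that does not match the expected schema."""


def looks_like_pickle(raw: bytes) -> bool:
    """Cheap check for a pickle stream arriving where JSON is expected.

    Pickle protocol 2 and later starts with the PROTO opcode (0x80) followed by
    the protocol number. Protocols 0 and 1 have no header; they are simply
    rejected by the JSON parser, since their opcodes are never valid JSON.
    """
    return len(raw) >= 2 and raw[0] == 0x80 and 2 <= raw[1] <= pickle.HIGHEST_PROTOCOL


@dataclass(frozen=True)
class InferenceRequest:
    # Hypothetical request fields; Llama Stack's real schema is not reproduced.
    model: str
    prompt: str
    max_tokens: int = 256

    def to_frame(self) -> bytes:
        """Serialize to a JSON frame: only plain data crosses the socket."""
        return json.dumps(asdict(self)).encode("utf-8")

    @classmethod
    def from_frame(cls, raw: bytes) -> "InferenceRequest":
        """Parse and validate a frame received from an untrusted peer.

        json.loads can only produce dicts, lists, strings, numbers, booleans
        and None, so parsing never invokes application code, unlike pickle's
        __reduce__ protocol. Every field is then checked against the schema.
        """
        if looks_like_pickle(raw):
            raise InvalidMessage("frame is a pickle stream, not JSON")
        try:
            data = json.loads(raw.decode("utf-8"))
        except (UnicodeDecodeError, json.JSONDecodeError) as exc:
            raise InvalidMessage(f"malformed JSON: {exc}") from exc
        if not isinstance(data, dict):
            raise InvalidMessage("top-level value must be an object")
        unknown = set(data) - {"model", "prompt", "max_tokens"}
        if unknown:
            raise InvalidMessage(f"unexpected fields: {sorted(unknown)}")
        model = data.get("model")
        prompt = data.get("prompt")
        max_tokens = data.get("max_tokens", 256)
        if not isinstance(model, str) or not model:
            raise InvalidMessage("model must be a non-empty string")
        if not isinstance(prompt, str):
            raise InvalidMessage("prompt must be a string")
        # bool is a subclass of int in Python, so exclude it explicitly.
        if isinstance(max_tokens, bool) or not isinstance(max_tokens, int) \
                or not 1 <= max_tokens <= 4096:
            raise InvalidMessage("max_tokens must be an integer in 1..4096")
        return cls(model=model, prompt=prompt, max_tokens=max_tokens)


def try_decode(raw: bytes):
    """Return (True, request) on success or (False, reason) on rejection."""
    try:
        return True, InferenceRequest.from_frame(raw)
    except InvalidMessage as exc:
        return False, str(exc)


def constructed_pickle_frame() -> bytes:
    """A benign, constructed pickle of a plain dict, used only to show that a
    pickle stream is refused outright rather than deserialized."""
    return pickle.dumps({"model": "m", "prompt": "p"}, protocol=4)


if __name__ == "__main__":
    good = InferenceRequest(model="llama-3.1", prompt="hello", max_tokens=32)
    print("round trip:", try_decode(good.to_frame()))
    print("pickle frame:", try_decode(constructed_pickle_frame()))
    print("extra field:", try_decode(b'{"model": "m", "prompt": "p", "extra": 1}'))
```

The point of the design is that the parser can only build inert data structures, so the question of which objects an untrusted peer may instantiate never arises; the schema check then bounds what the application accepts. With pyzmq this corresponds to receiving raw bytes (or recv_json) and validating them, rather than calling recv_pyobj on a socket that untrusted hosts can reach.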
Additionally, the maintainers of pyzmq issued warnings about the unsafe use of recv_pyobj with untrusted data and updated their documentation to promote secure practices.
CVE-2024-50050 is not an isolated incident but part of a larger trend of vulnerabilities arising from insecure deserialization methods in AI frameworks. Similar issues have been reported in other platforms like TensorFlow and Keras, highlighting the need for robust security practices in AI development.
This case also emphasizes the risks associated with open-source dependencies in software supply chains. Developers must carefully vet third-party libraries and follow secure coding practices to prevent such vulnerabilities from being introduced into critical systems.
Meta’s Llama Stack is a powerful framework that has gained significant traction among developers for its versatility and integration with leading AI models like Llama 3.1 and Llama 3.2.
Organizations using Llama Stack should prioritize applying the patch immediately and review their deployment environments for other potential vulnerabilities.