{"id":"CVE-2024-34359","summary":"llama-cpp-python vulnerable to Remote Code Execution by Server-Side Template Injection in Model Metadata","details":"llama-cpp-python is the Python bindings for llama.cpp. `llama-cpp-python` depends on class `Llama` in `llama.py` to load `.gguf` llama.cpp or Latency Machine Learning Models. The `__init__` constructor built in the `Llama` takes several parameters to configure the loading and running of the model. Other than `NUMA, LoRa settings`, `loading tokenizers,` and `hardware settings`, `__init__` also loads the `chat template` from the targeted `.gguf`'s Metadata and further parses it to `llama_chat_format.Jinja2ChatFormatter.to_chat_handler()` to construct the `self.chat_handler` for this model. Nevertheless, `Jinja2ChatFormatter` parses the `chat template` within the Metadata with a sandbox-less `jinja2.Environment`, which is furthermore rendered in `__call__` to construct the `prompt` of interaction. This allows `jinja2` Server Side Template Injection which leads to remote code execution by a carefully constructed payload.","aliases":["GHSA-56xg-wfcc-g829"],"modified":"2026-04-10T05:13:31.151686Z","published":"2024-05-10T17:07:18.850Z","database_specific":{"cna_assigner":"GitHub_M","cwe_ids":["CWE-76"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/34xxx/CVE-2024-34359.json"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/34xxx/CVE-2024-34359.json"},{"type":"ADVISORY","url":"https://github.com/abetlen/llama-cpp-python/security/advisories/GHSA-56xg-wfcc-g829"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-34359"},{"type":"FIX","url":"https://github.com/abetlen/llama-cpp-python/commit/b454f40a9a1787b2b5659cd2cb00819d983185df"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/abetlen/llama-cpp-python","events":[{"introduced":"0"},{"fixed":"b454f40a9a1787b2b5659cd2cb00819d983185df"}]},{"type":"GIT","repo":"https://github.com/abetlen/llama-cpp-python","events":[{"introduced":"0"},{"fixed":"b454f40a9a1787b2b5659cd2cb00819d983185df"}]}],"versions":["v0.1.29","v0.1.30","v0.1.31","v0.1.32","v0.1.33","v0.1.34","v0.1.35","v0.1.36","v0.1.37","v0.1.38","v0.1.39","v0.1.40","v0.1.41","v0.1.42","v0.1.43","v0.1.56","v0.1.57","v0.1.59","v0.1.60","v0.1.61","v0.1.62","v0.1.63","v0.1.64","v0.1.65","v0.1.66","v0.1.67","v0.1.68","v0.1.69","v0.1.70","v0.1.71","v0.1.72","v0.1.73","v0.1.74","v0.1.75","v0.1.76","v0.1.77","v0.1.78","v0.1.80","v0.1.81","v0.1.82","v0.1.84","v0.1.85","v0.2.1","v0.2.10","v0.2.11","v0.2.12","v0.2.13","v0.2.14","v0.2.15","v0.2.19","v0.2.2","v0.2.20","v0.2.21","v0.2.22","v0.2.23","v0.2.24","v0.2.25","v0.2.26","v0.2.27","v0.2.28","v0.2.29","v0.2.3","v0.2.30","v0.2.31","v0.2.32","v0.2.33","v0.2.34","v0.2.35","v0.2.36","v0.2.37","v0.2.38","v0.2.39","v0.2.4","v0.2.40","v0.2.41","v0.2.42","v0.2.43","v0.2.44","v0.2.45","v0.2.46","v0.2.47","v0.2.48","v0.2.49","v0.2.5","v0.2.50","v0.2.51","v0.2.52","v0.2.53","v0.2.54","v0.2.55","v0.2.56","v0.2.57","v0.2.58","v0.2.59","v0.2.59-cu121","v0.2.59-cu122","v0.2.59-cu123","v0.2.59-metal","v0.2.6","v0.2.60","v0.2.60-cu121","v0.2.60-cu122","v0.2.60-cu123","v0.2.60-metal","v0.2.61","v0.2.61-cu121","v0.2.61-cu122","v0.2.61-cu123","v0.2.61-metal","v0.2.62","v0.2.62-cu121","v0.2.62-cu122","v0.2.62-cu123","v0.2.62-metal","v0.2.64","v0.2.64-cu121","v0.2.64-cu122","v0.2.64-cu123","v0.2.64-metal","v0.2.65","v0.2.65-cu121","v0.2.65-cu122","v0.2.65-cu123","v0.2.65-metal","v0.2.66","v0.2.66-cu121","v0.2.66-cu122","v0.2.66-cu123","v0.2.66-cu124","v0.2.66-metal","v0.2.67","v0.2.67-cu121","v0.2.67-cu122","v0.2.67-cu123","v0.2.67-cu124","v0.2.67-metal","v0.2.68","v0.2.68-cu121","v0.2.68-cu122","v0.2.68-cu123","v0.2.68-cu124","v0.2.68-metal","v0.2.69","v0.2.69-cu121","v0.2.69-cu122","v0.2.69-cu123","v0.2.69-cu124","v0.2.69-metal","v0.2.7","v0.2.70","v0.2.70-cu121","v0.2.70-cu122","v0.2.70-cu123","v0.2.70-cu124","v0.2.70-metal","v0.2.71","v0.2.71-cu121","v0.2.71-cu122","v0.2.71-cu123","v0.2.71-cu124","v0.2.71-metal","v0.2.8","v0.2.9"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-34359.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H"}]}