Home Security Researchers Uncover Flaws in Python Package for AI Models and PDF.js Used by Firefox

Researchers Uncover Flaws in Python Package for AI Models and PDF.js Used by Firefox

by


May 21, 2024NewsroomSupply Chain Security / AI Model

A critical security flaw has been disclosed in the llama_cpp_python Python package that could be exploited by threat actors to achieve arbitrary code execution.

Tracked as CVE-2024-34359 (CVSS score: 9.7), the flaw has been codenamed Llama Drama by software supply chain security firm Checkmarx.

“If exploited, it could allow attackers to execute arbitrary code on your system, compromising data and operations,” security researcher Guy Nachshon said.

llama_cpp_python, a Python binding for the llama.cpp library, is a popular package with over 3 million downloads to date, allowing developers to integrate AI models with Python.

Cybersecurity

Security researcher Patrick Peng (retr0reg) has been credited with discovering and reporting the flaw, which has been addressed in version 0.2.72.

The core issue stems from the misuse of the Jinja2 template engine within the llama_cpp_python package, allowing for server-side template injection that leads to remote code execution by means of a specially crafted payload.

“The exploitation of this vulnerability can lead to unauthorized actions by attackers, including data theft, system compromise, and disruption of operations,” Checkmarx said.

“The discovery of CVE-2024-34359 serves as a stark reminder of the vulnerabilities that can arise at the confluence of AI and supply chain security. It highlights the need for vigilant security practices throughout the lifecycle of AI systems and their components.”

Code Execution Flaw in PDF.js

The development follows the discovery of a high-severity flaw in Mozilla’s PDF.js JavaScript library (CVE-2024-4367) that could allow the execution of arbitrary code.

“A type check was missing when handling fonts in PDF.js, which would allow arbitrary JavaScript execution in the PDF.js context,” Mozilla said in an advisory.

Cybersecurity

Codean Labs, which characterized the flaw as an “oversight in a specific part of the font rendering code,” said it permits an attacker to execute JavaScript code as soon as a malware-laced PDF document is opened in the Firefox browser.

AI Models and PDF.js

The issue has been addressed in Firefox 126, Firefox ESR 115.11, and Thunderbird 115.11 shipped last week. It has also been resolved in the npm module pdfjs-dist version 4.2.67 released on April 29, 2024.

“Most wrapper libraries like react-pdf have also released patched versions,” security researcher Thomas Rinsma said. “Because some higher level PDF-related libraries statically embed PDF.js, we recommend recursively checking your node_modules folder for files called pdf.js to be sure.”

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.





Source link

Related Articles

xxxanti beeztube.mobi hot sexy mp4 menyoujan hentaitgp.net jason voorhees hentai indian soft core chupatube.net youjzz ez2 may 8 2023 pinoycinema.org ahensya ng pamahalaan pakistani chut ki chudai pimpmovs.com www xvedio dost ke papa zztube.mobi 300mbfilms.in صور مص الزب arabporna.net نهر العطش لمن تشعر بالحرمان movierulz plz.in bustyporntube.info how to make rangoli video 穂高ゆうき simozo.net 四十路五十路 ロシアav javvideos.net 君島みお 無修正 افلام سكس في المطبخ annarivas.net فيلم سكس قديم rashmi hot videos porncorn.info audiosexstories b grade latest nesaporn.pro high school girls sex videos real life cam eroebony.info painfull porn exbii adult pics teacherporntrends.com nepali school sex