Critical Security Flaw Discovered In Meta’s AI Framework

A severe security vulnerability, CVE-2024-50050, has been identified in Meta’s open-source framework for generative AI, known as Llama Stack.

The flaw, disclosed by the Oligo Research team, could allow attackers to remotely execute malicious code on servers using the framework. The vulnerability, caused by unsafe handling of serialized data, highlights the ongoing challenges of securing AI development tools.

Llama Stack, introduced by Meta in July 2024, supports the development and deployment of AI applications built on Meta’s Llama models. The research team explains that the flaw lies in its default server, which uses Python’s pyzmq library to handle data.

A specific method, recv_pyobj, automatically processes data with Python’s insecure pickle module. This makes it possible for attackers to send harmful data that runs unauthorized code. The researchers say that when exposed over a network, servers running the default configuration become vulnerable to remote code execution (RCE).

Such attacks could result in resource theft, data breaches, or unauthorized control over AI systems. The vulnerability was assigned a critical CVSS score of 9.3 (out of 10) by security firm Snyk, although Meta rated it as medium severity at 6.3, as reports by Oligo.

Oligo researchers uncovered the flaw during their analysis of open-source AI frameworks. Despite Llama Stack’s rapid rise in popularity—it went from 200 GitHub stars to over 6,000 within months—the team flagged the risky use of pickle for deserialization, a common cause of RCE vulnerabilities.

To exploit the flaw, attackers could scan for open ports, send malicious objects to the server, and trigger code execution during deserialization. Meta’s default implementation for Llama Stack’s inference server proved particularly susceptible.

Meta quickly addressed the issue after Oligo’s disclosure in September 2024. By October, a patch was released, replacing the insecure pickle-based deserialization with a safer, type-validated JSON implementation using the Pydantic library. Users are urged to upgrade to Llama Stack version 0.0.41 or higher to secure their systems.

The maintainers of pyzmq, the library used in Llama Stack, also updated their documentation to warn against using recv_pyobj with untrusted data.

This incident underscores the risks of using insecure serialization methods in software. Developers are encouraged to rely on safer alternatives and regularly update libraries to mitigate vulnerabilities. For AI tools like Llama Stack, robust security measures remain vital as these frameworks continue to power critical enterprise applications.