CVE-2024-52803: 
Python vulnerability analysis and mitigation

A critical remote OS command injection vulnerability (CVE-2024-52803) was identified in the LLama Factory training process, affecting versions <=0.9.0. The vulnerability was discovered and disclosed on November 21, 2024. LLama Factory, a tool that enables fine-tuning of large language models, contained this vulnerability due to improper handling of user input in the training process (GitHub Advisory).

The vulnerability stems from insecure usage of the Popen function with shell=True parameter, coupled with unsanitized user input in the training process. The issue specifically occurs in the _launch method where the output_dir value from user input is injected into the popen function without proper sanitization. The vulnerability has been assigned a CVSS v3.1 base score of 8.6 (High), with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L (GitHub Advisory).

The exploitation of this vulnerability allows attackers to execute arbitrary OS commands on the host system, potentially compromising sensitive data, escalating privileges, and deploying malware or creating persistent backdoors. This significantly increases the risk of data breaches and operational disruption (GitHub Advisory).

The vulnerability has been patched in version 0.9.1. The fix involves avoiding the use of shell=True in Popen and instead passing the command and its arguments as a list. The recommended remediation is to update to version 0.9.1 or later (GitHub Advisory, GitHub Commit).