Researchers Uncover Flaws in Python Package for AI Models and PDF.js Used by Firefox

May 21, 2024 at 07:09AM

A critical security flaw in the llama_cpp_python Python package (CVE-2024-34359, codenamed Llama Drama) allows threat actors to execute arbitrary code, posing a risk to data and operations. Another high-severity flaw in Mozilla’s PDF.js library permits JavaScript execution in the PDF.js context. Both issues have been addressed in recent software updates.

Key Takeaways from the Meeting Notes:

1. Llama Drama Security Flaw:
– CVE-2024-34359 (CVSS score: 9.7) affecting the llama_cpp_python Python package has been identified.
– Exploitation of the flaw could lead to arbitrary code execution, posing risks such as data compromise and system disruption.
– The flaw is associated with the misuse of the Jinja2 template engine, allowing for server-side template injection and remote code execution.
– Version 0.2.72 of the package has been released to address the vulnerability.
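The Jinja2 misuse described above is the general pattern of rendering untrusted text as template source. The following is an added example, not code from the article or from llama_cpp_python: it assumes a scenario where a chat template string arrives with a downloaded model file, uses constructed sample strings, and contrasts the unsafe pattern with two mitigations (treating the text as data, or rendering only inside Jinja2's immutable sandbox).

```python
"""Added example (not from the article or llama_cpp_python): why rendering
untrusted text *as* a Jinja2 template is server-side template injection, and
two ways to avoid it.  Assumed scenario: a chat template string that arrives
with a downloaded model file.  All sample strings are constructed."""
from jinja2 import Environment
from jinja2.sandbox import ImmutableSandboxedEnvironment

# Constructed: what a template author would legitimately write.
TRUSTED_TEMPLATE = "{% for m in messages %}{{ m.role }}: {{ m.content }}\n{% endfor %}"

# Constructed probe standing in for text an untrusted source might plant.
# {{ 7 * 7 }} shows that expressions are evaluated; the '_'-prefixed attribute
# access is exactly what the sandbox refuses and an unsandboxed engine allows.
UNTRUSTED_TEXT = "{{ 7 * 7 }} {{ messages.__class__ }}"

MESSAGES = [{"role": "user", "content": "hello"}]


def render_unsafe(template_src, messages):
    """Anti-pattern: untrusted text becomes template source and is evaluated
    by a full, unsandboxed Environment (arbitrary expressions run)."""
    return Environment().from_string(template_src).render(messages=messages)


def render_as_data(untrusted_text, messages):
    """Fix 1 (preferred): the template stays fixed and trusted; untrusted text
    only ever enters as a *variable*, so its braces are inert output."""
    env = ImmutableSandboxedEnvironment()
    tmpl = env.from_string("{{ text }}\n" + TRUSTED_TEMPLATE)
    return tmpl.render(text=untrusted_text, messages=messages)


def render_sandboxed(template_src, messages):
    """Fix 2: if the template really must come from outside, render it only in
    the immutable sandbox, which refuses access to attributes whose name
    starts with '_' (they render as empty Undefined) and refuses calls that
    mutate built-in containers."""
    env = ImmutableSandboxedEnvironment()
    return env.from_string(template_src).render(messages=messages)


if __name__ == "__main__":
    print("unsafe   :", repr(render_unsafe(UNTRUSTED_TEXT, MESSAGES)))
    print("as data  :", repr(render_as_data(UNTRUSTED_TEXT, MESSAGES)))
    print("sandboxed:", repr(render_sandboxed(UNTRUSTED_TEXT, MESSAGES)))
```

Treating the incoming text as data is the stronger fix because the engine never parses it; the sandbox is the fallback for the case where the template genuinely has to be supplied by the model file, and even then the arithmetic probe still evaluates, which is why the sandbox alone is a containment boundary rather than a reason to trust the input.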

2. PDF.js Code Execution Flaw:
– A high-severity flaw (CVE-2024-4367) has been discovered in Mozilla’s PDF.js JavaScript library, enabling arbitrary JavaScript execution in the PDF.js context when a malicious PDF document is opened in the Firefox browser.
– The issue has been resolved in Firefox 126, Firefox ESR 115.11, and Thunderbird 115.11, as well as in the npm module pdfjs-dist version 4.2.67.

3. Mitigation Recommendations:
– The CVE-2024-34359 finding in llama_cpp_python underscores the need for vigilant security practices around AI models and the software supply chain.
– Advised checking the node_modules folder for files called pdf.js, so that wrapper libraries such as react-pdf, which bundle their own copy of PDF.js, are confirmed to have been patched.
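The node_modules check above is easy to automate. The script below is an added example, not from the article or from any project it names: it walks a tree for nested pdfjs-dist packages and loose pdf.js/pdf.mjs build files, compares each version it finds with the patched release the article gives (4.2.67), and checks the installed llama_cpp_python against 0.2.72. It assumes built PDF.js files declare a `pdfjsVersion = "x.y.z"` marker (files without one are reported as unknown rather than guessed), and its demo runs over a constructed temporary tree.

```python
"""Added example (not from the article or the projects it names): audit a
project tree for copies of PDF.js and report whether each is at or above the
patched pdfjs-dist release (4.2.67), and check the installed llama_cpp_python
against 0.2.72.  Wrappers such as react-pdf can carry their own nested
pdfjs-dist, so one tree may hold several copies at different versions."""
import json
import os
import re
import shutil
import tempfile
from importlib.metadata import PackageNotFoundError, version

FIXED_PDFJS = "4.2.67"   # patched pdfjs-dist version, from the article
FIXED_LLAMA = "0.2.72"   # patched llama_cpp_python version, from the article

# Assumption: built pdf.js / pdf.mjs files declare pdfjsVersion = "x.y.z".
_VERSION_MARKER = re.compile(r"pdfjsVersion\s*=\s*['\"]([0-9][0-9.]*)['\"]")


def version_tuple(v):
    """'4.2.67' or '4.2.67-beta.1' -> (4, 2, 67); pre-release tags ignored."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", v)
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(int(x) for x in m.groups())


def is_patched(installed, fixed):
    return version_tuple(installed) >= version_tuple(fixed)


def find_pdfjs(root):
    """Return [(path, version_or_None)] for every pdfjs-dist package and every
    loose pdf.js/pdf.mjs build file under root, nested copies included."""
    found = []
    for dirpath, dirs, files in os.walk(root):
        if "package.json" in files:
            with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as f:
                try:
                    meta = json.load(f)
                except ValueError:
                    meta = {}
            if meta.get("name") == "pdfjs-dist":
                found.append((dirpath, meta.get("version")))
                dirs[:] = []   # its build/ files belong to this package; don't descend
                continue
        for name in files:
            if name in ("pdf.js", "pdf.mjs"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as f:
                    m = _VERSION_MARKER.search(f.read())
                found.append((path, m.group(1) if m else None))
    return found


def audit(root):
    """Classify each finding as 'patched', 'VULNERABLE' or 'unknown version'."""
    report = []
    for path, ver in find_pdfjs(root):
        if ver is None:
            status = "unknown version"
        elif is_patched(ver, FIXED_PDFJS):
            status = "patched"
        else:
            status = "VULNERABLE"
        report.append((os.path.relpath(path, root), ver, status))
    return sorted(report)


def llama_cpp_python_patched():
    """True/False for the installed llama_cpp_python, None if not installed."""
    try:
        return is_patched(version("llama_cpp_python"), FIXED_LLAMA)
    except PackageNotFoundError:
        return None


def demo():
    """Audit a constructed node_modules tree (sample data only, then removed)."""
    root = tempfile.mkdtemp()
    samples = {
        "node_modules/pdfjs-dist/package.json":
            json.dumps({"name": "pdfjs-dist", "version": "4.2.67"}),
        "node_modules/react-pdf/node_modules/pdfjs-dist/package.json":
            json.dumps({"name": "pdfjs-dist", "version": "4.1.0"}),   # constructed, stale
        "node_modules/legacy-viewer/dist/pdf.js":
            '/* constructed stub */ const pdfjsVersion = "4.0.0";\n',
        "node_modules/other-lib/pdf.js": "// constructed file with no version marker\n",
    }
    try:
        for rel, body in samples.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as f:
                f.write(body)
        return audit(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for rel, ver, status in demo():
        print(f"{status:16} {ver or '?':8} {rel}")
    print("llama_cpp_python patched:", llama_cpp_python_patched())
```

Run it with `audit("/path/to/project")` on a real checkout; the nested react-pdf copy in the constructed sample is the case the article warns about, where the top-level pdfjs-dist is current but a wrapper still ships an older build.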


