CVE-2024-50050

MEDIUM

Llama Stack <7a8aa775e5a267cf8660d83140011a0b7f91e005 - RCE

Exploitation Summary

EIP tracks 2 public exploits for CVE-2024-50050. PoCs published by sastraadiwiguna-purpleeliteteaming.

AI-analyzed exploit summary: This repository provides a detailed technical analysis of CVE-2024-50050, focusing on RCE via insecure deserialization in the Meta Llama Stack. It includes methodologies for exploitation, supply chain attack vectors, and defensive hardening techniques.

Description

Llama Stack prior to revision 7a8aa775e5a267cf8660d83140011a0b7f91e005 used pickle as a serialization format for socket communication, potentially allowing for remote code execution. Socket communication has been changed to use JSON instead.

Exploits (2)

gitlab WRITEUP
by sastraadiwiguna-purpleeliteteaming · poc
https://gitlab.com/sastraadiwiguna-purpleeliteteaming/llamastack-rce-deterministic-supply-chain-exploitation-hardening-framework-cve-2024-50050

This repository provides a detailed technical analysis of CVE-2024-50050, focusing on RCE via insecure deserialization in the Meta Llama Stack. It includes methodologies for exploitation, supply chain attack vectors, and defensive hardening techniques.

Classification: Writeup 90%
Attack Type: RCE
Complexity: Complex
Reliability: Theoretical
Target: Meta Llama Stack (ZeroMQ/Pickle)
No auth needed
Prerequisites: Access to vulnerable ZeroMQ/Pickle deserialization endpoints · Ability to craft malicious payloads
devstral-2 · analyzed Feb 23, 2026

nomisec WRITEUP
by sastraadiwiguna-purpleeliteteaming · poc
https://github.com/sastraadiwiguna-purpleeliteteaming/LlamaStack-RCE-Deterministic-Supply-Chain-Exploitation-Hardening-Framework-CVE-2024-50050-

This repository provides a detailed technical analysis of CVE-2024-50050, focusing on RCE via insecure deserialization in the LlamaStack framework. It includes methodologies for exploitation, supply chain attack vectors, and defensive hardening techniques.

Classification: Writeup 90%
Attack Type: RCE
Complexity: Complex
Reliability: Theoretical
Target: LlamaStack (Meta AI Stack)
No auth needed
Prerequisites: Access to vulnerable LlamaStack instance · Ability to send crafted ZeroMQ messages
devstral-2 · analyzed Feb 19, 2026

Scores

CVSS v3 6.3
EPSS 0.0089
EPSS Percentile 54.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

Status published
Products (1)
Meta Platforms, Inc/Llama Stack < 7a8aa775e5a267cf8660d83140011a0b7f91e005
Published Oct 23, 2024
Tracked Since Feb 18, 2026