Application
Application Security
- Evernote IPC RCE
- Y-Note Preload RCEs
- Managebac RTE XSS
- Government IDOR
- Gatekeepai IDOR
Binary
Binary Exploitation
- Tenda ROP RCE
- Six Overflow CVEs
- Telegram Reverse
- MIFARE Reverse
- First NLP-Pwn
AI/ML
AI/ML Security
- Transformers RCEs
- Tensorflow RCE
- Llamafile RCE
- Llama-cpp-py RCE
- Microsoft RCE
Honors
Honors
- Tencent Talent Program
- CMU PicoCTF 24 10th
- National CTF Prizes
- Huntr Monthly 1st
- Sec-Plat Featured
Automation
Research / Automation
- Protosec-Research
- ChatWithBinary
- PwnBERT
- AutoGDB
- Tree-of-AST
My work includes Remote Code Execution (RCE) vulnerabilities in Transformers, Llama-cpp-python (aka the Llama-Drama RCE), PrivateGPT, PandasAI, and more. These result in direct arbitrary code execution over an exposed API endpoint, or even from loading a seemingly harmless model / checkpoint. Through these discoveries, I have earned over $15,000 in bounties, which made me the number-one researcher on the Huntr leaderboard chart :) Beyond AI/ML, I also participate in various Vulnerability Disclosure Programs (VDP) and Bug Bounty Programs (BBP), where my findings have created a significant impact. In the past, I identified and exploited an IDOR vulnerability in a governmental service, which resulted in massive municipal data modification. Additionally, I discovered Cross-Site Scripting (XSS) vulnerabilities that led to Remote Code Execution (RCE) in Evernote and YoudaoNote, allowing arbitrary code execution with just one click on a note. I also uncovered a stored XSS vulnerability in Managebac, enabling the hijacking of high-privileged accounts and GPA modification, which affected over 1,000 schools (including many top-rated IB high schools). Furthermore, I dedicated over 10 hours per vulnerability to writing detailed, step-by-step proof-of-concept and discovery-to-exploitation writeups, which are hosted on my blog. My blogs have gained recognition and have been reposted on well-known security platforms such as InfosecWriteups, Checkmarx, Sonatype, Hackread, The Hacker News, MalwareDotNews, Security Week, SecAlerts, and more.
Netease
2 vulnerabilities found (Netease, Internet technology company)
LoLLMs
12 CVEs found (ParisNeo/lollms-webui, LLM hosting UI platform)
Llama-Cpp-Python Remote Code Execution by Server-Side Template Injection in Model Metadata
Remote code execution via server-side template injection: llama-cpp-python rendered the chat template stored in GGUF model metadata with an unprotected Jinja template renderer, so a crafted model file executes code on the host as soon as it is loaded.
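The practical check a defender wants for this class of bug is to look at what a model file carries in its metadata before anything renders it. The example below is added here and is not llama-cpp-python's own code: it parses the key/value section of a GGUF file (magic, version 3, tensor count, kv count, typed kv pairs, following the public GGUF layout) and flags a `tokenizer.chat_template` that reaches from a harmless object into Python internals. The sample GGUF blob and the hostile template are constructed inline; the token list in the regex is an illustrative denylist, not an exhaustive one.

```python
"""Added example, not llama-cpp-python's code: read GGUF metadata and flag a
chat template that walks into Python internals. Sample file is constructed."""
import io
import re
import struct

# GGUF metadata value type ids, as in the public GGUF spec.
(T_UINT8, T_INT8, T_UINT16, T_INT16, T_UINT32, T_INT32, T_FLOAT32,
 T_BOOL, T_STRING, T_ARRAY, T_UINT64, T_INT64, T_FLOAT64) = range(13)
_FMT = {T_UINT8: "<B", T_INT8: "<b", T_UINT16: "<H", T_INT16: "<h",
        T_UINT32: "<I", T_INT32: "<i", T_FLOAT32: "<f", T_BOOL: "<?",
        T_UINT64: "<Q", T_INT64: "<q", T_FLOAT64: "<d"}


def _read(buf, fmt):
    return struct.unpack(fmt, buf.read(struct.calcsize(fmt)))[0]


def _read_string(buf):
    n = _read(buf, "<Q")                      # gguf_string: u64 length + bytes
    return buf.read(n).decode("utf-8")


def _read_value(buf, vtype):
    if vtype == T_STRING:
        return _read_string(buf)
    if vtype == T_ARRAY:
        etype = _read(buf, "<I")
        n = _read(buf, "<Q")
        return [_read_value(buf, etype) for _ in range(n)]
    return _read(buf, _FMT[vtype])


def read_gguf_metadata(data: bytes) -> dict:
    """Parse only the header and the kv section; tensor info is not needed."""
    buf = io.BytesIO(data)
    if buf.read(4) != b"GGUF":
        raise ValueError("not a GGUF file")
    version = _read(buf, "<I")
    if version != 3:
        raise ValueError(f"unsupported GGUF version {version}")
    _tensor_count = _read(buf, "<Q")
    kv_count = _read(buf, "<Q")
    meta = {}
    for _ in range(kv_count):
        key = _read_string(buf)
        vtype = _read(buf, "<I")
        meta[key] = _read_value(buf, vtype)
    return meta


# Jinja constructs that have no business in a chat template: anything that
# climbs from a plain object to the interpreter's globals, builtins or os.
_SUSPICIOUS = re.compile(
    r"__(class|base|bases|mro|subclasses|globals|builtins|import|init)__"
    r"|\b(os|sys|subprocess|popen|eval|exec|open|system)\b")


def suspicious_template_constructs(template: str) -> list:
    """Distinct suspicious tokens found in a chat template, sorted."""
    return sorted({m.group(0) for m in _SUSPICIOUS.finditer(template)})


def scan_gguf(data: bytes) -> list:
    meta = read_gguf_metadata(data)
    return suspicious_template_constructs(meta.get("tokenizer.chat_template", ""))


# --- constructed sample: a minimal GGUF blob carrying a hostile template ---
def _kv_string(key: str, value: str) -> bytes:
    k, v = key.encode(), value.encode()
    return (struct.pack("<Q", len(k)) + k + struct.pack("<I", T_STRING)
            + struct.pack("<Q", len(v)) + v)


def _kv_u32(key: str, value: int) -> bytes:
    k = key.encode()
    return struct.pack("<Q", len(k)) + k + struct.pack("<I", T_UINT32) + struct.pack("<I", value)


EVIL_TEMPLATE = ("{% for x in ().__class__.__base__.__subclasses__() %}"
                 "{% if 'warning' in x.__name__ %}"
                 "{{ x()._module.__builtins__['__import__']('os').popen('id').read() }}"
                 "{% endif %}{% endfor %}")
SAMPLE_GGUF = (b"GGUF" + struct.pack("<I", 3) + struct.pack("<Q", 0) + struct.pack("<Q", 3)
               + _kv_string("general.architecture", "llama")
               + _kv_u32("llama.context_length", 4096)
               + _kv_string("tokenizer.chat_template", EVIL_TEMPLATE))

if __name__ == "__main__":
    print(scan_gguf(SAMPLE_GGUF))
```

A static scan like this is a triage aid, not the fix: the fix is to render untrusted templates only inside jinja2's sandboxed environment (which is what llama-cpp-python moved to), and to treat model files from a hub with the same suspicion as any other downloaded code.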
Transformers: Deserialization of Untrusted Data
Transformers contains a Deserialization of Untrusted Data vulnerability within the load_repo_checkpoint() function of the TFPreTrainedModel class. This vulnerability enables attackers to execute arbitrary code and commands through a carefully crafted serialized (pickle) payload in a checkpoint fetched from a repository.
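To make the mechanism concrete, the following is an added example and not Transformers' code: a checkpoint object whose pickle stream carries a call to `eval()`, the unsafe loader pattern the advisory describes, and a restricted unpickler whose `find_class` allowlist refuses anything a weights file does not legitimately need. The allowlist is illustrative; a real loader would list the exact container and tensor types it expects.

```python
"""Added example, not Transformers' code: unpickling an untrusted checkpoint
is code execution; a restricted Unpickler refuses the call."""
import io
import os
import pickle


class MaliciousCheckpoint:
    """Pickling this object records a call to eval(); unpickling runs it."""
    def __reduce__(self):
        # Anything callable works here; os.system is the usual choice.
        return (eval, ("__import__('os').getcwd()",))


def build_payload() -> bytes:
    # What a hostile checkpoint file on a model hub would contain (constructed).
    return pickle.dumps({"weights": MaliciousCheckpoint()})


def load_checkpoint_unsafe(blob: bytes):
    # The pattern the advisory describes: pickle.load on bytes from a remote repo.
    return pickle.loads(blob)


# Illustrative allowlist: only the plain containers a weights dict is built from.
ALLOWED = {
    ("collections", "OrderedDict"),
    ("builtins", "dict"), ("builtins", "list"), ("builtins", "tuple"),
    ("builtins", "float"), ("builtins", "int"), ("builtins", "str"),
}


class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        # Every global reference in the stream passes through here, including
        # the builtins.eval the payload needs; refuse anything not listed.
        if (module, name) in ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to load {module}.{name}")


def load_checkpoint_restricted(blob: bytes):
    return RestrictedUnpickler(io.BytesIO(blob)).load()


def demo() -> dict:
    blob = build_payload()
    unsafe = load_checkpoint_unsafe(blob)          # eval() has already run
    try:
        load_checkpoint_restricted(blob)
        refused = False
    except pickle.UnpicklingError:
        refused = True
    benign = pickle.dumps({"layer.weight": [0.1, 0.2]})   # constructed, no globals
    return {
        "unsafe_ran_eval": unsafe["weights"] == os.getcwd(),
        "restricted_refused": refused,
        "benign_loads": load_checkpoint_restricted(benign) == {"layer.weight": [0.1, 0.2]},
    }


if __name__ == "__main__":
    print(demo())
```

The restricted unpickler is a mitigation for code that must keep accepting pickle; the better answer for model weights is a format with no code path at all, such as safetensors, and to refuse pickle-based checkpoints from untrusted repositories outright.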
Transformers RCE in 'tools/base.py' -> 'load_tool'
Transformers' transformers.load_tool (reachable via from transformers import tools; tools.load_tool, or transformers.load_tool) executes arbitrary Python code from a maliciously built repository, without any Hugging Face Hub warning and without trust_remote_code being required.
ManageBac Stored XSS Vulnerability via Intercepted Request Modification
This vulnerability is reachable when submitting any content (comments, discussions) through the built-in rich-text editor: the editor's restrictions are client-side only, so intercepting and modifying the request with Burp Suite (described on the original page as a Man-In-The-Middle modification) lets arbitrary HTML reach the server, which stores it unsanitised.
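The lesson of a proxy-bypassed editor is that the server must enforce the allowed markup itself. The sanitiser below is an added example and not ManageBac's code: an allowlist HTML filter on the stdlib `html.parser`, which drops disallowed tags and every event-handler attribute, rejects `javascript:` and protocol-relative hrefs, strips `<script>`/`<style>` bodies, and closes any tags the submission left open. The tag and attribute lists are illustrative.

```python
"""Added example, not ManageBac's code: server-side allowlist sanitiser for
rich-text submissions, so a bypassed client-side editor changes nothing."""
from html import escape
from html.parser import HTMLParser

# Illustrative policy: what a comment editor is allowed to produce.
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "u", "ul", "ol", "li", "br", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
VOID_TAGS = {"br"}


def _safe_href(value: str) -> bool:
    # Drop whitespace/control characters first: "java\tscript:" is still javascript:.
    v = "".join(ch for ch in value if ch > " ").lower()
    if v.startswith("//"):                       # protocol-relative: off-site
        return False
    return v.startswith(("http://", "https://", "mailto:", "/"))


class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)  # data arrives decoded; we re-escape it
        self.out = []
        self._open = []          # allowed tags currently open, for balancing
        self._skip_depth = 0     # inside <script>/<style>: drop text too

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip_depth += 1
            return
        if tag not in ALLOWED_TAGS:
            return               # drop the tag itself, keep its text content
        kept = []
        for name, value in attrs:
            if name in ALLOWED_ATTRS.get(tag, set()) and value is not None:
                if name == "href" and not _safe_href(value):
                    continue
                kept.append(f' {name}="{escape(value, quote=True)}"')
        if tag == "a":
            kept.append(' rel="noopener noreferrer"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self._open.append(tag)

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._skip_depth = max(0, self._skip_depth - 1)
            return
        if tag in self._open:
            # Close everything opened after it too, keeping the output well-formed.
            while self._open:
                t = self._open.pop()
                self.out.append(f"</{t}>")
                if t == tag:
                    break

    def handle_data(self, data):
        if not self._skip_depth:
            self.out.append(escape(data, quote=False))

    def finish(self) -> str:
        self.close()
        while self._open:
            self.out.append(f"</{self._open.pop()}>")
        return "".join(self.out)


def sanitize_html(fragment: str) -> str:
    """Return the submitted fragment reduced to the allowed markup."""
    p = AllowlistSanitizer()
    p.feed(fragment)
    return p.finish()


if __name__ == "__main__":
    # Constructed payloads of the kind a proxy-modified request would carry.
    for sample in ('<img src=x onerror=alert(1)>',
                   '<a href="javascript:alert(1)" onclick="x()">link</a>',
                   '<p>Hi <b>there</b></p><script>alert(1)</script>'):
        print(repr(sanitize_html(sample)))
```

Run the sanitiser on the server at submission time and again, or with a strict Content-Security-Policy, at render time; never rely on the editor, which the attacker controls entirely.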
Microsoft Semantic Kernel RCE
Remote code execution in the template engine of Microsoft's Semantic Kernel LLM framework.
Using eval() to parse the external AWS SageMaker LLM response leads to Python command injection in imartinez/privategpt
In the complete() method of the SagemakerLLM class in sagemaker.py, PrivateGPT used eval() instead of json.loads() to turn the remotely retrieved response string into a dictionary, so a Python / OS command injection payload placed in the AWS SageMaker response is executed when the response is parsed.
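The contrast is easiest to see side by side. The example below is added here and is not PrivateGPT's code: the same response body handed to the vulnerable parser and to the fixed one, plus the tempting-but-wrong middle ground of `ast.literal_eval`, which cannot parse JSON's `true`/`false`/`null` and is therefore not a drop-in replacement. Both response bodies are constructed.

```python
"""Added example, not PrivateGPT's code: eval() versus json.loads() on an
endpoint response body the caller does not control."""
import ast
import json
import os


def parse_with_eval(body: str) -> dict:
    # Vulnerable pattern: eval() accepts any Python expression, so a response
    # that carries code instead of data runs it inside the caller's process.
    return eval(body)


def parse_with_json(body: str) -> dict:
    # Fixed pattern: json.loads() accepts JSON only; anything else is an error.
    return json.loads(body)


def parse_with_literal_eval(body: str) -> dict:
    # Not a fix for JSON input: literal_eval rejects JSON's true/false/null.
    return ast.literal_eval(body)


BENIGN_BODY = '{"generated_text": "The capital of France is Paris."}'
HOSTILE_BODY = '{"generated_text": __import__("os").getcwd()}'   # constructed
JSON_WITH_LITERALS = '{"ok": true, "error": null}'


def demo() -> dict:
    out = {}
    # eval() executes the injected call while "parsing" the body.
    out["eval_executed_code"] = parse_with_eval(HOSTILE_BODY)["generated_text"] == os.getcwd()
    try:
        parse_with_json(HOSTILE_BODY)
        out["json_rejected_hostile"] = False
    except json.JSONDecodeError:
        out["json_rejected_hostile"] = True
    try:
        parse_with_literal_eval(JSON_WITH_LITERALS)
        out["literal_eval_rejects_json_literals"] = False
    except ValueError:
        out["literal_eval_rejects_json_literals"] = True
    out["json_benign"] = parse_with_json(BENIGN_BODY)["generated_text"]
    return out


if __name__ == "__main__":
    print(demo())
```

The attacker here does not need to be AWS: anyone who can answer the endpoint call (a compromised endpoint, a misconfigured endpoint name, a proxy in the path) chooses the response body, so the parser must treat it as data only.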
Tenda AC8v4 contains multiple stack overflows leading to RCE
Tenda AC8 V4.0 firmware V16.03.34.06 was found to contain stack overflows via multiple variables in multiple functions (CVE-2023-33669 through CVE-2023-33675).
Arbitrary File Reading via Path Traversal in geopython/pygeoapi
This vulnerability allows a malicious user to inject an LFI payload into the path variable that bypasses the existing sanitisation, leading to arbitrary file reads via a sequence such as './/././/.'. Fixed in pull/1593.
GateKeep.ai IDOR -> Arbitrary User-data edit and disclosure
IDOR leading to arbitrary user-data edit and disclosure in the gatekeep.ai text-to-video generation platform. An attacker can edit and disclose other users' data by exploiting a flaw in the platform's authorization checks.
Arbitrary File Overwrite in ZulipConnector when zuliprc- directory exists in danswer-ai/danswer
Arbitrary file overwrite vulnerability in ZulipConnector's load_credentials function due to unsanitized realm_name and credentials content handling when zuliprc- directory exists.
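The pygeoapi read and the Danswer write above are two faces of the same mistake: a path built from user input is checked by filtering the input rather than by checking where the resolved path ends up. The example below is added here and is neither project's code. It shows a filter-style sanitiser (strip `../` once) being bypassed by a doubled sequence, a containment check that resolves the final path and requires it to stay under the base directory, and the same check applied to a credential file whose name comes from a user-supplied realm. The base directory `/srv/data`, the inputs and the `zuliprc-` naming are constructed for the demonstration.

```python
"""Added example; neither pygeoapi's nor Danswer's code. Filter-based path
sanitisation versus a containment check on the resolved path."""
import os


def naive_sanitise(user_path: str) -> str:
    # Filter-style sanitisation: remove '../' once. A doubled sequence such as
    # '....//' collapses to '../' after the pass, so the check is bypassable.
    return user_path.replace("../", "")


def safe_join(base_dir: str, user_path: str) -> str:
    """Resolve the final path (symlinks included) and require it to stay inside base_dir."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, user_path))
    if os.path.commonpath([base, target]) != base:
        raise ValueError(f"path escapes {base_dir}: {user_path!r}")
    return target


def zuliprc_path(base_dir: str, realm_name: str) -> str:
    """Credential file named from a user-supplied realm: the name must be one component."""
    if realm_name in ("", ".", "..") or realm_name != os.path.basename(realm_name):
        raise ValueError(f"realm name must be a single path component: {realm_name!r}")
    return safe_join(base_dir, f"zuliprc-{realm_name}")


BASE = "/srv/data"   # hypothetical data directory


def demo() -> dict:
    payload = "....//etc/passwd"                 # constructed bypass of the filter
    after_filter = naive_sanitise(payload)       # '../etc/passwd'
    # Where the filtered path lands if nothing checks the resolved location.
    naive_target = os.path.normpath(os.path.join(BASE, after_filter))
    try:
        safe_join(BASE, after_filter)
        blocked = False
    except ValueError:
        blocked = True
    try:
        zuliprc_path(BASE, "../../etc/cron.d/job")   # constructed realm name
        realm_blocked = False
    except ValueError:
        realm_blocked = True
    return {
        "after_filter": after_filter,
        "naive_target": naive_target,
        "safe_join_blocked": blocked,
        "realm_blocked": realm_blocked,
        "legit_read": safe_join(BASE, "tiles/1.png"),
        "legit_realm": zuliprc_path(BASE, "example"),
    }


if __name__ == "__main__":
    print(demo())
```

Note that the raw `....//` payload on its own resolves to a harmless oddly named directory under the base; it is the sanitiser that manufactures the traversal. A containment check on the resolved path does not care how the input was shaped, which is why it is the check to keep.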