Remote Code Execution via Malicious Model
A vulnerability in huggingface/transformers version 4.33.1 allows remote code execution through the loading of a malicious vocab.pkl file in TransfoXLTokenizer. The issue arises from the use of `pickle.load` without restrictions. It was patched in version 4.36.
Available publicly on Dec 20 2023 | Available with Premium on Dec 20 2023
Remediation Steps
- Update to huggingface/transformers version 4.36 or later.
- Avoid loading models from untrusted sources.
- Implement additional security checks for deserialized data, similar to `torch.load` restrictions.
- Monitor and review external repositories for signs of tampering or malicious redirection.
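One way to apply the "restrict deserialized data" step above, as an added example that is not code from the advisory or from transformers: a `pickle.Unpickler` subclass whose `find_class` resolves only an allow list of globals, so a vocab pickle that names anything else is refused before it can be instantiated. The allow list and the sample vocab layout (Counter, list, OrderedDict) are assumptions for this example.

```python
import collections
import datetime
import io
import pickle

# Globals a TransfoXL-style vocab pickle is assumed to need (an assumption for
# this example, not taken from the transformers source).
ALLOWED_GLOBALS = {("collections", "Counter"), ("collections", "OrderedDict")} | {
    ("builtins", n) for n in ("dict", "list", "set", "tuple", "str", "int", "float")
}


class RestrictedUnpickler(pickle.Unpickler):
    """Resolve only allow-listed globals: pickle.load trusts every GLOBAL
    reference in the stream, so a tampered vocab.pkl can name any importable
    callable; find_class is the hook for refusing them before REDUCE runs."""

    def __init__(self, file):
        super().__init__(file)
        self.requested = []  # every (module, name) the stream asked for

    def find_class(self, module, name):
        self.requested.append((module, name))
        if (module, name) not in ALLOWED_GLOBALS:
            raise pickle.UnpicklingError(
                f"refusing to resolve global {module}.{name} in vocab pickle")
        return super().find_class(module, name)


def safe_load_vocab(data: bytes):
    """Return (vocab, requested_globals); raise UnpicklingError on any
    global outside ALLOWED_GLOBALS without ever instantiating it."""
    unpickler = RestrictedUnpickler(io.BytesIO(data))
    return unpickler.load(), unpickler.requested


def build_sample_vocab() -> bytes:
    """Constructed sample in the shape a TransfoXL vocab is assumed to have."""
    vocab = {
        "counter": collections.Counter({"the": 3, "cat": 1}),
        "idx2sym": ["<unk>", "the", "cat"],
        "sym2idx": collections.OrderedDict([("<unk>", 0), ("the", 1), ("cat", 2)]),
    }
    return pickle.dumps(vocab)


def build_unexpected_sample() -> bytes:
    """Constructed stand-in for a stream naming an unexpected global (a harmless
    datetime.date); anything outside the allow list is rejected the same way."""
    return pickle.dumps(datetime.date(2023, 12, 20))
```

The `requested` list doubles as an audit trail: logging it for every vocab loaded from a remote repository gives a detection signal when a file starts referencing globals it never did before.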
Patch Details
- Fixed Version: 4.36
- Patch Commit: https://github.com/huggingface/transformers/commit/1d63b0ec361e7a38f1339385e8a5a855085532ce