Medium

transformers

Remote Code Execution via Dynamic Tool Loading

A vulnerability in the Transformers library allows for remote code execution (RCE) by loading malicious tools from the HuggingFace Hub without warnings or the need for 'trust_remote_code'. This issue affects the latest version of the software and was identified without a specified patch version.

Available publicly on Apr 30 2024

6.3

CVE:

No CVE

CVSS:

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

Credit:

retr0reg
Threat Overview

The vulnerability stems from the dynamic loading of Python classes from external repositories in the Transformers library. Specifically, the 'load_tool' function, through a series of calls, dynamically imports a class from a module fetched from a specified repository. This process lacks sufficient security checks, allowing attackers to execute arbitrary Python commands by crafting malicious repositories. Such actions can lead to arbitrary OS command execution, creation of reverse-shell connections, or even the initiation of worm attacks through the HuggingFace Hub.

Attack Scenario

An attacker creates a malicious repository on HuggingFace Hub containing a custom tool with a Python class that executes arbitrary code upon import. The attacker then convinces a victim to load this tool using the Transformers library's 'load_tool' function. Since the library does not require 'trust_remote_code' to be set to true or display any warnings for loading tools from external sources, the malicious code is executed, compromising the victim's system.

Who is affected

Users of the Transformers library who load tools from external repositories, especially those from the HuggingFace Hub, without manually verifying the trustworthiness of the source code, are vulnerable to this attack. This includes both individual developers and organizations that rely on dynamically loaded tools for machine learning tasks.

Technical Report
Want more out of Sightline?

Sightline offers even more for premium customers

Go Premium

We have - related security advisories that are available with Sightline Premium.