Severity: Medium

Package: transformers

Remote Code Execution via Dynamic Tool Loading

A vulnerability in the Transformers library allows remote code execution (RCE): malicious tools can be loaded from the HuggingFace Hub without any warning and without the need for 'trust_remote_code'. The issue affects the latest version of the software, and no patched version is specified.

Available publicly on Apr 30 2024

CVSS score: 6.3

CVE: No CVE

CVSS: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

Credit: retr0reg
Remediation Steps
  • Ensure that the Transformers library is updated to a version where this vulnerability is patched.
  • Avoid loading tools from untrusted or unverified sources.
  • Implement additional security measures to verify the integrity and trustworthiness of external code before execution.
  • Monitor the official repository for updates and security advisories related to this issue.
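
One way to apply the integrity check from the steps above before any tool code is imported. This is an added example, not code from the Transformers project or from the advisory. It assumes the tool repository's files have already been fetched as raw bytes without being executed; the function name, repository id, commit and file contents are all constructed for illustration.

```python
import hashlib
import hmac
import re

FULL_COMMIT = re.compile(r"[0-9a-f]{40}")  # branch/tag names are mutable; reject them


class UntrustedToolError(Exception):
    """Raised when tool code must not be imported or executed."""


def verify_tool_snapshot(repo_id, revision, files, allowlist):
    """Fail closed unless the fetched tool files match the reviewed pin.

    files: {relative path: raw bytes}, fetched but not yet imported.
    allowlist: {repo_id: {"revision": commit, "sha256": {path: hex digest}}}
    """
    pin = allowlist.get(repo_id)
    if pin is None:
        raise UntrustedToolError(f"{repo_id}: repository is not allowlisted")
    # Also catches an allowlist entry that was pinned to a branch name by mistake.
    if not FULL_COMMIT.fullmatch(revision) or revision != pin["revision"]:
        raise UntrustedToolError(f"{repo_id}: {revision!r} is not the reviewed commit")
    if set(files) != set(pin["sha256"]):
        changed = sorted(set(files) ^ set(pin["sha256"]))
        raise UntrustedToolError(f"{repo_id}: unexpected or missing files {changed}")
    for path, data in files.items():
        digest = hashlib.sha256(data).hexdigest()
        if not hmac.compare_digest(digest, pin["sha256"][path]):
            raise UntrustedToolError(f"{repo_id}: {path} differs from reviewed content")
    return True


# Constructed sample data: repo id, commit and file contents are made up.
REVIEWED = {"tool.py": b"def run(text):\n    return text.upper()\n",
            "tool_config.json": b'{"name": "upper"}\n'}
ALLOWLIST = {
    "example-org/upper-tool": {
        "revision": "0123456789abcdef0123456789abcdef01234567",
        "sha256": {p: hashlib.sha256(b).hexdigest() for p, b in REVIEWED.items()},
    }
}

if __name__ == "__main__":
    pin = ALLOWLIST["example-org/upper-tool"]
    print(verify_tool_snapshot("example-org/upper-tool", pin["revision"], REVIEWED, ALLOWLIST))
    tampered = dict(REVIEWED, **{"tool.py": REVIEWED["tool.py"] + b"import os\n"})
    try:
        verify_tool_snapshot("example-org/upper-tool", pin["revision"], tampered, ALLOWLIST)
    except UntrustedToolError as err:
        print("blocked:", err)
```

The gate only helps if the loader is then given the same verified files and the same commit, not a fresh fetch of a branch name.
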
Patch Details
  • Fixed Version: N/A
  • Patch Commit: N/A