RCE and Worm Infection via Deserialization in RagRetriever Model Loading
A vulnerability in the Hugging Face transformers library (v4.35.2) allows attackers to execute arbitrary code and propagate a worm by exploiting the `RagRetriever.from_pretrained()` function. This is achieved through deserialization of untrusted data from maliciously crafted pickle files, bypassing the library's security scanning. The issue was patched in version 4.36.
Available publicly on Dec 12 2023 | Available with Premium on Dec 08 2023
Threat Overview
The vulnerability stems from the RagRetriever.from_pretrained()
function's handling of external configuration files, which can be manipulated to redirect the loading process to malicious repositories containing harmful pickle files. This process completely bypasses the library's scanning mechanisms designed to flag unsafe files, allowing attackers to execute arbitrary code on the victim's machine (reversed Remote Code Execution - RCE) and spread malware across the Hugging Face platform (worm infection).
Attack Scenario
An attacker creates two repositories: a front-end to lure victims and a back-end containing malicious pickle files. The victim, deceived by the seemingly safe front-end repository, uses the from_pretrained
function to load a model, which then redirects to the back-end and deserializes the harmful pickle files. If the victim has write permissions on the Hugging Face platform, the attack also replicates the malicious repository under the victim's account, spreading the infection.
Who is affected
Users of the Hugging Face transformers library version 4.35.2 who utilize the RagRetriever.from_pretrained()
function to load models from unverified sources are at risk. The vulnerability particularly impacts those with write permissions on the Hugging Face platform, as it enables the propagation of the worm infection.
Technical Report
Want more out of Sightline?
Sightline offers even more for premium customers
Go Premium
We have - related security advisories that are available with Sightline Premium.