The vulnerability stems from the RagRetriever.from_pretrained() function's handling of external configuration files, which can be manipulated to redirect the loading process to malicious repositories containing harmful pickle files. This process completely bypasses the library's scanning mechanisms designed to flag unsafe files, allowing attackers to execute arbitrary code on the victim's machine (reversed Remote Code Execution - RCE) and spread malware across the Hugging Face platform (worm infection).

An attacker creates two repositories: a front-end to lure victims and a back-end containing malicious pickle files. The victim, deceived by the seemingly safe front-end repository, uses the from_pretrained function to load a model, which then redirects to the back-end and deserializes the harmful pickle files. If the victim has write permissions on the Hugging Face platform, the attack also replicates the malicious repository under the victim's account, spreading the infection.

Users of the Hugging Face transformers library version 4.35.2 who utilize the RagRetriever.from_pretrained() function to load models from unverified sources are at risk. The vulnerability particularly impacts those with write permissions on the Hugging Face platform, as it enables the propagation of the worm infection.