CVE-2024-3568
📋 TL;DR
The huggingface/transformers library contains a critical vulnerability that allows arbitrary code execution when a malicious serialized checkpoint is loaded. An attacker who can get a victim to load a crafted checkpoint during a training run can execute commands on the victim's machine. This affects anyone who calls the vulnerable TFPreTrainedModel.load_repo_checkpoint() function on checkpoints from untrusted sources.
💻 Affected Systems
- huggingface/transformers
📦 What is this software?
Transformers by Huggingface
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with attacker gaining complete control over the machine, data exfiltration, lateral movement, and persistent backdoor installation.
Likely Case
Execution of arbitrary commands in the context of the running application, potentially leading to data theft, cryptocurrency mining, or ransomware deployment.
If Mitigated
Limited impact if proper input validation and sandboxing are implemented, though some system access may still be possible.
🎯 Exploit Status
Exploitation requires victim to load a malicious checkpoint, which could be distributed via model repositories or shared datasets.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Commit 693667b8ac8138b83f8adb6522ddaf42fa07c125 and later
Vendor Advisory: https://github.com/huggingface/transformers/commit/693667b8ac8138b83f8adb6522ddaf42fa07c125
Restart Required: No
Instructions:
1. Update the transformers library to the latest version.
2. Verify that commit 693667b8ac8138b83f8adb6522ddaf42fa07c125 is included.
3. Test checkpoint loading functionality.
🔧 Temporary Workarounds
Disable untrusted checkpoint loading (applies to: all)
Avoid loading checkpoints from untrusted sources or repositories.
# No specific command - implement policy to only load from trusted sources
Implement input validation (applies to: all)
Add validation to ensure checkpoints come from trusted sources before loading.
# Implement source verification in code before calling load_repo_checkpoint()
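The source-verification workaround above, as an added example that is not code from the transformers project: a pre-load gate that hands a checkpoint directory to TFPreTrainedModel.load_repo_checkpoint() only when every file in it, pickle-format files in particular, matches a SHA-256 manifest pinned from a trusted source. The manifest layout, the helper names and the sample file names are assumptions of this example.

```python
"""Added example: gate TFPreTrainedModel.load_repo_checkpoint() behind a
pinned SHA-256 manifest so only files from a trusted source get
deserialized. Manifest format and helper names are assumptions."""
import hashlib
from pathlib import Path

# Extensions a pickle-based loader would deserialize; an unpinned file with
# one of these names is reported separately because that is the file type
# an arbitrary-code-execution payload would be delivered in.
PICKLE_SUFFIXES = {".pickle", ".pkl"}


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_checkpoint_dir(checkpoint_dir: str, pinned: dict[str, str]) -> tuple[bool, list[str]]:
    """Return (ok, problems): ok only if every file under checkpoint_dir is
    listed in `pinned` (relative POSIX path -> sha256) with a matching digest
    and no pinned file is missing."""
    root = Path(checkpoint_dir)
    problems: list[str] = []
    seen: set[str] = set()
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        seen.add(rel)
        expected = pinned.get(rel)
        if expected is None:
            kind = "unpinned pickle-format file" if p.suffix in PICKLE_SUFFIXES else "unpinned file"
            problems.append(f"{kind}: {rel}")
        elif sha256_of(p) != expected:
            problems.append(f"digest mismatch: {rel}")
    problems += [f"pinned file missing: {rel}" for rel in pinned if rel not in seen]
    return (not problems, problems)


def load_checkpoint_if_trusted(model, checkpoint_dir: str, pinned: dict[str, str]):
    """Call the loader only after verification passes.
    `model` is assumed to be a TFPreTrainedModel instance."""
    ok, problems = verify_checkpoint_dir(checkpoint_dir, pinned)
    if not ok:
        raise RuntimeError("refusing to load checkpoint: " + "; ".join(problems))
    return model.load_repo_checkpoint(checkpoint_dir)
```

The manifest should be produced when the checkpoint is created (or fetched from the trusted publisher over an authenticated channel), not computed from the directory you are about to load.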
🧯 If You Can't Patch
- Implement strict access controls to prevent loading checkpoints from untrusted sources
- Run transformers in isolated containers or sandboxes with minimal privileges
🔍 How to Verify
Check if Vulnerable:
Check if your transformers version includes commit 693667b8ac8138b83f8adb6522ddaf42fa07c125. If not, you are vulnerable.
Check Version:
python -c "import transformers; print(transformers.__version__)"
Verify Fix Applied:
Verify the commit hash in your installed transformers library and test loading checkpoints from safe sources.
📡 Detection & Monitoring
Log Indicators:
- Unexpected process spawns from transformers processes
- Network connections from transformers to unexpected destinations
- File system modifications by transformers process
Network Indicators:
- Outbound connections to suspicious IPs from transformers processes
- DNS requests for known malicious domains
SIEM Query:
process_name:"python" AND (process_command_line:"transformers" OR process_command_line:"load_repo_checkpoint") AND (process_spawned:true OR network_connection:true)
🔗 References
- https://github.com/huggingface/transformers/commit/693667b8ac8138b83f8adb6522ddaf42fa07c125
- https://huntr.com/bounties/b3c36992-5264-4d7f-9906-a996efafba8f