Hugging Face Hub CI/CD Misconfiguration Allows Cross-Repository Access and Model Poisoning
Overview
Security researchers from Wiz discovered a critical vulnerability in the Hugging Face Hub platform that could allow an attacker to gain cross-repository access and potentially poison popular AI models. The vulnerability stemmed from the CI/CD integration for Hugging Face Spaces, which used shared runners with overly permissive, short-lived authentication tokens. An attacker could create their own malicious Hugging Face Space and, by crafting a custom `Dockerfile` or CI script, use the runner's environment to access and manipulate the CI/CD pipeline's API tokens. These tokens were not strictly scoped to the attacker's own repository, so a compromised CI/CD job could make API calls that modified other repositories belonging to the same user or, under certain conditions, to other organizations. The most severe impact of this flaw was the potential for a sophisticated supply chain attack: an attacker could use the cross-repository access to covertly push a malicious update to a popular, widely used public model, embedding backdoors or subtle biases. That poisoned model would then be downloaded and used by thousands of downstream users, turning one compromised job into a widespread compromise. The vulnerability highlighted the significant security challenges in MLOps platforms, where code execution, model storage, and collaboration converge.
Affected Systems
Testing Guide
1. This vulnerability was patched at the platform level by Hugging Face. The primary check is to ensure your organization's security practices are robust.
2. As a conceptual test, create two repositories, A and B, in your organization.
3. Set up a Hugging Face Space CI/CD job in repository A.
4. In the CI script for A, attempt to use `git` or API calls to list or modify the contents of repository B. Under the patched system, this action should fail due to insufficient permissions.
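The cross-repository check in steps 2 to 4 can be scripted from inside the job in repository A. The following is an added example and not Hugging Face or Wiz code. It assumes that the token the CI job runs with is exposed to the job as the `HF_TOKEN` environment variable (adjust the name to whatever your runner provides), that the `huggingface_hub` package is installed in the job, and that repository B is private, so that even the read probe exercises authorization (listing a public repository succeeds for everyone and proves nothing). `REPO_A` and `REPO_B` are placeholders for the two repositories created for the test.

```python
"""Probe whether the CI/CD token of repository A can reach repository B.

Added example, not Hugging Face or Wiz code. Assumptions: the job's token is
available as HF_TOKEN, huggingface_hub is installed, and REPO_B is private.
"""
import os
from typing import Optional

# Placeholder repository ids; replace with the two repositories created for the test.
REPO_A = "your-org/repo-a"
REPO_B = "your-org/repo-b"


def verdict(action: str, status: Optional[int], error: Optional[str] = None) -> dict:
    """Translate the HTTP outcome of one probe into a pass/fail finding.

    A 401/403 (or a 404, which the Hub returns for private repositories the
    caller may not see) means the token stayed confined to its own repository.
    A 2xx means the job could reach another repository, which is the failure
    mode the advisory describes. Anything else is inconclusive.
    """
    if status is not None and 200 <= status < 300:
        return {"action": action, "status": status, "scoped": False,
                "finding": f"token can {action} {REPO_B}: cross-repository access possible"}
    if status in (401, 403, 404):
        return {"action": action, "status": status, "scoped": True,
                "finding": f"{action} on {REPO_B} denied as expected"}
    return {"action": action, "status": status, "scoped": None,
            "finding": f"{action} on {REPO_B} inconclusive ({error or 'unexpected status'})"}


def probe(token: Optional[str] = None) -> list:
    """Run a read probe and a write probe against REPO_B with the job's token."""
    # Imported inside the function so the module loads even where the package is absent.
    from huggingface_hub import HfApi
    from huggingface_hub.utils import HfHubHTTPError

    api = HfApi(token=token or os.environ.get("HF_TOKEN"))
    probes = (
        ("list", lambda: api.list_repo_files(REPO_B)),
        ("write", lambda: api.upload_file(
            path_or_fileobj=b"ci scope probe marker\n",
            path_in_repo="ci-scope-probe.txt",
            repo_id=REPO_B,
            commit_message="ci scope probe (expected to be rejected)")),
    )
    results = []
    for action, call in probes:
        try:
            call()
            results.append(verdict(action, 200))
        except HfHubHTTPError as exc:
            status = exc.response.status_code if exc.response is not None else None
            results.append(verdict(action, status, str(exc)))
    return results


def token_is_scoped(results: list) -> bool:
    """True only if every probe was denied; an inconclusive probe does not count as a pass."""
    return all(r["scoped"] is True for r in results)


if __name__ == "__main__":
    outcome = probe()
    for r in outcome:
        print(r["finding"])
    print("PASS: token scoped to its own repository" if token_is_scoped(outcome)
          else "FAIL: investigate before trusting this runner")
```

Run the script as a step of the CI job in repository A; a platform that confines the job's token to A produces two denials. Treating an unexpected status as inconclusive rather than as a pass avoids a network hiccup being mistaken for correct scoping.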
Mitigation Steps
1. **Audit Permissions**: Regularly audit the permissions of users and CI/CD systems within your Hugging Face organization, adhering to the principle of least privilege.
2. **Protect Branches**: Use protected branches for the `main` branch of critical model and dataset repositories to require reviews before any changes are merged.
3. **Review CI/CD Configurations**: Scrutinize `Dockerfile` and other CI/CD configuration files in your repositories for any suspicious commands or network activity.
4. **Monitor Repository Events**: Monitor audit logs for unexpected pushes or permission changes to sensitive repositories.
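Step 4 can be turned into a small policy check over the organization's audit log. The code below is an added example, not Hugging Face code. The event schema (`time`, `actor`, `actor_type`, `action`, `repo`, `ref`) is an assumption constructed for this example, as are the sample events and the `acme/...` repository names; map the fields of your exported audit log onto it before use. It flags three things that matter for the attack described above: a CI or Space build identity pushing directly to a sensitive model or dataset repository, a push by a human account not on that repository's allow list, and any permission change on a sensitive repository.

```python
"""Flag unexpected pushes and permission changes in a Hugging Face organization audit log.

Added example, not Hugging Face code. The event schema and sample events are
constructed for this example; adapt the field names to your exported log.
"""
import json
from typing import Iterable, List

# Policy: which repositories matter and who may change them. Placeholder names.
SENSITIVE_REPOS = {"acme/prod-classifier", "acme/eval-dataset"}
ALLOWED_PUSHERS = {
    "acme/prod-classifier": {"alice", "release-bot"},
    "acme/eval-dataset": {"bob"},
}
# Identities that should never write to a sensitive repository directly.
CI_ACTOR_TYPES = {"space_ci", "ci_job"}

# Constructed sample audit events (JSON lines), not real Hub output.
SAMPLE_LOG = """\
{"time":"2024-03-01T10:00:00Z","actor":"alice","actor_type":"user","action":"repo.push","repo":"acme/prod-classifier","ref":"main"}
{"time":"2024-03-01T10:05:00Z","actor":"space-build-7f3a","actor_type":"space_ci","action":"repo.push","repo":"acme/demo-space","ref":"main"}
{"time":"2024-03-01T10:07:00Z","actor":"space-build-7f3a","actor_type":"space_ci","action":"repo.push","repo":"acme/prod-classifier","ref":"main"}
{"time":"2024-03-01T10:09:00Z","actor":"mallory","actor_type":"user","action":"repo.permission_change","repo":"acme/eval-dataset","detail":"write granted to carol"}
{"time":"2024-03-01T10:12:00Z","actor":"bob","actor_type":"user","action":"repo.push","repo":"acme/eval-dataset","ref":"dev"}
"""


def parse_events(text: str) -> List[dict]:
    """Parse JSON-lines audit export, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def analyze(events: Iterable[dict]) -> List[dict]:
    """Return one finding per policy violation touching a sensitive repository."""
    findings = []
    for ev in events:
        repo = ev.get("repo")
        if repo not in SENSITIVE_REPOS:
            continue  # only sensitive repositories are policed here
        action = ev.get("action")
        actor = ev.get("actor")
        base = {"time": ev.get("time"), "actor": actor, "repo": repo, "action": action}
        if action == "repo.push":
            if ev.get("actor_type") in CI_ACTOR_TYPES:
                # A build/runner identity writing to a model or dataset repository is
                # exactly the path a compromised job would take to poison a model.
                findings.append({**base, "reason": "ci_push_to_sensitive_repo"})
            elif actor not in ALLOWED_PUSHERS.get(repo, set()):
                findings.append({**base, "reason": "push_by_unlisted_actor"})
        elif action == "repo.permission_change":
            # Any permission change on a sensitive repository deserves a human look.
            findings.append({**base, "reason": "permission_change_on_sensitive_repo"})
    return findings


def run_sample() -> List[dict]:
    """Analyze the constructed sample log (used for the demonstration below)."""
    return analyze(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f['time']} {f['reason']:38} {f['actor']} -> {f['repo']}")
```

On the sample log this reports the Space build identity pushing to `acme/prod-classifier` and the permission change on `acme/eval-dataset`; the push to the demo Space is ignored because it is not in the sensitive set, and the pushes by `alice` and `bob` pass the allow list. In practice the allow list and sensitive set should be generated from the same source of truth used for the permission audit in step 1, so the two controls cannot drift apart.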
Patch Details
Hugging Face remediated the issue by enhancing the isolation and token scoping of their CI/CD runners.