Hugging Face Hub CI/CD Misconfiguration Allows Malicious Pull Request to Steal Secrets and Compromise Repositories
Overview
A critical CI/CD misconfiguration, tracked as CVE-2024-28105, was identified in the Hugging Face Hub's CI/CD environment. The flaw lay in how CI runners handled secrets and permissions for pull requests submitted from forked repositories. An attacker could fork a public model or dataset repository, add malicious code to the fork (a new or modified workflow file under `.github/workflows/`, or a build or test script that the existing workflow executes), and open a pull request against the original repository. Because of the misconfiguration, the CI pipeline triggered on that pull request and ran the attacker's code in a trusted context, with the base repository's secrets available. In GitHub Actions terms this is the well-known "pwn request" pattern: a workflow triggered by `pull_request` from a fork receives no repository secrets, but one triggered by `pull_request_target` runs in the base repository's context with secrets, and becomes exploitable as soon as it checks out and executes the contributor's code. The malicious code could then read repository secrets, most notably `HF_TOKEN`, which often carried write permission to all of the victim's repositories. By exfiltrating this token, an attacker gained control over the victim's Hugging Face account and could modify or poison popular models, delete datasets, or inject malicious code into model source files. This presented a severe supply chain risk: millions of downstream users could unknowingly pull and execute a compromised model. The vulnerability was reported by researchers at Wiz, who demonstrated its potential for widespread impact across the open-source AI ecosystem.
Affected Systems
Testing Guide
1. **Review CI Logs**: Check historical CI/CD logs for workflow runs triggered by pull requests from forks, especially runs that had secrets available, that accompanied changes to workflow, build, or test files, or that failed in unexpected ways.
2. **Review Workflow Triggers**: Inspect every file under `.github/workflows/` for workflows that run on `pull_request_target` and check out the pull request head (for example, `actions/checkout` with `ref: ${{ github.event.pull_request.head.sha }}`) before running build or test commands. That combination executes untrusted code with the base repository's secrets.
3. **Create a Test PR (Post-Mortem)**: On a non-critical repository you own, create a fork and open a pull request whose workflow checks whether the secret is present on the runner, for example `test -n "$HF_TOKEN" && echo "HF_TOKEN is set"`. Do not print the value itself: GitHub Actions masks secret values in logs, so a plain `echo $HF_TOKEN` shows `***` and proves little, while any trick to unmask it exfiltrates a live credential. If the check reports the secret as set, the pipeline is vulnerable. Do not run this against public repositories you do not own.
4. **Audit Token Permissions**: In your Hugging Face account settings, review every active access token and revoke any with broader permissions than the workflow needs; a legacy `write` token grants write access to every repository the account can write to.
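The misconfiguration described in the Overview, and the workflow review in the Testing Guide, as an added Python example (not code from the advisory or from Hugging Face). It shows the vulnerable workflow shape beside its hardened form and an audit function that flags the combination of a `pull_request_target` trigger, a checkout of the PR head, and secret references. The secret name `HF_TOKEN` follows the advisory; the workflow name, job layout and the `pip install -e . && pytest` command are constructed for illustration. The check operates on workflows already parsed into Python dicts (the structure PyYAML's `safe_load` produces), so it runs offline with no third-party package.

```python
"""Audit GitHub Actions workflows for the fork-PR secret-exposure ("pwn request") pattern.

Added example, not code from the original advisory or from Hugging Face. The input is a
workflow definition parsed into a dict (the shape PyYAML's safe_load gives); the two
sample workflows at the bottom are constructed for illustration.
"""
from __future__ import annotations

import re
from typing import Iterator

# Expressions that resolve to the contributor's (untrusted) pull request head.
PR_HEAD_MARKERS = ("github.event.pull_request.head", "github.head_ref")
SECRET_REF = re.compile(r"secrets\.([A-Za-z_][A-Za-z0-9_]*)")


def triggers(workflow: dict) -> set[str]:
    """Event names the workflow runs on, for the string, list and mapping forms of `on:`."""
    # PyYAML (YAML 1.1) parses a bare `on:` key as the boolean True, so accept both keys.
    on = workflow.get("on", workflow.get(True, {}))
    if isinstance(on, str):
        return {on}
    if isinstance(on, list):
        return set(on)
    return set(on.keys())


def steps(workflow: dict) -> Iterator[tuple[str, int, dict]]:
    """Yield (job name, step index, step) for every step in every job."""
    for job_name, job in workflow.get("jobs", {}).items():
        for idx, step in enumerate(job.get("steps", [])):
            yield job_name, idx, step


def checks_out_pr_head(step: dict) -> bool:
    """True when actions/checkout is pointed at the PR head instead of the base branch."""
    if not str(step.get("uses", "")).startswith("actions/checkout"):
        return False
    ref = str(step.get("with", {}).get("ref", ""))
    return any(marker in ref for marker in PR_HEAD_MARKERS)


def referenced_secrets(node) -> set[str]:
    """Every `secrets.NAME` expression anywhere in the workflow (env, with, run, ...)."""
    found: set[str] = set()
    if isinstance(node, dict):
        for value in node.values():
            found |= referenced_secrets(value)
    elif isinstance(node, list):
        for value in node:
            found |= referenced_secrets(value)
    else:
        found |= set(SECRET_REF.findall(str(node)))
    return found


def audit_workflow(workflow: dict) -> list[str]:
    """Findings for the pattern in the advisory; an empty list means it was not found.

    A `pull_request` run from a fork receives no repository secrets, so only
    `pull_request_target` (base-repository context, secrets available) is interesting,
    and only when the workflow also checks out and runs the contributor's code.
    """
    if "pull_request_target" not in triggers(workflow):
        return []
    findings: list[str] = []
    for job_name, idx, step in steps(workflow):
        if checks_out_pr_head(step):
            findings.append(
                f"{job_name}/step {idx}: pull_request_target checks out the PR head "
                f"({step['with']['ref']}); untrusted code runs with base-repository secrets"
            )
    secrets = referenced_secrets(workflow)
    if findings and secrets:
        findings.append("secrets exposed to that code: " + ", ".join(sorted(secrets)))
    return findings


# Constructed sample of the vulnerable shape, as the YAML would read:
#   on: pull_request_target
#   jobs.test.steps:
#     - uses: actions/checkout@v4
#       with: {ref: "${{ github.event.pull_request.head.sha }}"}
#     - run: pip install -e . && pytest
#       env: {HF_TOKEN: "${{ secrets.HF_TOKEN }}"}
VULNERABLE = {
    "name": "test-model",
    "on": "pull_request_target",
    "jobs": {"test": {"runs-on": "ubuntu-latest", "steps": [
        {"uses": "actions/checkout@v4",
         "with": {"ref": "${{ github.event.pull_request.head.sha }}"}},
        {"run": "pip install -e . && pytest",
         "env": {"HF_TOKEN": "${{ secrets.HF_TOKEN }}"}},
    ]}},
}

# Hardened form: `pull_request` builds the fork's code in a context that receives no
# repository secrets, so the same steps cannot leak HF_TOKEN even if the PR is hostile.
HARDENED = {
    "name": "test-model",
    "on": "pull_request",
    "jobs": {"test": {"runs-on": "ubuntu-latest", "steps": [
        {"uses": "actions/checkout@v4"},
        {"run": "pip install -e . && pytest"},
    ]}},
}

if __name__ == "__main__":
    for label, wf in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        print(label, audit_workflow(wf) or ["no findings"])
```

To run it over real files, load each workflow with `yaml.safe_load` and pass the result to `audit_workflow`; a `pull_request_target` workflow that only labels or comments on the PR and never checks out its head produces no findings, which is the intended safe use of that trigger.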
Mitigation Steps
1. **Rotate Hugging Face Tokens**: Immediately revoke every existing `HF_TOKEN` associated with your account, generate replacements, and update the CI secrets that held the old values. Rotation is the only remedy for a token that may already have been copied.
2. **Fix the Workflow Trigger**: Use `pull_request` for any workflow that builds or tests a contributor's code; GitHub Actions gives fork-originated `pull_request` runs no repository secrets. If `pull_request_target` is genuinely needed (for example, to label or comment on a pull request), never check out or execute the pull request head in that workflow, and require manual approval before workflow runs from outside contributors.
3. **Audit Pull Requests**: Do not merge pull requests from untrusted sources without carefully reviewing any changes to CI/CD configuration files (e.g., `.github/workflows`) and to the build or test scripts those workflows execute.
4. **Use Fine-Grained Tokens**: Wherever possible, use fine-grained access tokens with the minimum required scopes, limited to the specific repositories the workflow touches, instead of legacy write-permission tokens.
5. **Monitor Repository Activity**: Regularly review the commit history of your models and datasets for unexpected commits, file changes, or new collaborators.
Patch Details
Hugging Face reconfigured its CI/CD infrastructure so that workflow runs triggered by pull requests from forks no longer receive repository secrets, which removes the attack vector. Repository owners still need to rotate any token that was exposed before the fix and to check their own workflows for the same trigger-and-checkout pattern.