Hugging Face Hub CI/CD Takeover via Maliciously Crafted `config.json`
Overview
A critical command injection vulnerability was discovered in the `huggingface-hub` library that allowed attackers to achieve remote code execution (RCE) on systems that clone model repositories. The flaw existed in the library's handling of the `config.json` file within model repositories. This file can contain a `_target_` key, which specifies a Python class to be instantiated. Researchers found that by crafting a malicious `config.json` with a specific `_target_` path pointing to a class that executes shell commands (e.g., `os.system`), they could trigger arbitrary code execution.

The attack vector was particularly dangerous for CI/CD pipelines and automated MLOps workflows. When such a system cloned a malicious model from the Hugging Face Hub using a vulnerable version of the library, the payload in `config.json` would execute on the CI runner. This could lead to a complete takeover of the build environment, allowing attackers to steal cloud credentials, API keys, and private training data, or to poison the model build process so that it produces a malicious model artifact.

The vulnerability exposed the risk of trusting metadata files within ML repositories and demonstrated how supply chain attacks can extend beyond package managers to the model hubs that form the backbone of the AI ecosystem.
Affected Systems
Testing Guide
1. Check the installed version of the `huggingface-hub` library in your environment: `pip show huggingface-hub`.
2. If the version is below `0.21.0`, your system is vulnerable.
3. To create a safe PoC, create a local model directory with a `config.json` containing a payload that executes a benign command, such as `{"_target_": "os.system", "path": "echo 'PoC successful'"}`. Attempt to load this model using a vulnerable version of the library and observe whether the command executes.
Mitigation Steps
1. **Upgrade `huggingface-hub`**: Immediately update the library to version `0.21.0` or later using `pip install --upgrade huggingface-hub`.
2. **Audit CI/CD Pipelines**: Review all CI/CD workflows that interact with the Hugging Face Hub. Ensure they run with the principle of least privilege in isolated, ephemeral environments.
3. **Scan Model Repositories**: Before cloning or using a model from a less-trusted source, inspect its `config.json` file for suspicious `_target_` keys or other potentially unsafe configurations.
4. **Disable Dynamic Instantiation**: If possible, configure applications to avoid dynamically instantiating classes from configuration files loaded from untrusted sources.
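Steps 3 and 4 above can be enforced in code rather than by eye. The following Python is an added example, not part of the advisory or of the `huggingface-hub` library: it walks a `config.json` document, reports every `_target_` key (at any nesting depth) whose value is not on an explicit allowlist, and replaces dynamic import-by-string with a fixed registry lookup, so an unexpected `_target_` can never be resolved to a callable. The allowlist entry `example.DummyModel`, the `DummyModel` class, the `REGISTRY` mapping and the two sample configs are all constructed for illustration; the malicious sample reuses the benign `os.system` / `echo` payload the advisory itself describes.

```python
"""Defender-side check for `_target_` keys in a model repository's config.json.

Added example (not the huggingface-hub implementation). Assumptions:
  - ALLOWED_TARGETS / REGISTRY are placeholders; a real pipeline fills them with
    the specific classes its own loaders are meant to build.
"""
import json
from typing import Any, Callable, Dict, List, Tuple

# Assumed allowlist: the only fully qualified names a `_target_` may name.
ALLOWED_TARGETS = {"example.DummyModel"}


class DummyModel:
    """Constructed stand-in for a legitimate model class."""

    def __init__(self, hidden_size: int = 8):
        self.hidden_size = hidden_size


# Explicit name -> callable registry. Nothing outside this dict is ever imported
# or executed, which is what "disable dynamic instantiation" means in practice.
REGISTRY: Dict[str, Callable[..., Any]] = {"example.DummyModel": DummyModel}


def find_targets(node: Any, path: str = "$") -> List[Tuple[str, Any]]:
    """Recursively collect every `_target_` key with a JSONPath-like location."""
    hits: List[Tuple[str, Any]] = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if key == "_target_":
                hits.append((child, value))
            hits.extend(find_targets(value, child))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            hits.extend(find_targets(item, f"{path}[{i}]"))
    return hits


def audit_config(text: str, allowed=ALLOWED_TARGETS) -> Dict[str, Any]:
    """Parse config.json text and report any `_target_` outside the allowlist."""
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        return {"ok": False, "findings": [f"invalid JSON: {exc}"]}
    findings = []
    for path, value in find_targets(cfg):
        if not isinstance(value, str):
            findings.append(f"{path}: non-string _target_ {value!r}")
        elif value not in allowed:
            findings.append(f"{path}: _target_ {value!r} not in allowlist")
    return {"ok": not findings, "findings": findings}


def safe_instantiate(cfg: Dict[str, Any]) -> Any:
    """Build the object named by `_target_` via the registry only.

    Raises ValueError instead of importing an arbitrary dotted path, so a
    config naming `os.system` is rejected rather than executed.
    """
    target = cfg.get("_target_")
    factory = REGISTRY.get(target) if isinstance(target, str) else None
    if factory is None:
        raise ValueError(f"refusing to instantiate unregistered target {target!r}")
    kwargs = {k: v for k, v in cfg.items() if k != "_target_"}
    return factory(**kwargs)


# Constructed sample inputs.
SAFE_CONFIG = '{"_target_": "example.DummyModel", "hidden_size": 16}'
MALICIOUS_CONFIG = '{"_target_": "os.system", "path": "echo PoC successful"}'
NESTED_CONFIG = '{"model": {"tokenizer": {"_target_": "os.system"}}}'

if __name__ == "__main__":
    for name, text in [("safe", SAFE_CONFIG), ("malicious", MALICIOUS_CONFIG),
                       ("nested", NESTED_CONFIG)]:
        print(name, audit_config(text))
    print(safe_instantiate(json.loads(SAFE_CONFIG)).hidden_size)
```

Run `audit_config` over `config.json` before a pipeline step is allowed to load the repository, and route any loader that honours `_target_` through a registry such as `safe_instantiate` so that the allowlist, not the attacker-controlled file, decides which classes exist.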
Patch Details
Patched in `huggingface-hub` version 0.21.0. The fix involves preventing the dynamic and unsafe instantiation of arbitrary classes specified in the `config.json` file.