Hugging Face Inference Infrastructure Compromise via Malicious Model with `trust_remote_code=True`
Overview
Security researchers demonstrated a supply chain attack leading to a widespread compromise of cloud-based AI model serving infrastructure. The attack involved uploading a seemingly benign but malicious model to the Hugging Face Hub. The model's repository included a custom Python script in its modeling file and a `config.json` file with the `trust_remote_code=True` flag set. When users or automated systems (like Hugging Face's own Inference API or other MLOps platforms) loaded this model for inference, the `transformers` library would automatically download and execute the malicious script.

The script was designed to establish a reverse shell, exfiltrate API keys and environment variables from the inference server, and traverse the internal network. This allowed the attackers to gain a foothold in the shared infrastructure, potentially accessing data and requests from other tenants using the same hardware.

The incident underscored the significant risk of the `trust_remote_code` feature, which, while powerful for research, creates a critical security vulnerability if not handled with extreme caution. It served as a major wake-up call for the MLOps community to prioritize sandboxing and code attestation for models sourced from public hubs.
Affected Systems
Testing Guide
1. In your codebase, search for all instances of `from_pretrained` or similar model-loading functions.
2. Check whether the `trust_remote_code=True` argument is present. If it is, you are potentially vulnerable.
3. To simulate, create a private model on Hugging Face with a `modeling.py` file containing `import os; os.system('echo vulnerable > /tmp/test')` and set `trust_remote_code=True` in `config.json`.
4. Load the model in a test environment and check whether the `/tmp/test` file is created.
Mitigation Steps
1. **Never use `trust_remote_code=True`** in production environments or with models from untrusted sources. Always explicitly set it to `False`.
2. **Code Review**: Manually review all code in a model's repository before loading it, especially if remote code execution is required.
3. **Use Sandboxed Environments**: Run model inference in tightly controlled, isolated environments (e.g., gVisor, Kata Containers) with strict network egress policies.
4. **Update Transformers Library**: Ensure you are using a version of `transformers` that includes enhanced warnings and safety checks for remote code execution.
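Step 2 becomes enforceable when the review result is recorded as a hash of the reviewed files and checked again at load time, which is the code attestation the overview calls for. The gate below is an added example, not Hugging Face's or `transformers`' own code. It assumes the model snapshot is already on disk as a directory holding `config.json` and the Python modules that its `auto_map` entries name (in `transformers`, `auto_map` maps auto classes to `"module.Class"`, or `"org/repo--module.Class"` for code hosted in another repository; those modules are what `trust_remote_code=True` would import). The allowlist format (file name to reviewed SHA-256) and the `make_constructed_snapshot` helper, which builds a throwaway snapshot for demonstration, are this example's own.

```python
"""Code-attestation gate for models that declare custom code (added example).

Illustrative code, not Hugging Face's or transformers' own. Assumes the model
snapshot is already downloaded and that config.json's `auto_map` names the
custom modules that would be imported. The allowlist format is assumed.
"""
import hashlib
import json
import pathlib
import tempfile
from typing import Dict, List, Tuple


def sha256_file(path: pathlib.Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def custom_code_files(repo_dir: pathlib.Path) -> List[pathlib.Path]:
    """List the .py files that config.json's auto_map would cause to be imported."""
    cfg = json.loads((repo_dir / "config.json").read_text(encoding="utf-8"))
    modules = set()
    for entry in cfg.get("auto_map", {}).values():
        # Tokenizer entries are [fast, slow] lists; normalise to a flat list.
        targets = entry if isinstance(entry, (list, tuple)) else [entry]
        for target in targets:
            if not target:
                continue
            ref = target.split("--")[-1]          # drop any "org/repo--" prefix
            module, _, _cls = ref.rpartition(".")  # "modeling_x.Cls" -> "modeling_x"
            modules.add(module.replace(".", "/") + ".py")
    return sorted(repo_dir / m for m in modules)


def attest(repo_dir, allowlist: Dict[str, str]) -> Tuple[bool, List[str]]:
    """Return (value to pass as trust_remote_code, reasons).

    True only when every custom module exists and its SHA-256 is in the
    reviewed allowlist; anything else yields False, so the loader either
    uses built-in classes or refuses the model instead of running the code.
    """
    repo_dir = pathlib.Path(repo_dir)
    files = custom_code_files(repo_dir)
    if not files:
        return False, ["no auto_map: model needs no remote code"]
    problems = []
    for f in files:
        if not f.exists():
            problems.append(f"{f.name}: referenced by auto_map but absent")
            continue
        digest = sha256_file(f)
        if allowlist.get(f.name) != digest:
            problems.append(f"{f.name}: sha256 {digest} not in reviewed allowlist")
    if problems:
        return False, problems
    return True, [f"{f.name}: matches reviewed hash" for f in files]


def make_constructed_snapshot(with_custom_code: bool = True) -> Tuple[pathlib.Path, str]:
    """Build a constructed, harmless model snapshot in a temp dir (demo data only).

    Returns the directory and the SHA-256 of the custom module ("" if none).
    """
    d = pathlib.Path(tempfile.mkdtemp(prefix="snapshot_"))
    if not with_custom_code:
        (d / "config.json").write_text(json.dumps({"model_type": "bert"}))
        return d, ""
    (d / "config.json").write_text(json.dumps(
        {"model_type": "custom", "auto_map": {"AutoModel": "modeling_custom.CustomModel"}}))
    code = b"class CustomModel:\n    pass\n"  # constructed stand-in for a modeling file
    (d / "modeling_custom.py").write_bytes(code)
    return d, hashlib.sha256(code).hexdigest()


if __name__ == "__main__":
    snap, digest = make_constructed_snapshot()
    print("unreviewed:", attest(snap, {}))
    print("reviewed:  ", attest(snap, {"modeling_custom.py": digest}))
    # The boolean is what you would pass on: from_pretrained(path, trust_remote_code=flag)
```

The returned flag, not a hard-coded `True`, is what goes into `from_pretrained`, so a model whose custom module changes after review (a new revision pushed to the Hub, for example) drops back to `False` automatically. The gate complements, rather than replaces, the sandboxing in step 3.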
Patch Details
Hugging Face implemented enhanced scanning for malicious code in repositories and more prominent warnings on models that require `trust_remote_code`. The `transformers` library added configuration options to disable this feature globally.