Remote Code Execution in Hugging Face Transformers via Poisoned Safetensors Metadata
Overview
A critical vulnerability was discovered in the Hugging Face Transformers library that allowed remote code execution through maliciously crafted `safetensors` model files. Although the `safetensors` format was designed to prevent the arbitrary code execution common with Python's `pickle` format, this vulnerability resided not in the tensor data but in the parsing of the model's configuration file (`config.json`) that accompanies the weights. Attackers could embed a specially crafted `auto_map` dictionary in the `config.json`. When a victim loaded the model with an `AutoModel.from_pretrained()` call, the library dynamically loaded the Python file the `auto_map` pointed to, treating it as a legitimate, trusted component of the model architecture. That remote file, controlled by the attacker, contained malicious code that executed with the privileges of the user running the model-loading script. The supply chain attack proved highly effective because it bypassed the existing `safetensors`-based security checks entirely. The incident was discovered by security researchers at Trail of Bits, who identified several malicious models on the Hugging Face Hub that exploited this flaw to install crypto-miners and to exfiltrate environment variables, including cloud provider credentials and API keys, from developer machines and CI/CD pipelines.
Affected Systems
Testing Guide
1. Check your installed `transformers` version: `pip show transformers`.
2. Create a test Python script with the following code: `from transformers import AutoModel; AutoModel.from_pretrained('malicious-repo/model-name')`, where the specified model is a known malicious one (use a safe, purpose-built PoC model).
3. Run the script in a containerized environment with a network listener like `netcat`.
4. If the script attempts to make outbound connections or execute unexpected system commands, your environment is vulnerable.
Mitigation Steps
1. Update the `transformers` library to version `4.42.0` or later immediately: `pip install --upgrade transformers`.
2. When loading models from untrusted sources, always use the `trust_remote_code=False` flag in `from_pretrained` calls, which is now the default in patched versions.
3. Implement a model scanning pipeline to inspect `config.json` files for suspicious entries like `auto_map` or remote import paths before loading.
4. Run model inference and training in sandboxed, network-restricted environments (e.g., gVisor, Kata Containers) to limit the impact of a potential compromise.
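As an added example for mitigation step 3 (this is not code from the page, from Transformers or from Hugging Face), a minimal pre-load scanner for `config.json`: it walks the file, including nested sub-configs, and reports every `auto_map` entry, ranking the cross-repository `org/repo--module.Class` form (the convention the Transformers dynamic module loader uses for code hosted in a different repository) above plain same-repo module references. The two sample configs are constructed and name no real Hub repository.

```python
import json
from dataclasses import dataclass

# Constructed sample config.json payloads (not real Hub models). The first pairs a
# stock architecture with an auto_map whose model class lives in another repo.
SUSPICIOUS_CONFIG = json.dumps({
    "architectures": ["LlamaForCausalLM"],
    "model_type": "llama",
    "auto_map": {
        "AutoConfig": "configuration_custom.CustomConfig",
        "AutoModelForCausalLM": "other-org/other-repo--modeling_custom.CustomModel",
    },
})
BENIGN_CONFIG = json.dumps({"architectures": ["BertModel"], "model_type": "bert"})

@dataclass
class Finding:
    path: str      # JSON path of the entry, e.g. "auto_map.AutoModelForCausalLM"
    target: str    # the module.Class string Transformers would import
    severity: str  # "remote-repo" (code pulled from another repo) or "custom-code"

def classify(target: str) -> str:
    # "org/repo--module.Class" makes Transformers fetch the module from a different
    # repository; bare "module.Class" loads a .py shipped alongside config.json.
    # Both run Python on load, but the cross-repo form hides the code's true origin.
    return "remote-repo" if "--" in target else "custom-code"

def _walk(node, path, findings):
    if not isinstance(node, dict):
        return
    for key, value in node.items():
        here = f"{path}.{key}" if path else key
        if key == "auto_map" and isinstance(value, dict):
            for auto_cls, target in value.items():
                # Tokenizer entries may be a [slow, fast] pair; normalise to a list.
                for t in (target if isinstance(target, list) else [target]):
                    if isinstance(t, str):
                        findings.append(Finding(f"{here}.{auto_cls}", t, classify(t)))
        else:
            _walk(value, here, findings)  # recurse into text_config, vision_config, ...

def scan_config(config_json: str) -> list:
    """Return every auto_map entry found in a config.json, remote-repo entries first."""
    findings = []
    _walk(json.loads(config_json), "", findings)
    findings.sort(key=lambda f: f.severity != "remote-repo")
    return findings
```

Any non-empty result means the model cannot be loaded without `trust_remote_code=True`, so a scanning pipeline can reject it or route it for manual review before `from_pretrained` is ever called.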
Patch Details
Patched in Transformers version 4.42.0 by making `trust_remote_code=False` the default and adding stricter validation for configuration files.