Server-Side Request Forgery (SSRF) in Hugging Face Hub via Malicious Model Upload
Overview
A high-severity Server-Side Request Forgery (SSRF) vulnerability was discovered in the Hugging Face Hub platform. The vulnerability was triggered when the platform's backend services attempted to load and inspect a user-uploaded model that was crafted in a malicious manner. The exploit targeted a model conversion service that could be manipulated through a specially formatted model configuration file. By embedding a URL pointing to an internal IP address within the model's metadata, an attacker could trick the backend service into making arbitrary HTTP requests on their behalf to services within Hugging Face's internal network. Researchers demonstrated that this could be used to probe internal network endpoints and, in some cases, access the cloud provider's instance metadata service (e.g., the EC2 metadata endpoint at 169.254.169.254). Accessing this service could allow an attacker to exfiltrate temporary IAM credentials associated with the underlying compute instance, potentially granting them access to other cloud resources like S3 buckets. The vulnerability was reported responsibly through Hugging Face's bug bounty program and highlights the risks of processing complex, user-submitted files in a shared cloud environment.
Affected Systems
Testing Guide
This vulnerability cannot be tested by external users as it required exploiting a backend process on the Hugging Face Hub platform. The platform's security team has confirmed the patch by running regression tests against the original exploit.
Mitigation Steps
1. **User Action**: No direct user action is required, as the vulnerability was in the Hugging Face backend. However, users should prefer using the `safetensors` format over `pickle` for security.
2. **Platform-Side Fixes**: Hugging Face implemented strict egress filtering on their model processing workers, blocking requests to internal IP ranges and metadata services.
3. **Input Validation**: All user-provided configuration files and model metadata now undergo rigorous validation and sanitization to remove potentially malicious directives.
4. **Sandboxing**: The model loading environment was further hardened and isolated from the rest of the production network.
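As an added illustration of the input-validation and egress-policy steps above (example code written for this page, not Hugging Face's implementation), here is a Python check a model-processing worker could run over URL-valued fields of an uploaded config before fetching anything. The `weights_url` field name, the `huggingface.co` allow-list and the stand-in DNS resolver are assumptions.

```python
import ipaddress
import json
from urllib.parse import urlparse

# Constructed model config in the shape the advisory describes: a URL inside the
# metadata that points at the cloud instance metadata service (EC2 endpoint).
MALICIOUS_CONFIG = json.dumps({
    "architectures": ["ExampleModel"],
    "weights_url": "http://169.254.169.254/latest/meta-data/iam/security-credentials/",
})
BENIGN_CONFIG = json.dumps({
    "architectures": ["ExampleModel"],
    "weights_url": "https://huggingface.co/example-org/example-model/resolve/main/model.safetensors",
})
# Assumption: the only origin a conversion worker legitimately fetches from.
ALLOWED_HOSTS = {"huggingface.co"}

def is_internal_address(ip: str) -> bool:
    """True for addresses a worker must never contact (RFC 1918, loopback, link-local incl. 169.254.169.254, ...)."""
    addr = ipaddress.ip_address(ip)
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_reserved or addr.is_multicast or addr.is_unspecified)

def validate_fetch_url(url: str, resolve) -> tuple:
    """Decide whether a URL from model metadata may be fetched. `resolve` maps hostname -> IPs;
    it is injected so the check runs offline and the caller connects to exactly the IPs checked."""
    parsed = urlparse(url)
    if parsed.scheme != "https":
        return False, "scheme %r not allowed" % parsed.scheme
    host = parsed.hostname
    if host is None:
        return False, "missing host"
    if host not in ALLOWED_HOSTS:          # literal IPs such as 169.254.169.254 fail here
        return False, "host %r not on allow-list" % host
    for ip in resolve(host):               # an allow-listed name must not resolve internally
        if is_internal_address(ip):
            return False, "%s resolves to internal address %s" % (host, ip)
    return True, "ok"

def check_model_config(config_text: str, resolve) -> dict:
    """Validate every URL-valued field of a config before the worker acts on it."""
    cfg = json.loads(config_text)
    return {k: validate_fetch_url(v, resolve)
            for k, v in cfg.items() if isinstance(v, str) and "://" in v}

# Constructed stand-in for DNS (the IP is a made-up public address).
FAKE_DNS = {"huggingface.co": ["93.184.216.34"]}
def fake_resolve(host: str) -> list:
    return FAKE_DNS.get(host, [host])
```

The resolver is injected because a name-only check is open to DNS rebinding between check and connect; the worker should connect to the IPs it validated, with the egress filter from step 2 as the backstop.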
Patch Details
The vulnerability was patched by the Hugging Face security team on their backend infrastructure within hours of being reported. No user-facing services were directly impacted.