CVE-2024-3568
Arbitrary Code Execution vulnerability in transformers (PyPI)
What is CVE-2024-3568 About?
The huggingface/transformers library is vulnerable to arbitrary code execution through deserialization of untrusted data in `load_repo_checkpoint()`. Attackers can execute arbitrary commands on a target machine by crafting a malicious serialized payload. This is a critical vulnerability as it leads to remote code execution (RCE) with relatively moderate effort from an attacker.
Affected Software
Technical Details
The huggingface/transformers library, specifically the load_repo_checkpoint() function of the TFPreTrainedModel class, is vulnerable to arbitrary code execution via unsafe deserialization. The function uses pickle.load() to process data from potentially untrusted sources. An attacker can craft a malicious serialized Python object (a 'pickle payload') that, when deserialized by pickle.load(), executes arbitrary Python code. Such a payload can be embedded in a seemingly harmless checkpoint file. If a victim loads this malicious checkpoint during a normal training or evaluation process, the embedded code runs on their machine, leading to remote code execution.
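The defensive counterpart to the issue described above, as an added example that is not code from the transformers project: a checkpoint loader that first walks the pickle opcode stream with `pickletools` (nothing is executed) to list every global the file would import, refuses anything outside an allowlist, and only then unpickles through a restricted `Unpickler`. The allowlist, the `load_checkpoint` name and the sample payloads are assumptions constructed for the example; the "suspicious" sample merely references the harmless `shutil.which` to show how a non-allowlisted global is caught.

```python
import io
import pickle
import pickletools
import shutil  # only used to build the constructed sample below

# Globals a weights-only checkpoint would legitimately reference. This
# allowlist is an assumption for the example; tune it to your own files.
SAFE_GLOBALS = {
    ("collections", "OrderedDict"),
    ("numpy", "ndarray"),
    ("numpy", "dtype"),
    ("numpy.core.multiarray", "_reconstruct"),
}

def referenced_globals(data: bytes) -> set:
    """Walk the opcode stream without executing it and collect every
    (module, name) pair the pickle would import on load."""
    found, strings = set(), []
    for op, arg, _pos in pickletools.genops(data):
        if op.name in ("GLOBAL", "INST"):          # protocol 0-3: "module name"
            found.add(tuple(arg.split(" ", 1)))
        elif op.name in ("UNICODE", "BINUNICODE", "BINUNICODE8", "SHORT_BINUNICODE"):
            strings.append(arg)                    # candidates for STACK_GLOBAL
        elif op.name == "STACK_GLOBAL":            # protocol 4+: module, name on stack
            # Assumes the pickler pushed both as literal strings (CPython does).
            found.add(tuple(strings[-2:]) if len(strings) >= 2 else ("<unknown>", "?"))
    return found

def is_safe(data: bytes) -> bool:
    return referenced_globals(data) <= SAFE_GLOBALS

class RestrictedUnpickler(pickle.Unpickler):
    """Second line of defence: block any import outside the allowlist even if
    the static scan missed something. find_class runs before any REDUCE."""
    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"blocked global {module}.{name}")

def load_checkpoint(data: bytes):
    """Scan first, then unpickle with the restricted loader."""
    if not is_safe(data):
        raise ValueError(f"refusing checkpoint, references {referenced_globals(data)}")
    return RestrictedUnpickler(io.BytesIO(data)).load()

# Constructed samples: a plain weights-like dict, and a pickle that references
# a function outside the allowlist (harmless here, but it would be blocked).
BENIGN = pickle.dumps({"layer.weight": [0.1, 0.2]}, protocol=4)
SUSPICIOUS = pickle.dumps(shutil.which, protocol=4)
```

Scanning with `pickletools.genops` is safe to run on files from any source because it never imports or calls anything; the restricted unpickler then bounds what a pickle can reach even if the scan is bypassed.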
What is the Impact of CVE-2024-3568?
Successful exploitation may allow attackers to execute arbitrary code with the privileges of the user running the application, leading to full system compromise, data theft, or denial of service.
What is the Exploitability of CVE-2024-3568?
Exploitation involves a moderate level of complexity. An attacker needs to craft a malicious serialized payload and distribute it as a checkpoint file. The primary prerequisite is that a victim must load this specially crafted checkpoint file using the vulnerable function. There are no authentication or direct privilege requirements for the deserialization itself once the checkpoint is loaded. However, convincing a user to load an untrusted checkpoint often involves social engineering or compromising a legitimate source. This is generally a remote code execution scenario if the checkpoint is downloaded from an untrusted source. Risk factors include environments where users frequently load models from various sources, especially those that are not thoroughly vetted or are publicly accessible.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| rooobeam | Link | This study analyzes Python pickle deserialization vulnerabilities, focusing on CVE-2024-3568 in Hugging Face Transformers' TFAutoModel. We reproduce the exploit to examine its root cause, attack... |
What are the Available Fixes for CVE-2024-3568?
Available Upgrade Options
- transformers
  - <4.38.0 → Upgrade to 4.38.0
Additional Resources
- https://osv.dev/vulnerability/GHSA-37q5-v5qm-c9v8
- https://huntr.com/bounties/b3c36992-5264-4d7f-9906-a996efafba8f
- https://github.com/huggingface/transformers/commit/693667b8ac8138b83f8adb6522ddaf42fa07c125
- https://nvd.nist.gov/vuln/detail/CVE-2024-3568
- https://github.com/huggingface/transformers
What are Similar Vulnerabilities to CVE-2024-3568?
Similar Vulnerabilities: CVE-2024-37055, CVE-2024-37052, CVE-2023-25136, CVE-2023-5356, CVE-2022-29241
