HuggingFace Transformers
cpe:2.3:a:huggingface:transformers:*:*:*:*:*:*:*
- >= 4.47.0, < 4.57.3
A vulnerability in the Trainer class of the Hugging Face Transformers library allows arbitrary code execution. The _load_rng_state() method in trainer.py (line 3059) restores the saved random-number-generator state by calling torch.load() without weights_only=True. The affected code is present in every library version that supports torch 2.2 or higher, but it is exploitable only with PyTorch versions prior to 2.6: in those releases torch.load() defaults to weights_only=False and hands the checkpoint to the full pickle Unpickler, which will import and call any object the stream names. A surrounding safe_globals() context manager does not help, because its allowlist is consulted only when weights_only=True. An attacker who controls a checkpoint directory can therefore plant a crafted rng_state.pth whose pickle payload runs when the Trainer resumes training and deserializes it. The vulnerability has been fixed in version 5.0.0rc3.
Exploitation of this vulnerability yields arbitrary code execution on the system where the affected library is used, with the privileges of the process that loads the checkpoint.
The vulnerability can be reproduced with Hugging Face Transformers on PyTorch 2.2, 2.3, 2.4 or 2.5. Craft a checkpoint file whose pickle stream contains a GLOBAL/REDUCE sequence that invokes a payload (for example, writing a file or executing a command) when torch.load() deserializes it, place it as rng_state.pth in a checkpoint directory, and resume training from that directory so that _load_rng_state() loads the file. The payload runs before the returned RNG state is ever inspected.
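The following is an added example, not code from Transformers or PyTorch, that demonstrates the mechanism above and the two checks a practitioner would want around it. It uses only the Python standard library so it runs without PyTorch: a constructed stand-in for a tampered rng_state.pth (a zip in torch.save()'s layout wrapping a pickle whose __reduce__ names a callable), a static pickletools scan that lists every global the stream would import without executing it, and a restricted Unpickler that mirrors in spirit what weights_only=True does. The SAFE_GLOBALS allowlist, the _payload_marker callable and the rng_state/ archive name are assumptions for the demo; torch's own allowlist is longer and its payload-free format check is more involved.

```python
"""Added example: why torch.load() without weights_only=True executes code,
and how to detect or block such a checkpoint. Stdlib only, no PyTorch."""
import io
import pickle
import pickletools
import zipfile
from collections import OrderedDict

# Globals a weights-only loader is willing to import. torch's real allowlist
# is longer; this short list is an assumption for the demo.
SAFE_GLOBALS = {
    ("collections", "OrderedDict"),
    ("torch._utils", "_rebuild_tensor_v2"),
    ("torch", "FloatStorage"),
}

EXECUTED = []  # records that the constructed payload actually ran


def _payload_marker(tag):
    """Stand-in for os.system & co.: a real payload would run a command here."""
    EXECUTED.append(tag)
    return OrderedDict(cpu=[0])  # hand the caller something state-shaped


class MaliciousRngState:
    """__reduce__ makes pickle emit GLOBAL + REDUCE: 'import _payload_marker, call it'."""
    def __reduce__(self):
        return (_payload_marker, ("pwned",))


def _checkpoint_zip(obj):
    """Mimic torch.save()'s zip layout (<name>/data.pkl) around a pickle stream."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("rng_state/data.pkl", pickle.dumps(obj, protocol=2))  # torch uses protocol 2
        zf.writestr("rng_state/version", b"3\n")
    return buf.getvalue()


def build_malicious_checkpoint():
    """Constructed tampered rng_state.pth."""
    return _checkpoint_zip(MaliciousRngState())


def build_benign_checkpoint():
    """Constructed harmless state dict, for comparison."""
    return _checkpoint_zip(OrderedDict([("python", 12345), ("cpu", [1, 2, 3])]))


def extract_data_pkl(checkpoint):
    """Pull the pickle stream out of the zip without touching anything else."""
    with zipfile.ZipFile(io.BytesIO(checkpoint)) as zf:
        name = next(n for n in zf.namelist() if n.endswith("/data.pkl"))
        return zf.read(name)


def pickle_globals(data):
    """Static check: every (module, name) the stream would import, found by opcode walk."""
    found, strings = [], []
    for op, arg, _pos in pickletools.genops(data):
        if op.name in ("GLOBAL", "INST"):
            module, name = arg.split(" ", 1)  # pickletools renders the arg as 'module name'
            found.append((module, name))
        elif op.name == "STACK_GLOBAL":  # protocol 4+: module/name are the last two strings pushed
            found.append((strings[-2], strings[-1]))
        elif "UNICODE" in op.name or "STRING" in op.name:
            strings.append(arg)
    return found


def suspicious_globals(data):
    """Anything outside the allowlist is grounds to refuse the checkpoint."""
    return [g for g in pickle_globals(data) if g not in SAFE_GLOBALS]


def unsafe_load(data):
    """What torch.load(path) did on PyTorch < 2.6: weights_only=False, full pickle."""
    return pickle.loads(data)


class RestrictedUnpickler(pickle.Unpickler):
    """Runtime check in the spirit of torch.load(..., weights_only=True)."""
    def find_class(self, module, name):
        if (module, name) not in SAFE_GLOBALS:
            raise pickle.UnpicklingError(f"blocked import of {module}.{name}")
        return super().find_class(module, name)


def safe_load(data):
    """Returns (ok, value): the object on success, the error message when blocked."""
    try:
        return True, RestrictedUnpickler(io.BytesIO(data)).load()
    except pickle.UnpicklingError as exc:
        return False, str(exc)


def demo():
    evil = extract_data_pkl(build_malicious_checkpoint())
    good = extract_data_pkl(build_benign_checkpoint())
    before = len(EXECUTED)
    unsafe_load(evil)  # the payload runs here, before any caller sees the result
    return {
        "evil_flagged": bool(suspicious_globals(evil)),
        "good_flagged": bool(suspicious_globals(good)),
        "unsafe_load_ran_payload": len(EXECUTED) == before + 1,
        "safe_load_blocked_evil": not safe_load(evil)[0],
        "safe_load_accepted_good": safe_load(good)[0],
    }


if __name__ == "__main__":
    print(demo())
```

The static scan is the check worth running on checkpoints pulled from a hub or a shared bucket before any torch.load(): it never executes the stream, so it is safe on any PyTorch version. The restricted Unpickler shows why an allowlist only protects a call that actually routes through it, which is exactly what the missing weights_only=True argument fails to do.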
Users should update to Hugging Face Transformers version 5.0.0rc3 or later, where this vulnerability has been fixed. Until then, running on PyTorch 2.6 or later, where torch.load() defaults to weights_only=True, closes this code path, and checkpoints should only be resumed from directories the training process owner controls.