HuggingFace transformers
cpe:2.3:a:huggingface:transformers:*:*:*:*:*:*:*
- < 5.3.0
A critical remote code execution vulnerability exists in all versions of the Hugging Face Transformers library prior to 5.3.0. This vulnerability allows an attacker to inject a malicious `config.json` file with the `_attn_implementation_internal` field pointing to an attacker-controlled Hugging Face Hub repository. When the model is loaded using the `AutoModelForCausalLM.from_pretrained()` API, the library downloads and executes arbitrary Python code from the attacker's repository with the victim's full operating system privileges. The issue stems from unfiltered deserialization of configuration attributes, inadequate sanitization of internal fields, and unsandboxed execution of downloaded kernels. Notably, this vulnerability bypasses the `trust_remote_code` security mechanism, goes unnoticed by the victim, and exploits a standard usage pattern, making it particularly severe.
Exploitation of this vulnerability leads to arbitrary code execution on the victim's machine with full user privileges. This allows attackers to read and exfiltrate sensitive files such as SSH keys, cloud credentials, and database connection strings, as well as to execute network requests to external servers. In a corporate environment, this could result in lateral movement through the network using stolen credentials, compromising CI/CD pipelines, and even achieving full machine compromise by installing malware or backdoors.
To reproduce this vulnerability, an attacker must first create a Hugging Face Hub repository containing a malicious kernel, which is a Python package with a harmful `__init__.py` file. The attacker then creates a model repository that includes a `config.json` file injecting the kernel repository ID into the `_attn_implementation_internal` field. When a victim loads the model using the `AutoModelForCausalLM.from_pretrained()` method without the `trust_remote_code` flag, the vulnerability is triggered. The `configuration_utils.py` file deserializes the `config.json`, executing the injected code from the kernel repository with the victim's OS privileges.
Users are advised to upgrade to version 5.3.0 or later.
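As an added defensive example (not code from the advisory or from the transformers project), the audit below inspects a downloaded `config.json` before it is handed to `from_pretrained()`, flagging any underscore-prefixed internal field and any `_attn_implementation_internal` value that looks like a Hub repository id rather than a built-in backend. The allowlist of local attention backends and the placeholder repository id are assumptions for this example.

```python
"""Pre-load audit of a Hugging Face config.json (added example)."""
import json
import re

# Attention backends that transformers resolves locally; this allowlist is an
# assumption for this example, adjust it to the library version you deploy.
LOCAL_ATTN_IMPLEMENTATIONS = {"eager", "sdpa", "flash_attention_2", "flex_attention"}

# A value shaped like a Hub repository id ("owner/name", optionally with a
# revision suffix) would make the loader fetch a kernel from the Hub.
HUB_REPO_RE = re.compile(r"^[\w.-]+/[\w.-]+(?:[@:][\w.-]+)?$")


def _attn_values(value):
    """Yield the attention-implementation strings in a str or {name: str} value."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, dict):
        for sub in value.values():
            if isinstance(sub, str):
                yield sub


def audit_config(config_text: str) -> list[str]:
    """Return findings for a config.json body; an empty list means nothing suspicious."""
    cfg = json.loads(config_text)
    findings = []
    # Underscore-prefixed keys are internal state and should not appear in a
    # serialized config that came from a third-party repository.
    for key in cfg:
        if key.startswith("_"):
            findings.append(f"internal field serialized in config.json: {key}")
    for attn in _attn_values(cfg.get("_attn_implementation_internal")):
        if attn in LOCAL_ATTN_IMPLEMENTATIONS:
            continue
        if HUB_REPO_RE.match(attn):
            findings.append(f"_attn_implementation_internal points at a Hub repo: {attn!r}")
        else:
            findings.append(f"unknown attention implementation: {attn!r}")
    return findings


# Constructed sample configs; the repository id below is a placeholder.
CLEAN_CONFIG = json.dumps(
    {"model_type": "llama", "hidden_size": 4096, "attn_implementation": "sdpa"})
SUSPICIOUS_CONFIG = json.dumps(
    {"model_type": "llama", "hidden_size": 4096,
     "_attn_implementation_internal": "example-org/example-kernel"})

if __name__ == "__main__":
    for name, text in (("clean", CLEAN_CONFIG), ("suspicious", SUSPICIOUS_CONFIG)):
        print(name, "->", audit_config(text) or "no findings")
```

Run it against the `config.json` in the model snapshot before calling `from_pretrained()` and refuse to load on any finding; upgrading to 5.3.0 or later remains the actual fix.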