Hugging Face Diffusers Trust Remote Code Bypass Vulnerability in Diffusion Pipeline
Vulnerability
A remote code execution vulnerability tied to the trust_remote_code option has been identified in the Hugging Face Diffusers library, in versions prior to 0.38.0. The issue arises in the DiffusionPipeline.from_pretrained method, where the trust_remote_code parameter is not properly enforced: even when a user sets trust_remote_code to False or leaves it at the default, arbitrary remote code can still be executed. The vulnerability has three variants, all with the same root cause: the trust_remote_code check was implemented in the download method rather than at the site where dynamic modules are actually loaded. As a result, any code path that bypassed or short-circuited the download method also circumvented the security check.
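The placement problem described above is easiest to see in a toy model. The following is an added, deliberately simplified illustration written for this page; it is not Diffusers code and does not reproduce its internals. It models a loader whose trust gate sits only in a download helper, so a local-snapshot path that never downloads skips the gate, next to a loader that checks at the dynamic-module load site so every path that would import code hits the check. The repository contents, function names and the "./" convention for local paths are all constructed assumptions; no code is actually executed, the model only records whether a module would have been loaded.

```python
"""Toy model of the root cause: a trust_remote_code gate in the download
step versus a gate at the point where dynamic code is loaded.
Illustrative only; not the Diffusers implementation."""
from dataclasses import dataclass

# Constructed stand-in for a pipeline repository: file name -> content.
# A custom pipeline ships Python source that a real loader would import.
FAKE_REPO = {
    "model_index.json": '{"_class_name": "CustomPipeline"}',
    "pipeline.py": "print('this would run at import time')",
}


@dataclass
class LoadedPipeline:
    source: str           # "hub" (downloaded) or "local" (snapshot on disk)
    executed_code: bool   # True if a dynamic Python module would be loaded


def _download(custom_pipeline, trust_remote_code):
    """FLAWED design: the only trust gate lives inside the download helper."""
    if custom_pipeline and not trust_remote_code:
        raise ValueError("custom pipeline code requires trust_remote_code=True")
    return dict(FAKE_REPO)


def _load_dynamic_module(files):
    """Stand-in for importing pipeline.py; records that it would run."""
    return "pipeline.py" in files


def from_pretrained_flawed(path, custom_pipeline=None, trust_remote_code=False):
    """Gate in download only: a local path short-circuits download and the gate."""
    if path.startswith("./"):
        files, source = dict(FAKE_REPO), "local"   # no download, so no check
    else:
        files, source = _download(custom_pipeline, trust_remote_code), "hub"
    return LoadedPipeline(source, _load_dynamic_module(files))


def from_pretrained_fixed(path, custom_pipeline=None, trust_remote_code=False):
    """Gate at the load site: every path that would import code is checked."""
    if path.startswith("./"):
        files, source = dict(FAKE_REPO), "local"
    else:
        files, source = dict(FAKE_REPO), "hub"   # download no longer decides trust
    if "pipeline.py" in files and not trust_remote_code:
        raise ValueError("refusing to load remote code without trust_remote_code=True")
    return LoadedPipeline(source, _load_dynamic_module(files))


def would_execute(loader, path, **kwargs):
    """Return True if the loader would load dynamic code, False if it refuses."""
    try:
        return loader(path, **kwargs).executed_code
    except ValueError:
        return False


if __name__ == "__main__":
    for name, loader in [("flawed", from_pretrained_flawed), ("fixed", from_pretrained_fixed)]:
        print(name, "hub:  ", would_execute(loader, "org/model", custom_pipeline="custom"))
        print(name, "local:", would_execute(loader, "./snapshot", custom_pipeline="custom"))
```

The flawed loader refuses the hub path but loads code from the local snapshot with trust_remote_code left at False; the fixed loader refuses both unless the caller opts in, which is the property a single load-site check gives you regardless of how many code paths reach it.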
Impact
Exploitation of this vulnerability allows for silent remote code execution on the user's machine. Anyone using the DiffusionPipeline.from_pretrained method with custom pipelines is affected.
Reproduction
To reproduce this vulnerability, use the DiffusionPipeline.from_pretrained method with a custom_pipeline argument pointing to a repository that contains malicious code. The trust_remote_code parameter should be set to False. Alternatively, a local snapshot can be used that references custom component files containing executable code.
Remediation
Users should upgrade to Diffusers version 0.38.0, where this vulnerability has been fixed. If an immediate upgrade is not possible, only use the from_pretrained method with trusted sources, and inspect local snapshots for unexpected Python files before loading them.
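A small check for the interim advice above, added for this page and not part of Diffusers: walk a local snapshot directory and report files whose extension is not one a weights-only pipeline snapshot is expected to carry, listing Python source first. The allowlist of suffixes is an assumption that fits a plain (non-custom) pipeline; a custom pipeline legitimately contains .py files, which is exactly why they deserve a look before loading. The sample snapshot is constructed in a temporary directory so the script runs offline.

```python
"""List unexpected (especially Python) files in a local pipeline snapshot.
Added example; the suffix allowlist and sample layout are assumptions."""
import tempfile
from pathlib import Path

# Suffixes a weights-only pipeline snapshot is expected to contain (assumption).
EXPECTED_SUFFIXES = {".json", ".safetensors", ".bin", ".txt", ".md"}


def find_unexpected_files(snapshot_dir):
    """Return relative paths of files whose suffix is not allowlisted,
    sorted so that any Python source appears first."""
    root = Path(snapshot_dir)
    unexpected = [
        p.relative_to(root).as_posix()
        for p in root.rglob("*")
        if p.is_file() and p.suffix not in EXPECTED_SUFFIXES
    ]
    return sorted(unexpected, key=lambda rel: (not rel.endswith(".py"), rel))


def build_sample_snapshot():
    """Constructed sample snapshot: normal weights/config files plus one stray
    Python module under a custom component directory."""
    tmp = tempfile.mkdtemp(prefix="snapshot_")
    files = {
        "model_index.json": "{}",
        "unet/config.json": "{}",
        "unet/diffusion_pytorch_model.safetensors": "",
        "custom_component/my_module.py": "# would be imported as a custom component",
    }
    for rel, content in files.items():
        target = Path(tmp, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content)
    return tmp


if __name__ == "__main__":
    snapshot = build_sample_snapshot()
    hits = find_unexpected_files(snapshot)
    if hits:
        print("review before loading:")
        for rel in hits:
            print("  ", rel)
    else:
        print("no unexpected files in", snapshot)
```

Run it against a real snapshot by passing its directory to find_unexpected_files; an empty result means the snapshot contains only the expected weight and configuration file types.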
