Hugging Face Diffusers Remote Code Execution Vulnerability in Custom Pipeline Loading

A remote code execution vulnerability has been identified in the Hugging Face Diffusers library, specifically in version 0.37.0 prior to 0.38.0. The issue arises when loading pipelines from Hugging Face Hub repositories without the 'trust_remote_code=True' safeguard. The vulnerability is triggered by the '_resolve_custom_pipeline_and_cls' function, which performs string interpolation on the 'custom_pipeline' parameter. When 'custom_pipeline' is not provided, it defaults to 'None', which is interpreted as 'None.py'. If an attacker uploads a repository with a 'None.py' file containing malicious code, it can be executed during a 'DiffusionPipeline.from_pretrained()' call. This vulnerability allows for silent arbitrary code execution by exploiting the custom pipeline loading mechanism.

Impact

Exploitation of this vulnerability leads to silent arbitrary code execution on the system where the vulnerable version of the Diffusers library is used.

Reproduction

To reproduce this vulnerability, upload a model to the Hugging Face Hub that includes a 'None.py' file with a class subclassing 'DiffusionPipeline', along with a 'model_index.json' referencing a standard pipeline class. Then, call 'DiffusionPipeline.from_pretrained()' with the repository name, omitting the 'custom_pipeline' and 'trust_remote_code' arguments. The malicious code will execute silently, demonstrating the remote code execution vulnerability.

Remediation

Users should upgrade to Diffusers version 0.38.0 or later. If an immediate upgrade is not possible, only use 'from_pretrained' with trusted sources and audited repositories.