Hugging Face Transformers LightGlue Model Trust Boundary Bypass Leading to Remote Code Execution Vulnerability

Vulnerability

A vulnerability exists in the LightGlue model loading process of Hugging Face Transformers version 5.2.0. It allows an attacker-controlled model repository to execute arbitrary code during model initialization. This issue arises because the 'trust_remote_code' parameter, designed to prevent remote code execution, is overridden by untrusted serialized configuration data from the model's 'config.json' file. When a LightGlue model is loaded with 'trust_remote_code=False', the configuration file can still inject a 'trust_remote_code=True' value, which is then used to execute attacker-provided Python modules. This vulnerability is particularly concerning for environments such as API inference servers, research notebooks, CI/CD pipelines, and model evaluation workers, where it could lead to credential theft, unauthorized access to other services, or the deployment of backdoors.

Impact

Exploitation of this vulnerability allows for arbitrary code execution during the initialization of the affected model, bypassing user-specified trust settings. This could result in the execution of malicious code in the context of the application using the model, potentially leading to unauthorized access, data manipulation, or other malicious actions depending on the nature of the executed code.

Reproduction

To reproduce this vulnerability, load a LightGlue model from an attacker-controlled repository using the 'AutoModel.from_pretrained()' method. Set the 'trust_remote_code' parameter to 'False'. The model will initialize normally, but the untrusted 'config.json' data will override the trust setting, allowing for remote code execution.

Remediation

Users can update to Hugging Face Transformers version 5.9.0 or later, where this vulnerability has been fixed.
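As a pre-load check to run alongside the upgrade, the following added example (not code from the Transformers project or from this advisory) scans a downloaded 'config.json' for any serialized 'trust_remote_code' key and compares the installed library version against the fixed release. The sample config, the 'nested_example' key and the function names are constructed for illustration; walking nested objects goes beyond what the advisory states about where the value appears.

```python
import json
import re

FIXED_VERSION = (5, 9, 0)  # first fixed release named in this advisory

# Constructed sample config.json; "nested_example" is a made-up key used
# only to show that the scan also reaches nested objects.
SAMPLE_CONFIG = """
{
  "model_type": "lightglue",
  "nested_example": {"trust_remote_code": true}
}
"""

def find_trust_keys(node, path="$"):
    """Return (json_path, value) for every 'trust_remote_code' key in the data."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if key == "trust_remote_code":
                hits.append((child, value))
            hits.extend(find_trust_keys(value, child))
    elif isinstance(node, list):
        for index, item in enumerate(node):
            hits.extend(find_trust_keys(item, f"{path}[{index}]"))
    return hits

def is_fixed(version):
    """True if the version's numeric part is >= 5.9.0 (pre-release tags ignored)."""
    nums = [int(n) for n in re.findall(r"\d+", version)[:3]]
    return tuple(nums + [0] * (3 - len(nums))) >= FIXED_VERSION

def audit(config_text, transformers_version):
    """Classify a config.json before it is handed to from_pretrained()."""
    hits = find_trust_keys(json.loads(config_text))
    if any(value for _, value in hits):
        verdict = "reject"    # file tries to grant itself code execution
    elif hits or not is_fixed(transformers_version):
        verdict = "review"    # stray trust key, or loader predates the fix
    else:
        verdict = "ok"
    return {"verdict": verdict, "trust_keys": hits}

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG, "5.2.0"))
```

A trust decision belongs to the caller, so a 'trust_remote_code' key inside repository-supplied data is worth flagging even on a fixed version.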

Added: Jun 3, 2026, 2:32 PM
Updated: Jun 3, 2026, 2:32 PM

Vulnerability Rating

Custom Algorithm

spread: 6.6
impact: 10.0
exploitability: 5.5
remediation: 7.7
relevance: 9.9
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.