
Flaw in AI Library Allows Code to Be Hidden in Model Files

A new exploit in the widely used Transformers library lets attackers execute code by uploading malicious model files that appear legitimate.

CSBadmin

Attack Vector and Exploit Mechanism

A critical security issue has been discovered in the Hugging Face Transformers machine learning library, one of the most popular frameworks for artificial intelligence development. The flaw allows attackers to inject malicious code into a model configuration file. When a user loads the compromised model using the standard loading function, the library executes the hidden code without any warning or error. This bypasses the built-in security setting designed to prevent remote code execution, creating a silent attack vector.

The vulnerability resides in how the library handles a specific attribute within model configuration files. An attacker can upload a seemingly legitimate model to the Hugging Face Hub that contains this malicious field. When a developer or system downloads and loads this model, the library automatically fetches and runs code from an external source controlled by the attacker. No user interaction beyond normal model loading is required for the exploit to succeed.

Impact and Scope

This vulnerability affects all versions of the Transformers library from 4.56.0 through 5.2.x, a window of exposure of approximately six months. The library is extremely widespread, with over 2.2 billion total installs and roughly 146 million downloads every month. Over one million models are hosted on the Hugging Face Hub, providing a large pool of potential targets and distribution points for attackers.

Successful exploitation gives an attacker full remote access to the compromised system. They can steal sensitive data such as cloud service credentials, encryption keys, and application programming interface tokens. The attacker can also establish persistent access, move laterally across a network, and target development pipelines or other critical infrastructure. Because the malicious code executes during a routine model loading process without any visible indicators, detection is exceptionally difficult for standard monitoring tools.
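A defender-side check that follows from the two sections above, written as an added example that is not code from the article, from Hugging Face or from the Transformers project. The article does not name the configuration attribute involved, so this script audits `auto_map`, which is the documented hook through which a Transformers `config.json` names custom Python classes (and, in the form `other-org/other-repo--module.Class`, code in a different Hub repository); treating that as the field to inspect is an assumption, not a claim that it is the attribute behind this flaw. The version bounds come from the article (4.56.0 through 5.2.x); treating 5.3.0 as the first fixed release is an assumption. The two configs are constructed samples, not real models.

```python
import json
import re

# Affected range as given in the article: 4.56.0 through 5.2.x.
# Assumption: the fix lands in the first release after 5.2.x, so the
# upper bound is treated as "anything below 5.3.0".
AFFECTED_MIN = (4, 56, 0)
FIXED_MIN = (5, 3, 0)


def parse_version(version: str) -> tuple:
    """Reduce a version string to a (major, minor, patch) tuple.

    Trailing tags such as 'rc1' or '.dev0' are dropped; missing
    components are padded with 0 so '5.2' compares as (5, 2, 0).
    """
    parts = []
    for piece in re.split(r"[.\-+]", version.strip()):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_affected_version(version: str) -> bool:
    """True if the installed library version falls in the affected range."""
    return AFFECTED_MIN <= parse_version(version) < FIXED_MIN


def audit_config(config_text: str) -> list:
    """Report config.json entries that point at custom model code.

    'auto_map' is the documented hook through which a Transformers
    config names Python classes to load; a value of the form
    'other-org/other-repo--module.Class' refers to code in a different
    Hub repository. Each finding is (kind, auto_map_key, reference).
    """
    cfg = json.loads(config_text)
    findings = []
    auto_map = cfg.get("auto_map")
    if not isinstance(auto_map, dict):
        return findings
    for key, ref in auto_map.items():
        refs = ref if isinstance(ref, list) else [ref]  # tokenizers use [slow, fast]
        for r in refs:
            if not isinstance(r, str):
                continue
            kind = "external_repo" if "--" in r else "local_code"
            findings.append((kind, key, r))
    return findings


def decide(config_text: str, library_version: str,
           allow_local_custom_code: bool = False) -> str:
    """Gate a model load before from_pretrained() is ever called.

    Policy: any reference to code in another repository is blocked
    outright; code shipped inside the model repo itself is blocked
    unless the caller opted in explicitly; and on an affected library
    version no custom code is loaded at all, because the article says
    the library's own opt-in setting can be bypassed there.
    """
    findings = audit_config(config_text)
    for kind, key, ref in findings:
        if kind == "external_repo":
            return f"block: {key} pulls code from another repo ({ref})"
        if kind == "local_code" and not allow_local_custom_code:
            return f"block: {key} requires custom code ({ref})"
    if findings and is_affected_version(library_version):
        return "block: custom code present and library version is in the affected range"
    return "allow"


# Constructed sample configs (not real models).
BENIGN_CONFIG = json.dumps({
    "architectures": ["BertForMaskedLM"],
    "model_type": "bert",
    "hidden_size": 768,
})

SUSPICIOUS_CONFIG = json.dumps({
    "architectures": ["MyModelForCausalLM"],
    "model_type": "my_model",
    "auto_map": {
        "AutoConfig": "configuration_my_model.MyConfig",
        "AutoModelForCausalLM": "some-org/other-repo--modeling_my_model.MyModelForCausalLM",
    },
})

if __name__ == "__main__":
    for name, cfg in (("benign", BENIGN_CONFIG), ("suspicious", SUSPICIOUS_CONFIG)):
        print(name, "->", decide(cfg, "5.2.0"))
        for finding in audit_config(cfg):
            print("  ", finding)
```

The check runs on the downloaded `config.json` before any model class is instantiated, so it does not depend on the library's own opt-in flag, which the article describes as bypassed. Pinning the model `revision` to a commit hash and running the load inside a sandboxed worker are the usual complements to a pre-load audit like this.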

Source: Cyber Security News

CSBadmin

The latest in cybersecurity news and updates.
