
CVE-2024-3568 PoC — Arbitrary Code Execution via Deserialization in huggingface/transformers

Source
Associated Vulnerability
Title: Arbitrary Code Execution via Deserialization in huggingface/transformers (CVE-2024-3568)
Description: The huggingface/transformers library is vulnerable to arbitrary code execution through deserialization of untrusted data within the `load_repo_checkpoint()` function of the `TFPreTrainedModel()` class. Attackers can execute arbitrary code and commands by crafting a malicious serialized payload, exploiting the use of `pickle.load()` on data from potentially untrusted sources. This vulnerability allows for remote code execution (RCE) by deceiving victims into loading a seemingly harmless checkpoint during a normal training process, thereby enabling attackers to execute arbitrary code on the targeted machine.
Description
This study analyzes Python pickle deserialization vulnerabilities, focusing on CVE-2024-3568 in Hugging Face Transformers' TFAutoModel. We reproduce the exploit to examine its root cause, attack vectors, and risks.
Readme
# Exploiting the pickle deserialization vulnerability in Transformers

## Experiment overview
Introduces the pickle deserialization mechanism and the `__reduce__` attack principle, reproduces the deserialization vulnerability [CVE-2024-3568](https://github.com/llm-sec/transformer-hacker/tree/main/docs/CVE-2024-3568) in the Hugging Face Transformers library, analyzes the security weaknesses in the Transformers library, and proposes effective hardening measures. **See the experiment PDF for the full details**.

(For the PoC author's code, see [CVE-2024-3568](https://github.com/llm-sec/transformer-hacker) or the **author_inf** folder.)

## Key information
1. **Vulnerable location**
The `TFAutoModel.load_repo_checkpoint()` method (Transformers ≤ v4.37.2)

2. **Attack principle**
The `extra_data.pickle` file inside a malicious checkpoint triggers RCE when it is deserialized with `pickle.load()`

3. **Affected scope**
- Transformers library ≤ v4.37.2
- AI applications that use the checkpoint-restore feature

## Environment setup
```bash
# See the experiment PDF for detailed setup instructions
pip install transformers==4.37.2 tensorflow
git clone https://github.com/llm-sec/transformer-hacker
```

## pickle deserialization mechanism

See the PDF document.

test.py and test2.py cover the analysis of the mechanism (assisted by the AI 问小白, with thanks for the productivity gain that technical breakthroughs bring).

## Reproducing the vulnerability

1. **Generating the malicious checkpoint**
(see the PDF document for the specific commands)

2. **Triggering the vulnerability**
(see the PDF document for the code example)

3. **Verifying the attack**
(see the PDF document for the verification method)

## Defenses
1. **Upgrade Transformers to ≥ v4.38.0**
2. **Disable the `load_repo_checkpoint()` method**
3. **Verify checkpoint files before loading them**
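The third defense above, as an added example that is neither code from the original page nor from the transformer-hacker project: two complementary checks a loader can run on a checkpoint's `extra_data.pickle` before (or instead of) calling `pickle.load()`. `scan_pickle()` walks the opcode stream with `pickletools.genops` without executing anything and reports which globals the stream references and whether it would call them via `REDUCE`-style opcodes; `RestrictedUnpickler` applies the allow-list at load time so a `__reduce__` payload cannot resolve its callable; `check_manifest()` compares the files against a trusted SHA-256 manifest. The allow-list contents, the manifest format and the sample pickles are assumptions constructed for the example; the "suspicious" sample uses `json.loads` as a harmless stand-in for the callable a real payload would name.

```python
"""Defender-side checks for checkpoint files that carry pickle data (added example)."""
import hashlib
import io
import json
import pickle
import pickletools

# Assumed, illustrative allow-list: globals a benign extra_data.pickle may reference.
# A real deployment derives this from what the checkpoint format actually stores.
SAFE_GLOBALS = {
    ("builtins", "dict"), ("builtins", "list"), ("builtins", "set"),
    ("builtins", "tuple"), ("builtins", "frozenset"), ("builtins", "bool"),
    ("builtins", "int"), ("builtins", "float"), ("builtins", "str"), ("builtins", "bytes"),
}

# Opcodes that make the unpickler *call* a previously loaded global.
CALLING_OPCODES = {"REDUCE", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX", "BUILD"}


def scan_pickle(data: bytes) -> dict:
    """Statically walk the opcode stream (nothing is executed) and report the
    globals it references, which of them are outside the allow-list, and
    whether any opcode would invoke a loaded global."""
    globals_seen, strings, calls = [], [], False
    for opcode, arg, _pos in pickletools.genops(data):
        name = opcode.name
        if name == "GLOBAL":                      # protocols 0-3: arg is "module name"
            module, attr = arg.split(" ", 1)
            globals_seen.append((module, attr))
        elif name == "STACK_GLOBAL":              # protocol 4+: module and name pushed as strings
            if len(strings) >= 2:
                globals_seen.append((strings[-2], strings[-1]))
        elif name in ("UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"):
            strings.append(arg)
        elif name in CALLING_OPCODES:
            calls = True
    forbidden = [g for g in globals_seen if g not in SAFE_GLOBALS]
    return {"globals": globals_seen, "forbidden": forbidden, "calls_globals": calls}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses every global outside SAFE_GLOBALS, so a
    __reduce__ payload cannot obtain the callable it wants to run."""

    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def try_safe_load(data: bytes):
    """Return (True, obj) for an allowed pickle, (False, reason) otherwise."""
    try:
        return True, RestrictedUnpickler(io.BytesIO(data)).load()
    except (pickle.UnpicklingError, AttributeError, ImportError) as exc:
        return False, str(exc)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_manifest(files: dict, manifest: dict) -> list:
    """Compare checkpoint files ({name: bytes}) against a trusted {name: sha256}
    manifest; return names that are missing, modified, or not in the manifest."""
    bad = [n for n in manifest if n not in files or sha256_hex(files[n]) != manifest[n]]
    bad += [n for n in files if n not in manifest]
    return sorted(bad)


def make_benign_sample() -> bytes:
    """Constructed stand-in for a harmless extra_data.pickle (plain dict)."""
    return pickle.dumps({"epoch": 3, "lr": 0.001})


class _CallsJsonLoads:
    # Constructed stand-in: __reduce__ tells the unpickler to call json.loads,
    # a harmless callable chosen only so the detection path can be exercised.
    def __reduce__(self):
        return (json.loads, ('{"x": 1}',))


def make_suspicious_sample() -> bytes:
    return pickle.dumps(_CallsJsonLoads())


if __name__ == "__main__":
    for label, blob in (("benign", make_benign_sample()), ("suspicious", make_suspicious_sample())):
        print(label, scan_pickle(blob), try_safe_load(blob))
```

The static scan is the cheap first gate: it can run on a downloaded checkpoint before any code path touches it, and a stream that references anything outside the allow-list, or that carries calling opcodes at all, is rejected without being unpickled. The restricted unpickler is the second gate for the case where a pickle must be loaded; it follows the "Restricting Globals" pattern from the Python `pickle` documentation. The manifest check assumes the hashes come from a trusted channel (for example pinned in the training code), since a manifest shipped inside the same untrusted checkpoint proves nothing.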

> **Detailed technical analysis**:
> For the complete vulnerability mechanism, exploitation process and defense strategy, refer to the experiment PDF document
> **PoC implementation**: for the PoC author's code, see [CVE-2024-3568](https://github.com/llm-sec/transformer-hacker) or the **author_inf** folder
File Snapshot

[4.0K] /data/pocs/1eb37f2e863096cdf7db6a31b6244a074516372a
├── [4.0K] author_inf
│   ├── [4.0K] CVE-2024-3568
│   │   ├── [4.0K] README.assets
│   │   │   ├── [208K] image-20241020130104077.png
│   │   │   ├── [987K] image-20241020130441654.png
│   │   │   └── [ 21K] image-20241020130557014.png
│   │   └── [ 12K] README.md
│   └── [1.8K] README.md
├── [1.0K] LICENSE
├── [1.0K] main.py
├── [ 610] poc.py
├── [1.7K] README.md
├── [ 820] setup.py
├── [4.0K] src
│   ├── [   0] __init__.py
│   ├── [4.0K] payload
│   │   ├── [4.0K] CVE_2024_3568
│   │   │   ├── [   0] __init__.py
│   │   │   ├── [4.6K] payload_generator.py
│   │   │   ├── [ 802] poc.py
│   │   │   └── [4.0K] __pycache__
│   │   │       ├── [ 180] __init__.cpython-38.pyc
│   │   │       └── [4.4K] payload_generator.cpython-38.pyc
│   │   ├── [   0] __init__.py
│   │   └── [4.0K] __pycache__
│   │       └── [ 166] __init__.cpython-38.pyc
│   ├── [4.0K] __pycache__
│   │   └── [ 158] __init__.cpython-38.pyc
│   └── [4.0K] utils
│       ├── [ 582] command_util.py
│       ├── [ 318] file_util.py
│       ├── [   0] __init__.py
│       └── [4.0K] __pycache__
│           ├── [ 737] command_util.cpython-38.pyc
│           ├── [ 559] file_util.cpython-38.pyc
│           └── [ 164] __init__.cpython-38.pyc
├── [ 344] test2.py
├── [ 229] test.py
└── [3.6M] Transformers中pickle反序列化漏洞利用.pdf

11 directories, 28 files