transformers@4.28.1 vulnerabilities

transformers is a State-of-the-art Machine Learning for JAX, PyTorch and TensorFlow

Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the load_repo_checkpoint function of the TFPreTrainedModel class. An attacker can execute arbitrary code and commands by crafting a malicious serialized payload, exploiting the use of pickle.load on data from potentially untrusted sources. This vulnerability allows for remote code execution by deceiving victims into loading a seemingly harmless checkpoint during a normal training process, thereby enabling attackers to execute arbitrary code on the targeted machine.

Note:

Even if the function calls pickle.load(), which permits remote code execution from an untrusted repo, this function was essentially deprecated and unused code that is not called in any standard workflow, so the attacker would have to induce the user to call this unusual function in addition to preparing a repo with a malicious payload.

Upgrade transformers to version 4.38.0 or higher.

transformers is a State-of-the-art Machine Learning for JAX, PyTorch and TensorFlow

Affected versions of this package are vulnerable to Command Injection via the subprocess.Popen calls. This could potentially allow for the execution of arbitrary code.

Note: It appears that while this issue is generally not critical for the library's primary use cases, it can become more significant in specific production environments. Particularly in scenarios where the library interacts with user-generated input, such as in web application backends, desktop applications, and cloud-based ML services, the risk of arbitrary code execution increases.

Upgrade transformers to version 4.37.0 or higher.

transformers is a State-of-the-art Machine Learning for JAX, PyTorch and TensorFlow

Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the index_name and index_path parameters to the RagRetriever.from_pretrained() function. These can be used to load malicious pickle files remotely, bypassing file checks to execute code on the host.

Upgrade transformers to version 4.36.0 or higher.

transformers is a State-of-the-art Machine Learning for JAX, PyTorch and TensorFlow

Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the TransfoXLTokenizer() function, which can be called on a malicious vocab.pkl automatically. An attacker can bypass the import blacklist and other checks to cause such a file to be naively loaded via pickle.load in 3rd party users of an infected model.

Upgrade transformers to version 4.36.0 or higher.

transformers is a State-of-the-art Machine Learning for JAX, PyTorch and TensorFlow

Affected versions of this package are vulnerable to Insecure Temporary File due to using the deprecated tempfile.mktemp() function which is not secure because a different process may create a file with this name in the time between the call to mktemp() and the subsequent attempt to create the file by the first process.

Upgrade transformers to version 4.30.0 or higher.