transformers@4.3.0rc1 vulnerabilities

transformers is a State-of-the-art Machine Learning for JAX, PyTorch and TensorFlow

Affected versions of this package are vulnerable to Arbitrary Code Injection via the convert_config function. An attacker can execute arbitrary code by supplying a malicious checkpoint file that is processed without proper validation.

Note:

The report of this vulnerability was rejected by the package's maintainers. See the project's security policy for more information.

There is no fixed version for transformers.

transformers is a State-of-the-art Machine Learning for JAX, PyTorch and TensorFlow

Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the parsing process of model files. An attacker can execute arbitrary code in the context of the current user by tricking a user into opening a malicious file or visiting a malicious page that triggers deserialization of untrusted data.

Note:

The report of this vulnerability was rejected by the package's maintainers. See the project's security policy for more information.

There is no fixed version for transformers.

transformers is a State-of-the-art Machine Learning for JAX, PyTorch and TensorFlow

Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the megatron_gpt2 process. An attacker can achieve arbitrary code execution by tricking a user into opening a malicious file or visiting a crafted page that triggers deserialization of untrusted data.

Note:

The report of this vulnerability was rejected by the package's maintainers for being out of scope for the bug bounty program. See the project's security policy for more information.

There is no fixed version for transformers.

transformers is a State-of-the-art Machine Learning for JAX, PyTorch and TensorFlow

Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the parsing of model files. An attacker can execute arbitrary code by tricking a user into opening a specially crafted model file.

Note:

The vendor closed the case as a duplicate of another report.

There is no fixed version for transformers.

transformers is a State-of-the-art Machine Learning for JAX, PyTorch and TensorFlow

Affected versions of this package are vulnerable to Arbitrary Code Injection via the convert_config function. An attacker can execute arbitrary code by supplying a crafted checkpoint file that is processed without proper validation.

Note:

The report of this vulnerability was rejected by the package's maintainers for being out of scope for the bug bounty program. See the project's security policy for more information.

There is no fixed version for transformers.

transformers is a State-of-the-art Machine Learning for JAX, PyTorch and TensorFlow

Affected versions of this package are vulnerable to Deserialization of Untrusted Data in the parsing of checkpoints. An attacker can achieve arbitrary code execution by tricking a user into opening a malicious checkpoint file.

Note:

The report of this vulnerability was rejected by the package's maintainers for being out of scope for the bug bounty program. See the project's security policy for more information.

There is no fixed version for transformers.

transformers is a State-of-the-art Machine Learning for JAX, PyTorch and TensorFlow

Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the parsing of weights. An attacker can execute arbitrary code by tricking a user into visiting a malicious page or opening a malicious file that triggers deserialization of untrusted data.

Note:

The report of this vulnerability was rejected by the package's maintainers for being out of scope for the bug bounty program. See the project's security policy for more information.

There is no fixed version for transformers.

transformers is a State-of-the-art Machine Learning for JAX, PyTorch and TensorFlow

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via the _do_use_weight_decay function. An attacker can cause excessive CPU consumption and make services unresponsive by supplying malicious regular expressions in the include_in_weight_decay or exclude_from_weight_decay lists.

Upgrade transformers to version 4.53.0 or higher.

transformers is a State-of-the-art Machine Learning for JAX, PyTorch and TensorFlow

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via the normalize_numbers function of the EnglishNormalizer class. An attacker can cause excessive CPU consumption and disrupt service availability by submitting specially crafted input strings with long sequences of digits.

Upgrade transformers to version 4.53.0 or higher.

transformers is a State-of-the-art Machine Learning for JAX, PyTorch and TensorFlow

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via the remove_language_code function in the MarianTokenizer class, when handling malformed language code patterns. An attacker can cause excessive CPU consumption and disrupt service availability by submitting specially crafted input strings.

Upgrade transformers to version 4.53.0 or higher.

transformers is a State-of-the-art Machine Learning for JAX, PyTorch and TensorFlow

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via the convert_tf_weight_name_to_pt_weight_name function. An attacker can cause excessive CPU consumption and disrupt service availability by supplying specially crafted input strings that trigger catastrophic backtracking in the regular expression.

Upgrade transformers to version 4.53.0 or higher.

transformers is a State-of-the-art Machine Learning for JAX, PyTorch and TensorFlow

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via the token2json function in the processing_donut module. An attacker can cause high CPU usage and potential application downtime by providing a specially crafted payload.

Upgrade transformers to version 4.52.0 or higher.

transformers is a State-of-the-art Machine Learning for JAX, PyTorch and TensorFlow

Affected versions of this package are vulnerable to Improper Validation of Syntactic Correctness of Input via improper handling of user-supplied URLs by using the startswith() method in image_utils.py. An attacker can cause an application to display a seemingly legitimate YouTube link that actually redirects users to a malicious domain by supplying crafted input.

Upgrade transformers to version 4.52.0 or higher.

transformers is a State-of-the-art Machine Learning for JAX, PyTorch and TensorFlow

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via the preprocess_string function in the transformers.testing_utils module. An attacker can cause high CPU usage and potential application downtime by providing a specially crafted payload.

Upgrade transformers to version 4.50.0 or higher.

transformers is a State-of-the-art Machine Learning for JAX, PyTorch and TensorFlow

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) in the tokenization_gpt_neox_japanese.py file, within the SubWordJapaneseTokenizer class. The regex is designed to match Japanese price expressions, but because many of its components are optional (?, *), it matches overly broad patterns and exhibits exponential backtracking behavior on crafted inputs which can lead to high CPU usage.

Upgrade transformers to version 4.50.0 or higher.

transformers is a State-of-the-art Machine Learning for JAX, PyTorch and TensorFlow

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via the post_process_single function. An attacker can cause high CPU usage and potential application downtime by supplying specially crafted input that triggers excessive backtracking in the regex processing.

Upgrade transformers to version 4.48.0 or higher.

transformers is a State-of-the-art Machine Learning for JAX, PyTorch and TensorFlow

Affected versions of this package are vulnerable to Deserialization of Untrusted Data through the parsing of model files, due to the lack of proper validation of user-supplied data. This is only exploitable if the target visits a malicious page or opens a malicious MaskFormer model file.

Note: The maintainers of this package are not addressing this vulnerability as it is limited to accessory conversion scripts and does not impact core library functions. The need for the attacker to provide a malicious model file which is then converted using the relevant script is considered an unrealistic attack vector. Since mitigation would require the complete removal of these scripts, the issue is not expected to be fixed.

Update: Although still included in the source code, the conversion scripts have been removed from the package's distributable wheels as of version 4.48.0.

Upgrade transformers to version 4.48.0 or higher.

transformers is a State-of-the-art Machine Learning for JAX, PyTorch and TensorFlow

Affected versions of this package are vulnerable to Deserialization of Untrusted Data due to the handling of configuration files. This is only exploitable if the target visits a malicious page or opens a malicious MobileViTV2 config file.

Note: The maintainers of this package are not addressing this vulnerability as it is limited to accessory conversion scripts and does not impact core library functions. The need for the attacker to provide a malicious model file which is then converted using the relevant script is considered an unrealistic attack vector. Since mitigation would require the complete removal of these scripts, the issue is not expected to be fixed.

Update: Although still included in the source code, the conversion scripts have been removed from the package's distributable wheels as of version 4.48.0.

Upgrade transformers to version 4.48.0 or higher.

transformers is a State-of-the-art Machine Learning for JAX, PyTorch and TensorFlow

Affected versions of this package are vulnerable to Deserialization of Untrusted Data through the handling of model files, due to the lack of proper validation of user-supplied data. This is only exploitable if the target visits a malicious page or opens a malicious Trax model file.

Note: The maintainers of this package are not addressing this vulnerability as it is limited to accessory conversion scripts and does not impact core library functions. The need for the attacker to provide a malicious model file which is then converted using the relevant script is considered an unrealistic attack vector. Since mitigation would require the complete removal of these scripts, the issue is not expected to be fixed.

Update: Although still included in the source code, the conversion scripts have been removed from the package's distributable wheels as of version 4.48.0.

Upgrade transformers to version 4.48.0 or higher.

transformers is a State-of-the-art Machine Learning for JAX, PyTorch and TensorFlow

Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the load_repo_checkpoint function of the TFPreTrainedModel class. An attacker can execute arbitrary code and commands by crafting a malicious serialized payload, exploiting the use of pickle.load on data from potentially untrusted sources. This vulnerability allows for remote code execution by deceiving victims into loading a seemingly harmless checkpoint during a normal training process, thereby enabling attackers to execute arbitrary code on the targeted machine.

Note:

Even if the function calls pickle.load(), which permits remote code execution from an untrusted repo, this function was essentially deprecated and unused code that is not called in any standard workflow, so the attacker would have to induce the user to call this unusual function in addition to preparing a repo with a malicious payload.

Upgrade transformers to version 4.38.0 or higher.

transformers is a State-of-the-art Machine Learning for JAX, PyTorch and TensorFlow

Affected versions of this package are vulnerable to Command Injection via the subprocess.Popen calls. This could potentially allow for the execution of arbitrary code.

Note: It appears that while this issue is generally not critical for the library's primary use cases, it can become more significant in specific production environments. Particularly in scenarios where the library interacts with user-generated input, such as in web application backends, desktop applications, and cloud-based ML services, the risk of arbitrary code execution increases.

Upgrade transformers to version 4.37.0 or higher.

transformers is a State-of-the-art Machine Learning for JAX, PyTorch and TensorFlow

Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the index_name and index_path parameters to the RagRetriever.from_pretrained() function. These can be used to load malicious pickle files remotely, bypassing file checks to execute code on the host.

Upgrade transformers to version 4.36.0 or higher.

transformers is a State-of-the-art Machine Learning for JAX, PyTorch and TensorFlow

Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the TransfoXLTokenizer() function, which can be called on a malicious vocab.pkl automatically. An attacker can bypass the import blacklist and other checks to cause such a file to be naively loaded via pickle.load in 3rd party users of an infected model.

Upgrade transformers to version 4.36.0 or higher.

transformers is a State-of-the-art Machine Learning for JAX, PyTorch and TensorFlow

Affected versions of this package are vulnerable to Insecure Temporary File due to using the deprecated tempfile.mktemp() function which is not secure because a different process may create a file with this name in the time between the call to mktemp() and the subsequent attempt to create the file by the first process.

Upgrade transformers to version 4.30.0 or higher.