Description
The huggingface/transformers library is vulnerable to arbitrary code execution through deserialization of untrusted data within the `load_repo_checkpoint()` function of the `TFPreTrainedModel()` class. Attackers can execute arbitrary code and commands by crafting a malicious serialized payload, exploiting the use of `pickle.load()` on data from potentially untrusted sources. This vulnerability allows for remote code execution (RCE) by deceiving victims into loading a seemingly harmless checkpoint during a normal training process, thereby enabling attackers to execute arbitrary code on the targeted machine.
INFO
Published Date :
2024-04-10T17:07:55.667Z
Last Modified :
2024-08-01T20:12:07.859Z
Source :
@huntr_ai
AFFECTED PRODUCTS
The following products are affected by CVE-2024-3568 vulnerability.
| Vendors | Products |
|---|---|
| Huggingface |
|
REFERENCES
Here, you will find a curated list of external links that provide in-depth information to CVE-2024-3568.