transformers@4.19.2 vulnerabilities

transformers is a State-of-the-art Machine Learning for JAX, PyTorch and TensorFlow

Affected versions of this package are vulnerable to Deserialization of Untrusted Data through the parsing of model files, due to the lack of proper validation of user-supplied data. This is only exploitable if the target visits a malicious page or opens a malicious MaskFormer model file.

Note: The maintainers of this package are not addressing this vulnerability as it is limited to accessory conversion scripts and does not impact core library functions. The need for the attacker to provide a malicious model file which is then converted using the relevant script is considered an unrealistic attack vector. Since mitigation would require the complete removal of these scripts, the issue is not expected to be fixed.

Update: Although still included in the source code, the conversion scripts have been removed from the package's distributable wheels as of version 4.48.0.

Upgrade transformers to version 4.48.0 or higher.

transformers is a State-of-the-art Machine Learning for JAX, PyTorch and TensorFlow

Affected versions of this package are vulnerable to Deserialization of Untrusted Data due to the handling of configuration files. This is only exploitable if the target visits a malicious page or opens a malicious MobileViTV2 config file.

Note: The maintainers of this package are not addressing this vulnerability as it is limited to accessory conversion scripts and does not impact core library functions. The need for the attacker to provide a malicious model file which is then converted using the relevant script is considered an unrealistic attack vector. Since mitigation would require the complete removal of these scripts, the issue is not expected to be fixed.

Update: Although still included in the source code, the conversion scripts have been removed from the package's distributable wheels as of version 4.48.0.

Upgrade transformers to version 4.48.0 or higher.

transformers is a State-of-the-art Machine Learning for JAX, PyTorch and TensorFlow

Affected versions of this package are vulnerable to Deserialization of Untrusted Data through the handling of model files, due to the lack of proper validation of user-supplied data. This is only exploitable if the target visits a malicious page or opens a malicious Trax model file.

Note: The maintainers of this package are not addressing this vulnerability as it is limited to accessory conversion scripts and does not impact core library functions. The need for the attacker to provide a malicious model file which is then converted using the relevant script is considered an unrealistic attack vector. Since mitigation would require the complete removal of these scripts, the issue is not expected to be fixed.

Update: Although still included in the source code, the conversion scripts have been removed from the package's distributable wheels as of version 4.48.0.

Upgrade transformers to version 4.48.0 or higher.

transformers is a State-of-the-art Machine Learning for JAX, PyTorch and TensorFlow

Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the load_repo_checkpoint function of the TFPreTrainedModel class. An attacker can execute arbitrary code and commands by crafting a malicious serialized payload, exploiting the use of pickle.load on data from potentially untrusted sources. This vulnerability allows for remote code execution by deceiving victims into loading a seemingly harmless checkpoint during a normal training process, thereby enabling attackers to execute arbitrary code on the targeted machine.

Note:

Even if the function calls pickle.load(), which permits remote code execution from an untrusted repo, this function was essentially deprecated and unused code that is not called in any standard workflow, so the attacker would have to induce the user to call this unusual function in addition to preparing a repo with a malicious payload.

Upgrade transformers to version 4.38.0 or higher.

transformers is a State-of-the-art Machine Learning for JAX, PyTorch and TensorFlow

Affected versions of this package are vulnerable to Command Injection via the subprocess.Popen calls. This could potentially allow for the execution of arbitrary code.

Note: It appears that while this issue is generally not critical for the library's primary use cases, it can become more significant in specific production environments. Particularly in scenarios where the library interacts with user-generated input, such as in web application backends, desktop applications, and cloud-based ML services, the risk of arbitrary code execution increases.

Upgrade transformers to version 4.37.0 or higher.

transformers is a State-of-the-art Machine Learning for JAX, PyTorch and TensorFlow

Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the index_name and index_path parameters to the RagRetriever.from_pretrained() function. These can be used to load malicious pickle files remotely, bypassing file checks to execute code on the host.

Upgrade transformers to version 4.36.0 or higher.

transformers is a State-of-the-art Machine Learning for JAX, PyTorch and TensorFlow

Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the TransfoXLTokenizer() function, which can be called on a malicious vocab.pkl automatically. An attacker can bypass the import blacklist and other checks to cause such a file to be naively loaded via pickle.load in 3rd party users of an infected model.

Upgrade transformers to version 4.36.0 or higher.

transformers is a State-of-the-art Machine Learning for JAX, PyTorch and TensorFlow

Affected versions of this package are vulnerable to Insecure Temporary File due to using the deprecated tempfile.mktemp() function which is not secure because a different process may create a file with this name in the time between the call to mktemp() and the subsequent attempt to create the file by the first process.

Upgrade transformers to version 4.30.0 or higher.