A vulnerability in the HuggingFace Transformers library, specifically in the Trainer class, allows for arbitrary code execution. The _load_rng_state() method in src/transformers/trainer.py at line 3059 calls torch.load() without the weights_only=True parameter. This issue affects all versions of the library supporting torch>=2.2 when used with PyTorch versions below 2.6, as the safe_globals() context manager provides no protection in these versions. An attacker can exploit this vulnerability by supplying a malicious checkpoint file, such as rng_state.pth, which can execute arbitrary code when loaded. The issue is resolved in version v5.0.0rc3.
Weakness
The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Transformers | Huggingface | * | 5.0.0 (excluding) |
| Transformers | Huggingface | 5.0.0-rc0 (including) | 5.0.0-rc0 (including) |
| Transformers | Huggingface | 5.0.0-rc1 (including) | 5.0.0-rc1 (including) |
| Transformers | Huggingface | 5.0.0-rc2 (including) | 5.0.0-rc2 (including) |
Potential Mitigations
- Make fields transient to protect them from deserialization.
- An attempt to serialize and then deserialize a class containing transient fields will result in NULLs where the transient data should be. This is an excellent way to prevent time, environment-based, or sensitive variables from being carried over and used improperly.