The Hugging Face Safetensors conversion service, a pivotal part of the popular collaboration platform, is under scrutiny as cybersecurity researchers unveil a potential vulnerability. HiddenLayer’s recent report exposes a method by which attackers could compromise the service, allowing them to manipulate models submitted by users, leading to supply chain attacks. The threat involves sending malicious pull requests with attacker-controlled data, posing a risk of tampering with any repository on the platform and hijacking models submitted through the conversion service.
The vulnerability is rooted in the Safetensors format designed by Hugging Face to enhance security. However, the conversion service itself becomes a potential point of exploitation, with attackers leveraging a malicious PyTorch binary to compromise the system hosting it. The gravity of the issue is underscored by the potential for arbitrary code execution, enabling threat actors to hijack models without any indication to users. This not only poses a risk to individual users but also introduces a significant supply chain threat, as attackers could alter widely used models, emphasizing the urgent need for the Hugging Face community to address and rectify this security concern promptly.
Reference:
