CVE-2024-3568: HuggingFace Transformers: RCE via pickle deserialization

CRITICAL PoC AVAILABLE
Published April 10, 2024
CISO Take

Any team loading TensorFlow checkpoints with HuggingFace Transformers is exposed to remote code execution — a single malicious checkpoint silently compromises the training machine. Patch immediately and enforce SafeTensors-only checkpoint loading. Audit all checkpoint sources: model hubs, shared drives, and third-party-provided weights are all viable delivery vectors.

What is the risk?

CVSS 9.6 Critical with Changed scope (S:C) — exploitation grants full system compromise beyond the ML process boundary. Low attack complexity and no privileges required make this trivially weaponizable once a malicious checkpoint is staged. User interaction is the only friction, but loading external checkpoints is standard ML practice, so the social engineering required is minimal. Exposure is highest in organizations running fine-tuning, transfer learning, or experiment-resumption workflows that pull weights from community hubs or shared repositories.

What systems are affected?

Package: Transformers
Ecosystem: pip
Vulnerable Range: (not listed)
Patched: No patch

Do you use Transformers? You're affected.

How severe is it?

CVSS 3.1: 9.6 / 10
EPSS: 2.1% chance of exploitation in 30 days (higher than 79% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope (S): Changed
Confidentiality (C): High
Integrity (I): High
Availability (A): High

What should I do?

  1. Patch: Upgrade to transformers version containing commit 693667b8ac8138b83f8adb6522ddaf42fa07c125.

  2. Migrate to SafeTensors: Enforce use_safetensors=True for all checkpoint loading — SafeTensors eliminates pickle deserialization entirely.

  3. Allowlist checkpoint sources: Restrict load_repo_checkpoint() calls to internal, hash-verified artifact stores. Reject externally sourced .ckpt or .bin files without integrity verification.

  4. Sandbox training jobs: Run training workloads in isolated containers or VMs with no access to production credentials or internal networks.

  5. Detection: Alert on unexpected subprocess spawns, outbound network connections, or file writes outside the working directory during model loading.

  6. Audit: Inventory all training scripts calling load_repo_checkpoint() and review checkpoint provenance.
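As an added example (not code from the transformers project or from the advisory), the following checkpoint admission gate implements steps 2 and 3 above: it admits only SafeTensors files whose SHA-256 is on an internal allowlist and refuses pickle-based files, listing the globals they would import for the rejection log. The allowlist contents are a placeholder assumption; the 8-byte little-endian header-length prefix is the published SafeTensors layout.

```python
"""Checkpoint admission gate for the steps above (added example, not transformers
code). Policy: load only SafeTensors files whose SHA-256 is on an internal allowlist;
pickle-based .bin/.ckpt files are refused and the globals they would import are logged."""
import hashlib
import json
import pickletools
import struct

ALLOWED_SHA256: set[str] = set()  # constructed placeholder; fill from an internal store

def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def is_safetensors(data: bytes) -> bool:
    """SafeTensors layout: 8-byte little-endian header size, then a JSON object."""
    if len(data) < 8:
        return False
    size = struct.unpack("<Q", data[:8])[0]
    try:
        return 8 + size <= len(data) and isinstance(json.loads(data[8:8 + size]), dict)
    except ValueError:  # not UTF-8 / not JSON
        return False

def pickle_globals(data: bytes) -> tuple[bool, list[str]]:
    """Return (is_pickle, ['module.name', ...]) without ever unpickling. Name recovery
    is best-effort (memo-fetched strings are not resolved); the verdict never relies on it."""
    names, strings = [], []
    try:
        for op, arg, _ in pickletools.genops(data):  # raises if no STOP or bad opcode
            if op.name in ("SHORT_BINUNICODE", "BINUNICODE", "UNICODE"):
                strings.append(arg)
            elif op.name == "GLOBAL":  # protocol <= 3 encodes "module name"
                names.append(arg.replace(" ", "."))
            elif op.name == "STACK_GLOBAL" and len(strings) >= 2:
                names.append(f"{strings[-2]}.{strings[-1]}")
    except Exception:
        return False, names
    return True, names

def admit_checkpoint(data: bytes, allowed: set[str] = ALLOWED_SHA256) -> tuple[bool, str]:
    digest = sha256_of(data)
    if not is_safetensors(data):
        is_pickle, names = pickle_globals(data)
        if is_pickle:
            return False, f"rejected: pickle checkpoint importing {names}"
        return False, "rejected: not a SafeTensors file"
    if digest not in allowed:
        return False, f"rejected: sha256 {digest} not in allowlist"
    return True, f"admitted: safetensors {digest}"
```

Legitimate PyTorch `.bin` files also reference globals such as `torch._utils._rebuild_tensor_v2`, so under this policy they are rejected too; that is the intended effect of SafeTensors-only loading, not a false positive.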

What does CISA's SSVC say?

Decision: Track
Exploitation: none
Automatable: No
Technical Impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
  • Article 15 - Accuracy, robustness and cybersecurity
  • Article 9 - Risk management system
ISO 42001
  • A.10.1 - AI system security
  • A.6.2.3 - AI supply chain security
NIST AI RMF
  • GOVERN 6.2 - AI risk in the supply chain
  • MANAGE 2.2 - Risk treatment for identified AI risks
OWASP LLM Top 10
  • LLM05:2025 - Improper Output Handling / Supply Chain Vulnerabilities

Frequently Asked Questions

Is CVE-2024-3568 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-3568, increasing the risk of exploitation.

What systems are affected by CVE-2024-3568?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model fine-tuning workflows, MLOps pipelines, transfer learning infrastructure, model serving (checkpoint loading at startup).

What is the CVSS score for CVE-2024-3568?

CVE-2024-3568 has a CVSS v3.1 base score of 9.6 (CRITICAL). The EPSS exploitation probability is 2.07%.

What is the AI security impact?

Affected AI Architectures

  • training pipelines
  • model fine-tuning workflows
  • MLOps pipelines
  • transfer learning infrastructure
  • model serving (checkpoint loading at startup)

MITRE ATLAS Techniques

AML.T0010.003 Model
AML.T0011.000 Unsafe AI Artifacts
AML.T0018.002 Embed Malware
AML.T0058 Publish Poisoned Models
AML.T0072 Reverse Shell

Compliance Controls Affected

EU AI Act: Article 15, Article 9
ISO 42001: A.10.1, A.6.2.3
NIST AI RMF: GOVERN 6.2, MANAGE 2.2
OWASP LLM Top 10: LLM05:2025

What are the technical details?

Original Advisory

The huggingface/transformers library is vulnerable to arbitrary code execution through deserialization of untrusted data within the `load_repo_checkpoint()` function of the `TFPreTrainedModel()` class. Attackers can execute arbitrary code and commands by crafting a malicious serialized payload, exploiting the use of `pickle.load()` on data from potentially untrusted sources. This vulnerability allows for remote code execution (RCE) by deceiving victims into loading a seemingly harmless checkpoint during a normal training process, thereby enabling attackers to execute arbitrary code on the targeted machine.

Exploitation Scenario

An adversary crafts a malicious TensorFlow checkpoint that embeds a Python pickle payload executing a reverse shell or credential harvester. They publish it to HuggingFace Hub under a convincing model name (e.g., 'bert-base-uncased-finetuned-v2') or share it directly with the target team as a pretrained baseline. A data scientist resumes training or runs a fine-tuning script that calls `load_repo_checkpoint()` — the moment the checkpoint loads, the pickle payload executes with the training process's privileges, establishing attacker control over the GPU workstation or cloud training node, exfiltrating AWS/GCP credentials from the environment, and potentially pivoting to the ML platform's model registry or data lake.

Weaknesses (CWE)

CWE-502 — Deserialization of Untrusted Data: The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

  • [Architecture and Design, Implementation] If available, use the signing/sealing features of the programming language to assure that deserialized data has not been tainted. For example, a hash-based message authentication code (HMAC) could be used to ensure that data has not been modified.
  • [Implementation] When deserializing data, populate a new object rather than just deserializing. The result is that the data flows through safe input validation and that the functions are safe.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Timeline

Published
April 10, 2024
Last Modified
October 10, 2025
First Seen
April 10, 2024
