CVE-2024-3568: HuggingFace Transformers: RCE via pickle deserialization

CRITICAL PoC AVAILABLE
Published April 10, 2024
CISO Take

Any team loading TensorFlow checkpoints with HuggingFace Transformers is exposed to remote code execution — a single malicious checkpoint silently compromises the training machine. Patch immediately and enforce SafeTensors-only checkpoint loading. Audit all checkpoint sources: model hubs, shared drives, and third-party-provided weights are all viable delivery vectors.

Risk Assessment

CVSS 9.6 Critical with Changed scope (S:C) — exploitation grants full system compromise beyond the ML process boundary. Low attack complexity and no privileges required make this trivially weaponizable once a malicious checkpoint is staged. User interaction is the only friction, but loading external checkpoints is standard ML practice, so the social engineering required is minimal. Exposure is highest in organizations running fine-tuning, transfer learning, or experiment resumption workflows that pull weights from community hubs or shared repositories.

Affected Systems

Package: transformers
Ecosystem: pip
Patched: No patch

Severity & Risk

CVSS 3.1: 9.6 / 10
EPSS: 24.4% chance of exploitation in 30 days (higher than 96% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium
Public PoC indexed (trickest/cve)
EPSS exploit prediction: 24%
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope (S): Changed
Confidentiality (C): High
Integrity (I): High
Availability (A): High

Recommended Action

6 steps

  1. Patch: Upgrade to a transformers version containing commit 693667b8ac8138b83f8adb6522ddaf42fa07c125.

  2. Migrate to SafeTensors: Enforce `use_safetensors=True` for all checkpoint loading — SafeTensors eliminates pickle deserialization entirely.

  3. Allowlist checkpoint sources: Restrict `load_repo_checkpoint()` calls to internal, hash-verified artifact stores. Reject externally sourced `.ckpt` or `.bin` files without integrity verification.

  4. Sandbox training jobs: Run training workloads in isolated containers or VMs with no access to production credentials or internal networks.

  5. Detection: Alert on unexpected subprocess spawns, outbound network connections, or file writes outside the working directory during model loading.

  6. Audit: Inventory all training scripts calling `load_repo_checkpoint()` and review checkpoint provenance.
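The following is an added example, not code from the transformers project or from this advisory, showing how steps 2 and 3 can be enforced as an admission gate that runs before any loading call. A checkpoint is admitted only if it carries a `.safetensors` extension, parses as a well-formed SafeTensors container (8-byte little-endian header length, JSON header, tensor bytes), and has a SHA-256 digest present in an internal allowlist; pickle-based `.bin`/`.ckpt` files are refused without ever being opened by a deserializer. The allowlist contents, file names, and the `demo()` fixtures are constructed for illustration; the SafeTensors writer is a minimal helper for the demo, not the `safetensors` library. Once a file is admitted, the page's own recommendation applies: load it with `use_safetensors=True`.

```python
"""Checkpoint admission policy: SafeTensors-only, hash-allowlisted (added example)."""
import hashlib
import json
import os
import struct
import tempfile

# SafeTensors container layout: 8-byte little-endian header length, JSON header, raw tensor bytes.
_HEADER_LEN_BYTES = 8
# Constructed allowlist; a real deployment would populate it from an internal artifact store.
APPROVED_DIGESTS = set()


def sha256_file(path):
    """Stream the file through SHA-256 so large checkpoints are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def looks_like_safetensors(path):
    """Validate the container header without touching tensor data. A pickle stream fails here
    because its leading bytes decode to an implausible header length."""
    size = os.path.getsize(path)
    with open(path, "rb") as f:
        prefix = f.read(_HEADER_LEN_BYTES)
        if len(prefix) < _HEADER_LEN_BYTES:
            return False
        (header_len,) = struct.unpack("<Q", prefix)
        if header_len == 0 or _HEADER_LEN_BYTES + header_len > size:
            return False
        header_bytes = f.read(header_len)
    try:
        header = json.loads(header_bytes.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return False
    if not isinstance(header, dict):
        return False
    # Every non-metadata entry must describe a tensor: dtype, shape and data_offsets.
    for name, entry in header.items():
        if name == "__metadata__":
            continue
        if not isinstance(entry, dict) or not {"dtype", "shape", "data_offsets"}.issubset(entry):
            return False
    return True


def vet_checkpoint(path, approved_digests=APPROVED_DIGESTS):
    """Return (admitted, reason). All checks run before any deserialization could happen."""
    if not path.endswith(".safetensors"):
        return False, "refusing non-safetensors checkpoint (pickle-based formats are not admitted)"
    if not looks_like_safetensors(path):
        return False, "malformed safetensors header"
    digest = sha256_file(path)
    if digest not in approved_digests:
        return False, "sha256 %s is not in the approved-artifact allowlist" % digest
    return True, "admitted"


def make_safetensors_file(path, tensors):
    """Write a minimal constructed safetensors file from {name: (dtype, shape, raw_bytes)}."""
    header, blob, offset = {}, b"", 0
    for name, (dtype, shape, data) in tensors.items():
        header[name] = {"dtype": dtype, "shape": shape, "data_offsets": [offset, offset + len(data)]}
        blob += data
        offset += len(data)
    header_bytes = json.dumps(header).encode("utf-8")
    with open(path, "wb") as f:
        f.write(struct.pack("<Q", len(header_bytes)) + header_bytes + blob)


def demo():
    """Build constructed sample files and run the policy over each; returns {case: admitted}."""
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "model.safetensors")
        make_safetensors_file(good, {"w": ("F32", [2], struct.pack("<2f", 0.5, -0.25))})
        approved = {sha256_file(good)}  # the one artifact the internal store has signed off
        unapproved = os.path.join(d, "other.safetensors")
        make_safetensors_file(unapproved, {"w": ("F32", [1], struct.pack("<f", 1.0))})
        legacy = os.path.join(d, "tf_model.bin")  # placeholder bytes; never deserialized
        with open(legacy, "wb") as f:
            f.write(b"placeholder legacy checkpoint content")
        return {
            "approved_safetensors": vet_checkpoint(good, approved)[0],
            "unapproved_safetensors": vet_checkpoint(unapproved, approved)[0],
            "legacy_bin": vet_checkpoint(legacy, approved)[0],
        }


if __name__ == "__main__":
    for case, admitted in demo().items():
        print(case, "admitted" if admitted else "rejected")
```

The order of checks matters: the extension and header checks are cheap and reject pickle-based files before any hash is computed, and the digest comparison is what ties an admitted file back to a specific artifact that provenance review (step 6) has already covered.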

CISA SSVC Assessment

Decision: Track
Exploitation: none
Automatable: No
Technical Impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
  - Article 15 - Accuracy, robustness and cybersecurity
  - Article 9 - Risk management system
ISO 42001
  - A.10.1 - AI system security
  - A.6.2.3 - AI supply chain security
NIST AI RMF
  - GOVERN 6.2 - AI risk in the supply chain
  - MANAGE 2.2 - Risk treatment for identified AI risks
OWASP LLM Top 10
  - LLM05:2025 - Improper Output Handling / Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2024-3568?

CVE-2024-3568 is a deserialization-of-untrusted-data flaw in the huggingface/transformers library: the `load_repo_checkpoint()` function of the `TFPreTrainedModel` class calls `pickle.load()` on checkpoint data, so a crafted TensorFlow checkpoint executes arbitrary code on the machine that loads it. Patch immediately and enforce SafeTensors-only checkpoint loading, and audit all checkpoint sources: model hubs, shared drives, and third-party-provided weights are all viable delivery vectors.

Is CVE-2024-3568 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-3568, increasing the risk of exploitation.

How to fix CVE-2024-3568?

  1. Patch: Upgrade to a transformers version containing commit 693667b8ac8138b83f8adb6522ddaf42fa07c125.
  2. Migrate to SafeTensors: Enforce `use_safetensors=True` for all checkpoint loading — SafeTensors eliminates pickle deserialization entirely.
  3. Allowlist checkpoint sources: Restrict `load_repo_checkpoint()` calls to internal, hash-verified artifact stores. Reject externally sourced `.ckpt` or `.bin` files without integrity verification.
  4. Sandbox training jobs: Run training workloads in isolated containers or VMs with no access to production credentials or internal networks.
  5. Detection: Alert on unexpected subprocess spawns, outbound network connections, or file writes outside the working directory during model loading.
  6. Audit: Inventory all training scripts calling `load_repo_checkpoint()` and review checkpoint provenance.

What systems are affected by CVE-2024-3568?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model fine-tuning workflows, MLOps pipelines, transfer learning infrastructure, model serving (checkpoint loading at startup).

What is the CVSS score for CVE-2024-3568?

CVE-2024-3568 has a CVSS v3.1 base score of 9.6 (CRITICAL). The EPSS exploitation probability is 24.43%.

Technical Details

NVD Description

The huggingface/transformers library is vulnerable to arbitrary code execution through deserialization of untrusted data within the `load_repo_checkpoint()` function of the `TFPreTrainedModel()` class. Attackers can execute arbitrary code and commands by crafting a malicious serialized payload, exploiting the use of `pickle.load()` on data from potentially untrusted sources. This vulnerability allows for remote code execution (RCE) by deceiving victims into loading a seemingly harmless checkpoint during a normal training process, thereby enabling attackers to execute arbitrary code on the targeted machine.

Exploitation Scenario

An adversary crafts a malicious TensorFlow checkpoint that embeds a Python pickle payload executing a reverse shell or credential harvester. They publish it to HuggingFace Hub under a convincing model name (e.g., 'bert-base-uncased-finetuned-v2') or share it directly with the target team as a pretrained baseline. A data scientist resumes training or runs a fine-tuning script that calls `load_repo_checkpoint()` — the moment the checkpoint loads, the pickle payload executes with the training process's privileges, establishing attacker control over the GPU workstation or cloud training node, exfiltrating AWS/GCP credentials from the environment, and potentially pivoting to the ML platform's model registry or data lake.
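The behaviours this scenario describes (a shell spawned by the training process, an outbound connection to an unexpected destination, writes outside the working directory) are exactly what step 5 of the Recommended Action says to alert on. The following is an added example, not part of the original advisory, of detection logic run over a few constructed JSON-lines telemetry events. The event schema (`exec`, `net_connect`, `file_write` records with `pid`, `ppid`, `comm`, `cwd`, `dst`, `port`, `path`) is an assumption standing in for whatever EDR or auditd feed is available; the allowed destinations, process names and sample events are constructed for illustration.

```python
"""Behavioural detection for a model-loading process (added example, constructed telemetry)."""
import json
import os.path

# Assumed policy: the only network destinations a training job is allowed to reach.
ALLOWED_NET_DESTS = {("hub.internal.example", 443)}
# Shells and download/network tooling that a checkpoint load has no reason to spawn.
SUSPICIOUS_CHILDREN = {"sh", "bash", "dash", "zsh", "curl", "wget", "nc", "ncat", "perl"}
# Process names treated as model-loading (training) processes whose children we correlate.
LOADER_PROCESSES = {"python", "python3"}

# Constructed sample feed: a training process, benign activity, then three suspicious events,
# followed by an unrelated shell (ppid 1) that must not be attributed to the loader.
SAMPLE_EVENTS = [
    '{"ts":"2024-04-10T09:00:01Z","type":"exec","pid":4711,"ppid":1,"comm":"python3","cwd":"/home/ds/proj"}',
    '{"ts":"2024-04-10T09:00:02Z","type":"file_write","pid":4711,"path":"/home/ds/proj/logs/train.log"}',
    '{"ts":"2024-04-10T09:00:03Z","type":"net_connect","pid":4711,"dst":"hub.internal.example","port":443}',
    '{"ts":"2024-04-10T09:00:04Z","type":"exec","pid":4712,"ppid":4711,"comm":"sh","cwd":"/home/ds/proj"}',
    '{"ts":"2024-04-10T09:00:05Z","type":"net_connect","pid":4711,"dst":"203.0.113.7","port":4444}',
    '{"ts":"2024-04-10T09:00:06Z","type":"file_write","pid":4711,"path":"/home/ds/.profile"}',
    '{"ts":"2024-04-10T09:00:07Z","type":"exec","pid":4713,"ppid":1,"comm":"sh","cwd":"/home/ds"}',
]


def _inside(path, root):
    """True when path is root itself or a descendant of root, after normalisation."""
    path, root = os.path.normpath(path), os.path.normpath(root)
    return path == root or path.startswith(root + os.sep)


def detect(lines):
    """Return a list of alert dicts for the given JSON-lines telemetry, in event order."""
    loaders = {}  # pid -> working directory of each tracked model-loading process
    alerts = []
    for line in lines:
        ev = json.loads(line)
        kind, pid = ev["type"], ev["pid"]
        if kind == "exec":
            if ev["comm"] in LOADER_PROCESSES:
                loaders[pid] = ev["cwd"]
            elif ev["ppid"] in loaders and ev["comm"] in SUSPICIOUS_CHILDREN:
                alerts.append({"rule": "unexpected_subprocess", "pid": ev["ppid"],
                               "ts": ev["ts"], "detail": ev["comm"]})
        elif kind == "net_connect" and pid in loaders:
            if (ev["dst"], ev["port"]) not in ALLOWED_NET_DESTS:
                alerts.append({"rule": "unexpected_outbound", "pid": pid,
                               "ts": ev["ts"], "detail": "%s:%d" % (ev["dst"], ev["port"])})
        elif kind == "file_write" and pid in loaders:
            if not _inside(ev["path"], loaders[pid]):
                alerts.append({"rule": "write_outside_workdir", "pid": pid,
                               "ts": ev["ts"], "detail": ev["path"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print("%(ts)s pid=%(pid)d %(rule)s %(detail)s" % alert)
```

Correlating on the parent pid is what keeps the rule precise: the unrelated shell at the end of the feed is ignored, while the three events tied to pid 4711 each raise an alert. In production the three rules would feed a single correlated alert on the training process, since any one of them on its own is noisy but all three within seconds of a checkpoint load match the scenario above.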

Weaknesses (CWE)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Timeline

Published: April 10, 2024
Last Modified: October 10, 2025
First Seen: April 10, 2024

Related Vulnerabilities