CVE-2023-2800 Overview
CVE-2023-2800 is an insecure temporary file vulnerability affecting the Huggingface Transformers library prior to version 4.30.0. The vulnerability stems from the use of the deprecated tempfile.mktemp() function, which creates predictable temporary file names that can be exploited in race condition attacks.
Critical Impact
Local attackers with low privileges can exploit predictable temporary file paths to perform symlink attacks or cause denial of service conditions, potentially disrupting machine learning workflows and model operations.
Affected Products
- Huggingface Transformers versions prior to 4.30.0
- Applications and pipelines utilizing vulnerable Transformers library functions
- Machine learning environments downloading models via the Transformers hub utilities
Discovery Timeline
- 2023-05-18 - CVE-2023-2800 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2023-2800
Vulnerability Analysis
This vulnerability is classified as CWE-377 (Insecure Temporary File). The root issue lies in the src/transformers/utils/hub.py module, which used Python's deprecated tempfile.mktemp() function for creating temporary files during model and resource downloads.
The mktemp() function generates a filename but does not actually create the file, creating a time-of-check to time-of-use (TOCTOU) race condition window. During this gap, an attacker with local access could create a file or symlink at the predicted path before the legitimate application opens it.
This vulnerability requires local access and has high attack complexity, making exploitation non-trivial but still a valid security concern in shared computing environments commonly used for machine learning workloads.
Root Cause
The vulnerability originates from using the deprecated tempfile.mktemp() function instead of secure alternatives. The mktemp() function only returns a filename string without atomically creating the file, leaving the application vulnerable to symlink attacks and race conditions.
Python's official documentation explicitly warns against using mktemp() due to these security implications. The secure alternative is tempfile.mkstemp(), which atomically creates the file with exclusive access, returning both a file descriptor and the path.
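The difference between the two calls is easiest to see by running them side by side. The following script is an added example, not code from the Transformers project: it returns the name mktemp() hands back and shows that nothing exists at that path yet (the TOCTOU window described above), then creates a file with mkstemp() and checks the properties the fix relies on: the path already exists, it is a regular file with mode 0600 rather than a symlink, a second exclusive create on the same name fails, and the data is written through the returned descriptor rather than by reopening the name. The `demo()` helper and the `b"model bytes"` payload are constructed for the example; the mode check assumes a POSIX filesystem.

```python
import os
import stat
import tempfile


def insecure_temp_path() -> str:
    """Pre-4.30.0 pattern: mktemp() only returns a name, it creates nothing on disk."""
    return tempfile.mktemp()


def secure_temp_file() -> tuple[int, str]:
    """Patched pattern: mkstemp() creates the file atomically (O_CREAT|O_EXCL, mode 0o600)
    and returns the open descriptor together with the path."""
    return tempfile.mkstemp()


def race_window_exists(path: str) -> bool:
    """True when nothing is at the path yet: the gap in which another local user could
    place a file or symlink there before the application opens it."""
    return not os.path.lexists(path)


def write_via_fd(fd: int, data: bytes) -> int:
    """Write through the descriptor mkstemp() returned instead of reopening by name,
    so the bytes land in exactly the file that was created exclusively."""
    with os.fdopen(fd, "wb") as f:  # adopts and later closes fd
        return f.write(data)


def is_private_regular_file(path: str) -> bool:
    """lstat() does not follow symlinks, so a symlink planted at the path would fail here."""
    st = os.lstat(path)
    return stat.S_ISREG(st.st_mode) and (st.st_mode & 0o777) == 0o600


def exclusive_create_fails(path: str) -> bool:
    """A second O_EXCL create on the mkstemp() path must fail: the name is already claimed."""
    try:
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    except FileExistsError:
        return True
    os.close(fd)
    return False


def demo() -> dict:
    """Constructed comparison of both patterns; returns the observations as a dict."""
    insecure = insecure_temp_path()
    fd, secure = secure_temp_file()
    result = {
        "mktemp_window": race_window_exists(insecure),      # True: nothing created yet
        "mkstemp_exists": os.path.exists(secure),            # True: created atomically
        "mkstemp_private": is_private_regular_file(secure),  # True: regular file, 0600
        "mkstemp_exclusive": exclusive_create_fails(secure), # True: name already taken
    }
    result["bytes_written"] = write_via_fd(fd, b"model bytes")  # constructed payload
    os.unlink(secure)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point to keep from the example is the pair `fd, path = tempfile.mkstemp()` followed by `os.fdopen(fd, "wb")`: the descriptor from the atomic create is the one written to, so no second lookup by name happens at all.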
Attack Vector
The attack vector is local, requiring the attacker to have low-privilege access to the target system. An attacker could:
- Predict the temporary file path that will be generated by mktemp()
- Create a symlink at that path pointing to a sensitive file or critical resource
- When the Transformers library then opens and writes to the "temporary file," the write follows the symlink, so data is redirected to the attacker-chosen target or a denial of service condition occurs
" that this is not compatible with the caching system (your file will be downloaded at each execution) or"
" multiple processes (each process will download the file in a different temporary file)."
)
- tmp_file = tempfile.mktemp()
+ tmp_file = tempfile.mkstemp()[1]
with open(tmp_file, "wb") as f:
http_get(url, f, proxies=proxies)
return tmp_file
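Review bot: the replacement line `tmp_file = tempfile.mkstemp()[1]` throws away the file descriptor that mkstemp() returns, so every download leaks one open descriptor and the file is then reopened by name in `with open(tmp_file, "wb") as f:`. Prefer `fd, tmp_file = tempfile.mkstemp()` followed by `with os.fdopen(fd, "wb") as f:` (or at least `os.close(fd)` before the open) so the descriptor from the atomic create is the one written to and nothing is left open.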
Source: GitHub Commit Change
Detection Methods for CVE-2023-2800
Indicators of Compromise
- Unexpected symlinks appearing in temporary directories (/tmp, /var/tmp, or system-specific temp locations)
- Abnormal file operations or permission errors when Transformers library attempts to download models
- Unexplained application crashes or availability problems during model loading operations
Detection Strategies
- Implement software composition analysis (SCA) tools to identify Transformers library versions below 4.30.0 in your environment
- Monitor for unusual symlink creation patterns in temporary directories used by Python applications
- Audit Python dependencies across machine learning pipelines for deprecated function usage
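Two of the strategies above, flagging Transformers installations below 4.30.0 and auditing Python code for the deprecated call, can be scripted. The following is an added example, not tooling from the Transformers project or any SCA vendor: `is_vulnerable_version()` compares a version string against 4.30.0, and `find_mktemp_calls()` parses Python source with the standard `ast` module and reports every call to `tempfile.mktemp`, including calls through a module alias (`import tempfile as tf`) or a `from tempfile import mktemp` import. The `SAMPLE_SOURCE` string is constructed for the example; in practice you would feed it the contents of each `.py` file in a pipeline or site-packages tree.

```python
import ast

FIXED_VERSION = (4, 30, 0)


def _parse_version(version: str) -> tuple[int, int, int]:
    """Turn '4.29.2' or '4.30.0.dev0' into a three-part integer tuple.
    Assumes a dotted numeric prefix; non-numeric suffixes are ignored."""
    parts = []
    for piece in version.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    parts += [0] * (3 - len(parts))
    return tuple(parts[:3])


def is_vulnerable_version(version: str) -> bool:
    """True for any Transformers version below the fixed release 4.30.0."""
    return _parse_version(version) < FIXED_VERSION


def find_mktemp_calls(source: str, filename: str = "<constructed>") -> list[tuple[str, int]]:
    """Return (filename, line) for each call to tempfile.mktemp in the given source."""
    tree = ast.parse(source, filename=filename)
    module_names = set()   # names the tempfile module is bound to
    func_names = set()     # names mktemp itself is bound to
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name == "tempfile":
                    module_names.add(alias.asname or "tempfile")
        elif isinstance(node, ast.ImportFrom) and node.module == "tempfile":
            for alias in node.names:
                if alias.name == "mktemp":
                    func_names.add(alias.asname or "mktemp")
    hits = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        if (isinstance(func, ast.Attribute) and func.attr == "mktemp"
                and isinstance(func.value, ast.Name) and func.value.id in module_names):
            hits.append((filename, node.lineno))
        elif isinstance(func, ast.Name) and func.id in func_names:
            hits.append((filename, node.lineno))
    return sorted(hits)


# Constructed sample: three insecure call forms and one correct mkstemp() use.
SAMPLE_SOURCE = '''\
import tempfile
import tempfile as tf
from tempfile import mktemp as mk

def bad_a():
    return tempfile.mktemp()

def bad_b():
    return tf.mktemp(suffix=".bin")

def bad_c():
    return mk()

def good():
    return tempfile.mkstemp()[1]
'''


if __name__ == "__main__":
    for v in ("4.29.2", "4.30.0"):
        print(v, "vulnerable" if is_vulnerable_version(v) else "fixed")
    for fname, line in find_mktemp_calls(SAMPLE_SOURCE):
        print(f"{fname}:{line}: tempfile.mktemp() call")
```

The AST walk is deliberately narrow: it only matches the `tempfile` module and the `mktemp` name, so a project's own unrelated `mktemp` helper is not reported, and a `grep` for the bare word would be noisier.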
Monitoring Recommendations
- Enable file integrity monitoring on systems running Transformers-based applications
- Log and alert on repeated failed file creation attempts in temporary directories
- Track library version updates through dependency management tools to ensure timely patching
How to Mitigate CVE-2023-2800
Immediate Actions Required
- Upgrade Huggingface Transformers library to version 4.30.0 or later immediately
- Audit all machine learning pipelines and applications for vulnerable Transformers versions
- Review any custom code that may have copied the insecure temporary file pattern
- Restrict access to shared computing environments where possible
Patch Information
The fix was implemented in commit 80ca92470938bbcc348e2d9cf4734c7c25cb1c43, which replaces the deprecated tempfile.mktemp() call with the secure tempfile.mkstemp() function. The mkstemp() function atomically creates the file and returns a tuple containing the file descriptor and path, eliminating the race condition window.
For detailed patch information, refer to the GitHub Commit Change and the Huntr Bug Bounty Report.
Workarounds
- If immediate upgrading is not possible, apply stricter permissions on temporary directories
- Use isolated container environments for machine learning workloads to limit local attack surface
- Implement mount options such as noexec on temporary directories where feasible
# Upgrade Huggingface Transformers to patched version
# (the requirement specifier is quoted so the shell does not treat ">=" as a redirect)
pip install --upgrade "transformers>=4.30.0"
# Verify installed version
pip show transformers | grep Version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.