Skip to content

Add SECURITY.md and report RCE issue #17

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
michaelpierre wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Add SECURITY.md and report RCE issue #17

michaelpierre wants to merge 1 commit into from
+15 −0

Conversation

@michaelpierre
Copy link

@michaelpierre michaelpierre commented Apr 9, 2025

This adds a SECURITY.md file for responsible disclosure.

In the process of reviewing the project, I identified a critical vulnerability (Remote Code Execution) in several demo scripts.

I have not made any details public, but I’m happy to provide a private proof-of-concept to the maintainers via email or secure message.

Let me know how you’d like to proceed.

@michaelpierre
Add SECURITY.md and report RCE issue
a44ef6a 
This commit adds a SECURITY.md file and also documents a discovered vulnerability in the way the repo loads external Hugging Face models.

The demo scripts use `trust_remote_code=True` without validation, which allows for remote code execution (RCE) when a user supplies a malicious model path.

The vulnerability is not disclosed publicly, and the model repository used for testing has been made private to prevent abuse.

Please refer to the pull request body for full details.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@michaelpierre