Researchers Uncover Flaws in Popular Open-Source Machine Learning Frameworks

Dec 06, 2024Ravie LakshmananArtificial Intelligence / Vulnerability

Cybersecurity researchers have disclosed multiple security flaws impacting open-source machine learning (ML) tools and frameworks such as MLflow, H2O, PyTorch, and MLeap that could pave the way for code execution.

The vulnerabilities, discovered by JFrog, are part of a broader collection of 22 security shortcomings the supply chain security company first disclosed last month.

Unlike the first set that involved flaws on the server-side, the newly detailed ones allow exploitation of ML clients and reside in libraries that handle safe model formats like Safetensors.

“Hijacking an ML client in an organization can allow the attackers to perform extensive lateral movement within the organization,” the company said. “An ML client is very likely to have access to important ML services such as ML Model Registries or MLOps Pipelines.”

This, in turn, could expose sensitive information such as model registry credentials, effectively permitting a malicious actor to backdoor stored ML models or achieve code execution.

The list of vulnerabilities is below –

• CVE-2024-27132 (CVSS score: 7.2) – An insufficient sanitization issue in MLflow that leads to a cross-site scripting (XSS) attack when running an untrusted recipe in a Jupyter Notebook, ultimately resulting in client-side remote code execution (RCE)
• CVE-2024-6960 (CVSS score: 7.5) – An unsafe deserialization issue in H20 when importing an untrusted ML model, potentially resulting in RCE
• A path traversal issue in PyTorch’s TorchScript feature that could result in denial-of-service (DoS) or code execution due to arbitrary file overwrite, which could then be used to overwrite critical system files or a legitimate pickle file (No CVE identifier)
• CVE-2023-5245 (CVSS score: 7.5) – A path traversal issue in MLeap when loading a saved model in zipped format can lead to a Zip Slip vulnerability, resulting in arbitrary file overwrite and potential code execution

JFrog noted that ML models shouldn’t be blindly loaded even in cases where they are loaded from a safe type, such as Safetensors, as they have the capability to achieve arbitrary code execution.

“AI and Machine Learning (ML) tools hold immense potential for innovation, but can also open the door for attackers to cause widespread damage to any organization,” Shachar Menashe, JFrog’s VP of Security Research, said in a statement.

“To safeguard against these threats, it’s important to know which models you’re using and never load untrusted ML models even from a ‘safe’ ML repository. Doing so can lead to remote code execution in some scenarios, causing extensive harm to your organization.”