Custom ‘attention’ kernels bypass RCE defenses
AI models hosted on Hugging Face can contain custom Python code, which can present a serious security risk if downloaded and executed alongside the model automatically. In the past this capability has been abused by attackers, which is why a parameter called trust_remote_code: was added to configurations. When set to false, it is meant to give developers an assurance that additional code will not be automatically executed.
However, in March last year, Hugging Face added a feature called Hub Kernels that allows users to host custom compiled attention kernels. These kernels improve the performance of models when loaded on GPUs and require an additional package called kernels.
The presence of this package on the machine is required to exploit this vulnerability, which is a limiting factor at first glance. However, even though it’s an optional dependency, having the kernels package installed is not uncommon, especially because most users who run local AI models want to benefit from GPU acceleration and will install Transformers with all “extras” packages.