Text To Image
Hi guys, it's retr0reg, I made this tool just for you (: This tool is safe and sound!
- See, there's no HF Warning and stuff
- and you can use it without Trust Remote Code On!
- https://0reg.dev is a fun website
Hope You enjoy it!
Why did I load this but nothing happened?!
This is actually a PoC project for a patched huggingface/transformers vulnerability.
In transformers' `transformers.load_tool` (which can be accessed via `from transformers import tools; tools.load_tool` or `transformers.load_tool`), with the call chain `load_tool()` -> `Tool.from_hub()` -> `get_class_from_dynamic_module()` -> `get_class_in_module()` -> `importlib.import_module(module_path)`, the program will execute arbitrary Python commands from a maliciously built repo (without any HuggingFace warnings on the Hub, and no `trust_remote_code` is required). This can cause arbitrary OS command execution, create a reverse-shell connection, or even start a worm attack via the HuggingFace Hub.
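Because the chain ends in `importlib.import_module(module_path)`, everything at module level in the repo's tool file runs on load, including class bodies, decorators and default argument values. The following is an added example, not part of this PoC or of transformers: a stdlib-only check that lists the calls a downloaded tool file would execute at import time, without importing it. The function name `import_time_calls` and the sample source are constructed for illustration.

```python
import ast

def import_time_calls(source: str, filename: str = "<tool>"):
    """Return sorted (lineno, code) pairs for calls that run when the module is imported."""
    findings = []

    def visit(node):
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef, ast.Lambda)):
            # A function body is deferred until the function is called, but its
            # decorators and default argument values are evaluated at import.
            eager = [] if isinstance(node, ast.Lambda) else list(node.decorator_list)
            eager += node.args.defaults
            eager += [d for d in node.args.kw_defaults if d is not None]
            for child in eager:
                visit(child)
            return
        if isinstance(node, ast.Call):
            findings.append((node.lineno, ast.unparse(node)))
        # Class bodies are NOT skipped: they execute during import.
        for child in ast.iter_child_nodes(node):
            visit(child)

    visit(ast.parse(source, filename))
    return sorted(findings)

# Constructed sample of a tool module (parsed only, never executed here).
SAMPLE = '''\
import subprocess

def helper(x, stamp=subprocess.check_output(["date"])):
    return subprocess.run(x)

class TextToImage:
    banner = print("loaded")

    def __call__(self, prompt):
        return helper(prompt)

subprocess.run(["echo", "import-time"])
'''

if __name__ == "__main__":
    for lineno, code in import_time_calls(SAMPLE):
        print(f"line {lineno}: runs at import -> {code}")
```

An empty result does not prove a file is safe (for example, imported modules are not followed); a non-empty one shows exactly what would run before any tool method is called.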