Skip to content

Harden extract_model_ops: default trust_remote_code=False (CVE-2026-5241)#3076

Merged
edsavage merged 2 commits into
elastic:mainfrom
edsavage:fix/extract-model-ops-trust-remote-code
Jul 15, 2026
Merged

Harden extract_model_ops: default trust_remote_code=False (CVE-2026-5241)#3076
edsavage merged 2 commits into
elastic:mainfrom
edsavage:fix/extract-model-ops-trust-remote-code

Conversation

@edsavage

Copy link
Copy Markdown
Contributor

Summary

Addresses Dependabot alert #12CVE-2026-5241 / GHSA-fgcw-684q-jj6r (High): RCE via the transformers LightGlue loading path, where a model repo's nested config.json can override the caller's trust_remote_code and execute arbitrary code. Patched upstream in transformers 5.5.0.

We cannot simply bump transformers to >=5.5.0: transformers 5.0 removed TorchScript support (the torchscript=True config + torch.jit tracing) that extract_model_ops/validate_allowlist depend on to build the TorchScript op allowlist for bin/pytorch_inference. A version bump would break the tool and its CMake/CI validation target.

Instead we harden the actual attack vector, which is a better fit here:

  • The vulnerable code path is not reachable: this is a dev/CI-only tool that only loads a curated set of NLP encoder models (BERT, RoBERTa, ELSER, e5, BART-MNLI, …) — never LightGlue — and it is not part of any shipped ml-cpp artifact.
  • The loader nonetheless passed trust_remote_code=True unconditionally, which is exactly the mechanism CVE-2026-5241 abuses and is unnecessary for these native architectures.

Changes

  • torchscript_utils.py: add a per-model trust_remote_code option (default False) and thread it through load_and_trace_hf_model; all three from_pretrained calls now honour it. Loads are safe-by-default.
  • extract_model_ops.py / validate_allowlist.py: pass the per-model flag through.
  • reference_models.json / validation_models.json: opt trust_remote_code: true only for jina-embeddings-v5-text-nano, which genuinely ships custom modeling code (verified: it requires trust_remote_code=True). Every other model loads natively with it off.
  • requirements.txt: document why we stay on transformers 4.x and why the CVE is not reachable here.
  • README.md: document the new field + the safe-by-default rationale.
  • dev-tools/unittest/test_extract_model_ops_config.py: new tests for the default/opt-in behaviour, incl. a guard that the bundled configs only ever trust vetted models. Skipped where torch/transformers are absent (lean CI unittest env); run in the tool's venv.

Test plan

  • python3 -m pytest dev-tools/unittest/ -q → 68 passed, 2 skipped (git-integration); new config tests pass locally with torch 2.7.1 / transformers 4.48.0
  • load_model_config on both real configs: trust_remote_code is False everywhere except jina-embeddings-v5-text-nano
  • py_compile of all three modified scripts
  • Full validate_pytorch_inference_models run in the venv (loads models over the network) to confirm native models still trace with the flag off

Recommendation on the alert

Suggest dismissing Dependabot #12 as not exploitable / risk tolerated once this merges: the fix version drops TorchScript support the tool needs, the CVE path is unreachable (curated NLP models, dev-only tool), and this PR removes the underlying trust_remote_code exposure. Upgrading to transformers 5.x (re-engineering op extraction off TorchScript, min Python 3.10) can be tracked separately if we later want to stay current.

Made with Cursor

Harden the TorchScript op-allowlist dev tool against the class of issue behind
CVE-2026-5241 (RCE via a model repo's config overriding the caller's
trust_remote_code). The loader previously passed trust_remote_code=True
unconditionally for every model.

- torchscript_utils: add a per-model trust_remote_code option (default False)
  and thread it through load_and_trace_hf_model; loads are now safe-by-default.
- extract_model_ops.py / validate_allowlist.py: pass the per-model flag through.
- reference/validation_models.json: opt in trust_remote_code only for the
  vetted jina-embeddings-v5 model, which genuinely ships custom modeling code.
- requirements.txt: document why we stay on transformers 4.x (5.0 removed the
  TorchScript support this tool relies on) and that the CVE is not reachable
  here (curated NLP models, never LightGlue; dev/CI-only tool).
- README + unit tests for the new default/opt-in behaviour.

Co-authored-by: Cursor <cursoragent@cursor.com>
@edsavage edsavage added >non-issue ci:skip-es-tests no-backport Skip automatic backport when this PR merges (version-bump automation) labels Jul 13, 2026
@edsavage edsavage added the :ml label Jul 13, 2026
@elasticsearchmachine

Copy link
Copy Markdown

Pinging @elastic/ml-core (Team:ML)

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR hardens the dev-tools/extract_model_ops HuggingFace loading/tracing path by making trust_remote_code safe-by-default (False) and requiring explicit per-model opt-in, mitigating the trust_remote_code exposure described in CVE-2026-5241 while keeping the tool compatible with transformers 4.x (TorchScript dependency).

Changes:

  • Add a trust_remote_code per-model config option (default False) and thread it through all relevant from_pretrained() calls.
  • Update bundled model configs to opt in only for jina-embeddings-v5-text-nano.
  • Add unit tests ensuring the default/opt-in behavior and guarding that bundled configs only trust vetted models.

Reviewed changes

Copilot reviewed 8 out of 8 changed files in this pull request and generated 1 comment.

Show a summary per file
File Description
dev-tools/extract_model_ops/torchscript_utils.py Adds trust_remote_code to config normalization and threads it through HF loading/tracing.
dev-tools/extract_model_ops/extract_model_ops.py Passes trust_remote_code from config into tracing/extraction.
dev-tools/extract_model_ops/validate_allowlist.py Passes trust_remote_code from config into model validation runs.
dev-tools/extract_model_ops/reference_models.json Opts in trust_remote_code: true only for the Jina v5 model; adds explanatory comment.
dev-tools/extract_model_ops/validation_models.json Same opt-in and comment for validation config.
dev-tools/extract_model_ops/requirements.txt Documents the transformers 4.x pin rationale and the mitigation approach.
dev-tools/extract_model_ops/README.md Documents the new config field and safe-by-default rationale.
dev-tools/unittest/test_extract_model_ops_config.py Adds tests for default/opt-in behavior and a guardrail for bundled configs.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread dev-tools/extract_model_ops/torchscript_utils.py Outdated
Since this flag gates remote code execution, a non-bool value (e.g. the
string "false", which is truthy) must not be silently coerced into enabling
it. Reject non-bool trust_remote_code with a ValueError, matching the
existing malformed-entry checks, with a regression test.

Co-authored-by: Cursor <cursoragent@cursor.com>
@edsavage edsavage merged commit 7525400 into elastic:main Jul 15, 2026
16 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

ci:skip-es-tests :ml no-backport Skip automatic backport when this PR merges (version-bump automation) >non-issue v9.6.0

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants