Harden extract_model_ops: default trust_remote_code=False (CVE-2026-5241)#3076
Merged
edsavage merged 2 commits intoJul 15, 2026
Merged
Conversation
Harden the TorchScript op-allowlist dev tool against the class of issue behind CVE-2026-5241 (RCE via a model repo's config overriding the caller's trust_remote_code). The loader previously passed trust_remote_code=True unconditionally for every model. - torchscript_utils: add a per-model trust_remote_code option (default False) and thread it through load_and_trace_hf_model; loads are now safe-by-default. - extract_model_ops.py / validate_allowlist.py: pass the per-model flag through. - reference/validation_models.json: opt in trust_remote_code only for the vetted jina-embeddings-v5 model, which genuinely ships custom modeling code. - requirements.txt: document why we stay on transformers 4.x (5.0 removed the TorchScript support this tool relies on) and that the CVE is not reachable here (curated NLP models, never LightGlue; dev/CI-only tool). - README + unit tests for the new default/opt-in behaviour. Co-authored-by: Cursor <cursoragent@cursor.com>
|
Pinging @elastic/ml-core (Team:ML) |
There was a problem hiding this comment.
Pull request overview
This PR hardens the dev-tools/extract_model_ops HuggingFace loading/tracing path by making trust_remote_code safe-by-default (False) and requiring explicit per-model opt-in, mitigating the trust_remote_code exposure described in CVE-2026-5241 while keeping the tool compatible with transformers 4.x (TorchScript dependency).
Changes:
- Add a
trust_remote_codeper-model config option (defaultFalse) and thread it through all relevantfrom_pretrained()calls. - Update bundled model configs to opt in only for
jina-embeddings-v5-text-nano. - Add unit tests ensuring the default/opt-in behavior and guarding that bundled configs only trust vetted models.
Reviewed changes
Copilot reviewed 8 out of 8 changed files in this pull request and generated 1 comment.
Show a summary per file
| File | Description |
|---|---|
| dev-tools/extract_model_ops/torchscript_utils.py | Adds trust_remote_code to config normalization and threads it through HF loading/tracing. |
| dev-tools/extract_model_ops/extract_model_ops.py | Passes trust_remote_code from config into tracing/extraction. |
| dev-tools/extract_model_ops/validate_allowlist.py | Passes trust_remote_code from config into model validation runs. |
| dev-tools/extract_model_ops/reference_models.json | Opts in trust_remote_code: true only for the Jina v5 model; adds explanatory comment. |
| dev-tools/extract_model_ops/validation_models.json | Same opt-in and comment for validation config. |
| dev-tools/extract_model_ops/requirements.txt | Documents the transformers 4.x pin rationale and the mitigation approach. |
| dev-tools/extract_model_ops/README.md | Documents the new config field and safe-by-default rationale. |
| dev-tools/unittest/test_extract_model_ops_config.py | Adds tests for default/opt-in behavior and a guardrail for bundled configs. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Since this flag gates remote code execution, a non-bool value (e.g. the string "false", which is truthy) must not be silently coerced into enabling it. Reject non-bool trust_remote_code with a ValueError, matching the existing malformed-entry checks, with a regression test. Co-authored-by: Cursor <cursoragent@cursor.com>
4 tasks
valeriy42
approved these changes
Jul 15, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Addresses Dependabot alert #12 — CVE-2026-5241 / GHSA-fgcw-684q-jj6r (High): RCE via the transformers LightGlue loading path, where a model repo's nested
config.jsoncan override the caller'strust_remote_codeand execute arbitrary code. Patched upstream intransformers5.5.0.We cannot simply bump
transformersto>=5.5.0: transformers 5.0 removed TorchScript support (thetorchscript=Trueconfig +torch.jittracing) thatextract_model_ops/validate_allowlistdepend on to build the TorchScript op allowlist forbin/pytorch_inference. A version bump would break the tool and its CMake/CI validation target.Instead we harden the actual attack vector, which is a better fit here:
trust_remote_code=Trueunconditionally, which is exactly the mechanism CVE-2026-5241 abuses and is unnecessary for these native architectures.Changes
torchscript_utils.py: add a per-modeltrust_remote_codeoption (defaultFalse) and thread it throughload_and_trace_hf_model; all threefrom_pretrainedcalls now honour it. Loads are safe-by-default.extract_model_ops.py/validate_allowlist.py: pass the per-model flag through.reference_models.json/validation_models.json: opttrust_remote_code: trueonly forjina-embeddings-v5-text-nano, which genuinely ships custom modeling code (verified: it requirestrust_remote_code=True). Every other model loads natively with it off.requirements.txt: document why we stay ontransformers4.x and why the CVE is not reachable here.README.md: document the new field + the safe-by-default rationale.dev-tools/unittest/test_extract_model_ops_config.py: new tests for the default/opt-in behaviour, incl. a guard that the bundled configs only ever trust vetted models. Skipped wheretorch/transformersare absent (lean CI unittest env); run in the tool's venv.Test plan
python3 -m pytest dev-tools/unittest/ -q→ 68 passed, 2 skipped (git-integration); new config tests pass locally with torch 2.7.1 / transformers 4.48.0load_model_configon both real configs:trust_remote_codeisFalseeverywhere exceptjina-embeddings-v5-text-nanopy_compileof all three modified scriptsvalidate_pytorch_inference_modelsrun in the venv (loads models over the network) to confirm native models still trace with the flag offRecommendation on the alert
Suggest dismissing Dependabot #12 as not exploitable / risk tolerated once this merges: the fix version drops TorchScript support the tool needs, the CVE path is unreachable (curated NLP models, dev-only tool), and this PR removes the underlying
trust_remote_codeexposure. Upgrading to transformers 5.x (re-engineering op extraction off TorchScript, min Python 3.10) can be tracked separately if we later want to stay current.Made with Cursor