CVSS: 9.0 | EPSS: 0% | CPEs: 1 | EXPL: 2

CVE-2024-3924 – Code Injection in huggingface/text-generation-inference
https://notcve.org/view.php?id=CVE-2024-3924
30 May 2024 — A code injection vulnerability exists in the huggingface/text-generation-inference repository, specifically within the `autodocs.yml` workflow file. The vulnerability arises from the insecure handling of the `github.head_ref` user input, which is used to dynamically construct a command for installing a software package. An attacker can exploit this by forking the repository, creating a branch with a malicious payload as the name, and then opening a pull request to the base repository. Successful exploitatio...
• https://github.com/zunak/CVE-2024-39249
• CWE-94: Improper Control of Generation of Code ('Code Injection')