CVE-2024-3924
Description
A code injection vulnerability exists in the huggingface/text-generation-inference repository, specifically within the autodocs.yml workflow file. The vulnerability arises from the insecure handling of the github.head_ref user input, which is used to dynamically construct a command for installing a software package. An attacker can exploit this by forking the repository, creating a branch with a malicious payload as the name, and then opening a pull request to the base repository. Successful exploitation could lead to arbitrary code execution within the context of the GitHub Actions runner. This issue affects versions up to and including v2.0.0 and was fixed in version 2.0.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A code injection vulnerability in the autodocs.yml workflow of huggingface/text-generation-inference allows arbitrary code execution via a malicious branch name in a pull request.
Vulnerability
Overview
The vulnerability resides in the autodocs.yml GitHub Actions workflow of the huggingface/text-generation-inference repository. The workflow dynamically constructs a cargo install command using the github.head_ref variable, which is derived from the branch name of a pull request. This input is not sanitized, allowing an attacker to inject arbitrary commands by crafting a branch name containing shell metacharacters [2][3].
Exploitation
Prerequisites
An attacker can exploit this by forking the repository, creating a branch with a malicious payload as its name, and then opening a pull request to the base repository. No additional authentication is required beyond standard GitHub pull request mechanics. The workflow automatically executes on pull request events, triggering the injected command within the GitHub Actions runner [2].
Impact
Successful exploitation leads to arbitrary code execution in the context of the GitHub Actions runner. This could allow an attacker to exfiltrate secrets, modify repository contents, or pivot to other systems accessible from the runner [2].
Mitigation
The issue was fixed in version 2.0.0 via commit 88702d8, which uses environment variables to safely pass the branch name to the command, preventing injection [3]. The repository is now in maintenance mode, accepting only minor fixes [1]. Users should upgrade to v2.0.0 or later to mitigate the vulnerability.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
text-generationPyPI | < 2.0.0 | 2.0.0 |
Affected products
1- Range: v0.2.0, v0.2.1, v0.3.0, …
Patches
188702d876383Fixing CI. (#1748)
1 file changed · +4 −1
.github/workflows/autodocs.yml+4 −1 modified@@ -13,7 +13,10 @@ jobs: - name: Install Launcher id: install-launcher - run: cargo install --git https://github.com/${{ github.repository }} --branch ${{ github.head_ref }} text-generation-launcher + env: + REF: ${{ github.head_ref }} + REPO: ${{ github.repository }} + run: cargo install --git "https://github.com/$REPO" --branch "$REF" text-generation-launcher - name: Check launcher Docs are up-to-date run: |
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
4News mentions
0No linked articles in our index yet.