Description
FlashAttention through 2.8.3.post1, fixed in commit 0816ef1, contains a symlink attack vulnerability in the download_and_copy() function within hopper/setup.py that extracts NVIDIA toolchain archives without validating symlinks or filtering tar members. A local attacker can pre-plant a symlink in the predictable cache directory to redirect extracted binaries to an attacker-chosen location, enabling arbitrary file write with victim privileges during build time.
Problem types
Improper Link Resolution Before File Access ('Link Following')
Product status
Any version
0816ef12f424c6ec94b057a72c275b14f6e6edb2 (git)
Credits
YU SUN
References
github.com/Dao-AILab/flash-attention/issues/2637
github.com/Dao-AILab/flash-attention/issues/2637 (Researcher Disclosure)
github.com/Dao-AILab/flash-attention/pull/2702 (Pull Request)
github.com/...ommit/0816ef12f424c6ec94b057a72c275b14f6e6edb2 (Patch Commit)
www.vulncheck.com/...a-tarfile-extractall-in-hopper-setup-py