Flash Attention
Monthly
Arbitrary file write via symlink attack in FlashAttention's build toolchain (through 2.8.3.post1) allows a local low-privileged attacker to redirect NVIDIA archive extraction to attacker-controlled paths by pre-planting a symlink in the predictable cache directory before a victim initiates a build. The hopper/setup.py download_and_copy() function called tarfile.extractall() without symlink validation or path confinement, meaning extracted NVIDIA toolchain binaries could be written anywhere accessible to the victim's process. No active exploitation is confirmed in CISA KEV, but a publicly available proof-of-concept exists at GitHub issue #2637 and a vendor patch is available in commit 0816ef1.
Arbitrary file write via symlink attack in FlashAttention's build toolchain (through 2.8.3.post1) allows a local low-privileged attacker to redirect NVIDIA archive extraction to attacker-controlled paths by pre-planting a symlink in the predictable cache directory before a victim initiates a build. The hopper/setup.py download_and_copy() function called tarfile.extractall() without symlink validation or path confinement, meaning extracted NVIDIA toolchain binaries could be written anywhere accessible to the victim's process. No active exploitation is confirmed in CISA KEV, but a publicly available proof-of-concept exists at GitHub issue #2637 and a vendor patch is available in commit 0816ef1.