TensorFlow.js and Transformers.js Security Issues in JavaScript and TypeScript Applications

Introduction

TensorFlow.js and Transformers.js allow developers to run machine learning models directly in JavaScript and TypeScript environments. They are widely adopted for preprocessing, inference, and integrating AI into web and Node.js applications. Their ease of use conceals significant application security issues.

Untrusted Model Execution in TensorFlow.js

TensorFlow.js enables execution of models in the browser or Node.js. Many projects download pre-trained models directly from unverified sources. This creates a clear supply chain vulnerability. In 2021, security researchers demonstrated that a poisoned model could contain malicious layers that triggered JavaScript execution in the client runtime. A developer who imported such a model from an untrusted repository unknowingly gave attackers arbitrary code execution inside end-user browsers.

Model Poisoning in Transformers.js

Transformers.js provides access to Hugging Face models in TypeScript. Attackers can poison embeddings or alter tokenizers to leak sensitive input data. For example, a poisoned sentiment analysis model can be modified to include hidden output channels. When queried with sensitive text, it returns encoded tokens representing the data. In production pipelines, this creates covert data exfiltration from otherwise trusted inference calls.

Dependency Bloat and Native Bindings

Both libraries depend on large dependency graphs with native bindings. TensorFlow.js relies on WebGL and WASM backends. Attackers can target outdated WASM runtimes with buffer overflow exploits. In 2022, multiple WASM sandbox escapes were published, showing how attacker-supplied data could break isolation and execute arbitrary code on the host system.

MITRE ATT&CK Mapping

Conclusion

TensorFlow.js and Transformers.js expand AI capabilities in JavaScript, but they also expand the attack surface. Poisoned models, covert exfiltration channels, and WASM runtime exploits create direct risks for application security teams. Defenses must include verifying model provenance, scanning model files for anomalies, and continuously monitoring runtime behavior during inference.

References

• Carlini, N., et al. (2021). Extracting Training Data from Large Language Models. arXiv. https://arxiv.org/abs/2012.07805
  
• MITRE ATT&CK®. (2024). ATT&CK Techniques. MITRE. https://attack.mitre.org/
  
• Hugging Face. (2024). Security best practices for model use. Hugging Face Docs. https://huggingface.co/docs
  
• Google. (2023). TensorFlow.js security considerations. TensorFlow Documentation. https://www.tensorflow.org/js