CVE-2025-14930 Hugging Face Transformers GLM4 Deserialization of Untrusted Data Remote Code Execution Vulnerability

🗓️ 23 Dec 2025 21:04:52Reported by zdiType

Hugging Face Transformers GLM4 deserialization of untrusted data enables remote code execution.

Reporter	Title	Published	Views	Family All 25
IBM Security Bulletins	Security Bulletin: Multiple vulnerabilities in IBM Observability with Instana (OnPrem)	17 Mar 202611:17	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Maximo Application Suite - Visual Inspection component uses transformers-4.57.3-py3-none-any.whl which is vulnerable to CVE-2025-14920, CVE-2025-14921, CVE-2025-14924, CVE-2025-14926, CVE-2025-14927, CVE-2025-14928, CVE-2025-14929.	2 Mar 202613:39	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Maximo Application Suite - Monitor Component uses transformers-4.53.0-py3-none-any.whl which is vulnerable to multiple CVEs.	27 Feb 202611:37	–	ibm
IBM Security Bulletins	Security Bulletin: Maximo AI Service uses multiple third party dependencies which is vulnerable to multiple CVEs.	31 Mar 202612:56	–	ibm
IBM Security Bulletins	Security Bulletin: Vulnerabilities in Hugging Face Transformers bundled with IBM Fusion, IBM Fusion HCI and Content-Aware Storage	13 May 202610:51	–	ibm
IBM Security Bulletins	Security Bulletin: Security vulnerability in Python affects IBM Robotic Process Automation and IBM Robotic Process Automation for Cloud Pak	14 May 202613:48	–	ibm
Circl	CVE-2025-14930	18 Dec 202505:00	–	circl
CNNVD	Hugging Face Transformers 代码问题漏洞	23 Dec 202500:00	–	cnnvd
CVE	CVE-2025-14930	23 Dec 202521:04	–	cve
EUVD	EUVD-2025-204827	23 Dec 202521:30	–	euvd

[
  {
    "vendor": "Hugging Face",
    "product": "Transformers",
    "versions": [
      {
        "version": "4.57.1",
        "status": "affected"
      }
    ],
    "defaultStatus": "unknown"
  }
]

Source	Link
zerodayinitiative	www.zerodayinitiative.com/advisories/ZDI-25-1145/

23 Dec 2025 21:04Current

CVSS 37.8

EPSS0.00477

CWE-502