Security Bulletin: Vulnerabilities in Hugging Face Transformers bundled with IBM Fusion, IBM Fusion HCI and Content-Aware Storage

Summary IBM Fusion, IBM Fusion HCI and Content-Aware Storage includes the Hugging Face Transformers library, which could allow a remote attacker to execute arbitrary code on affected installations. These vulnerabilities exist due to the lack of proper validation of user-supplied data during the...

Arbitrary Code Injection

Overview transformers is a State-of-the-art Machine Learning for JAX, PyTorch and TensorFlow Affected versions of this package are vulnerable to Arbitrary Code Injection via the convertconfig function. An attacker can execute arbitrary code by supplying a malicious checkpoint file that is process...

PYSEC-2025-215

Hugging Face Transformers SEW-D convertconfig Code Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the...

PYSEC-2025-215

Hugging Face Transformers SEW-D convertconfig Code Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the...

CVE-2025-14927

The CVE-2025-14927 issue affects Hugging Face Transformers SEW-D, specifically the convert_config function. The flaw results from insufficient validation of a user-supplied string before it is used to execute Python code, enabling arbitrary code execution in the caller’s context when converting a...