Lucene search
+L

232 matches found

OSV
OSV
added 2025/03/20 10:11 a.m.9 views

CVE-2024-12720 Regular Expression Denial of Service (ReDoS) in huggingface/transformers

A Regular Expression Denial of Service ReDoS vulnerability was identified in the huggingface/transformers library, specifically in the file tokenizationnougatfast.py. The vulnerability occurs in the postprocesssingle function, where a regular expression processes specially crafted input. The issu...

5.3CVSS6.4AI score0.00684EPSS
Exploits0References4
CVE
CVE
added 2025/03/20 10:11 a.m.254 views

CVE-2024-12720

CVE-2024-12720 affects Hugging Face Transformers, in particular the file tokenization_nougat_fast.py within the post_process_single() function. The issue is a RegEx that can exhibit exponential backtracking, leading to high CPU usage and potential DoS under crafted input. Affected version cited: ...

7.5CVSS6.8AI score0.00684EPSS
Exploits0References2Affected Software1
Cvelist
Cvelist
added 2025/03/20 10:11 a.m.21 views

CVE-2024-12720 Regular Expression Denial of Service (ReDoS) in huggingface/transformers

A Regular Expression Denial of Service ReDoS vulnerability was identified in the huggingface/transformers library, specifically in the file tokenizationnougatfast.py. The vulnerability occurs in the postprocesssingle function, where a regular expression processes specially crafted input. The issu...

5.3CVSS0.00684EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2025/03/20 12:0 a.m.4 views

PT-2025-12141

Name of the Vulnerable Software and Affected Versions huggingface/transformers version v4.46.3 Description A Regular Expression Denial of Service ReDoS issue was identified in the huggingface/transformers library, specifically in the file tokenization nougat fast.py. The issue occurs in the post...

7.5CVSS6.5AI score0.00684EPSS
Exploits0References11
Positive Technologies
Positive Technologies
added 2025/03/07 12:0 a.m.9 views

PT-2025-28150

Name of the Vulnerable Software and Affected Versions: huggingface/transformers version 4.49.0 Description: A Regular Expression Denial of Service ReDoS vulnerability was discovered in the huggingface/transformers repository. The vulnerability is due to inefficient regular expression complexity i...

7.8CVSS6.4AI score0.0043EPSS
Exploits1References14
OSV
OSV
added 2025/01/27 8:50 p.m.17 views

GHSA-RH4J-5RHW-HR54 vllm: Malicious model to RCE by torch.load in hf_model_weights_iterator

Description The vllm/modelexecutor/weightutils.py implements hfmodelweightsiterator to load the model checkpoint, which is downloaded from huggingface. It use torch.load function and weightsonly parameter is default value False. There is a security warning on...

7.5CVSS7.8AI score0.00694EPSS
Exploits0References8
Huntr
Huntr
added 2024/11/26 7:9 a.m.5 views

Remote Code Execution via Unsafe Torch Load in TransfoXLCorpus

Description This is a new bypass to the patch of my previous report, in which the maintainers only apply the "TRUSTREMOTECODE" to guard the vulnerable code of vocabdict = pickle.loadf, but overlooked another vulnerable code of corpusdict = torch.loadresolvedcorpusfile without setting...

7.6AI score
Exploits0
OSSF Malicious Packages
OSSF Malicious Packages
added 2024/11/06 6:46 p.m.3 views

Malicious code in huggingface-hubs (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 1d238b4266e7eb2a0fbda69d410f875e0625c30fcf79647d89c6e3358cbdcb55 A campaign of probably pentest packages flooding PYPI. Installing the package or importing the module triggers reporting basic info like hostname, path and the...

7.1AI score
Exploits0References1
OSV
OSV
added 2024/11/06 6:46 p.m.12 views

MAL-2024-10727 Malicious code in huggingface-hubs (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 1d238b4266e7eb2a0fbda69d410f875e0625c30fcf79647d89c6e3358cbdcb55 A campaign of probably pentest packages flooding PYPI. Installing the package or importing the module triggers reporting basic info like hostname, path and the...

7AI score
Exploits0References1
OSSF Malicious Packages
OSSF Malicious Packages
added 2024/10/12 5:2 p.m.5 views

Malicious code in huggingface-vscode (npm)

--- -= Per source details. Do not edit below this line.=- Source: ossf-package-analysis 05d5f0f4f0cc4f4b8a99f6a6b4c1ca2e0aa13ab6cd2d0d7fd3e7a23a2d9593cb The OpenSSF Package Analysis project identified 'huggingface-vscode' @ 100.2.2 npm as malicious. It is considered malicious because: - The packa...

6.9AI score
Exploits0
OSV
OSV
added 2024/10/12 5:2 p.m.9 views

MAL-2024-9282 Malicious code in huggingface-vscode (npm)

--- -= Per source details. Do not edit below this line.=- Source: ossf-package-analysis 05d5f0f4f0cc4f4b8a99f6a6b4c1ca2e0aa13ab6cd2d0d7fd3e7a23a2d9593cb The OpenSSF Package Analysis project identified 'huggingface-vscode' @ 100.2.2 npm as malicious. It is considered malicious because: - The packa...

7.1AI score
Exploits0
OSV
OSV
added 2024/06/04 12:15 p.m.5 views

CVE-2024-4254

The 'deploy-website.yml' workflow in the gradio-app/gradio repository, specifically in the 'main' branch, is vulnerable to secrets exfiltration due to improper authorization. The vulnerability arises from the workflow's explicit checkout and execution of code from a fork, which is unsafe as it...

7.1CVSS5.9AI score0.0047EPSS
Exploits1References1
OSV
OSV
added 2024/06/02 10:30 p.m.59 views

GHSA-QQ99-P57R-G3V7 code injection vulnerability exists in the huggingface/text-generation-inference repository

A code injection vulnerability exists in the huggingface/text-generation-inference repository, specifically within the autodocs.yml workflow file. The vulnerability arises from the insecure handling of the github.headref user input, which is used to dynamically construct a command for installing ...

4.4CVSS5.3AI score0.00316EPSS
Exploits0References4
Github Security Blog
Github Security Blog
added 2024/06/02 10:30 p.m.36 views

code injection vulnerability exists in the huggingface/text-generation-inference repository

A code injection vulnerability exists in the huggingface/text-generation-inference repository, specifically within the autodocs.yml workflow file. The vulnerability arises from the insecure handling of the github.headref user input, which is used to dynamically construct a command for installing ...

4.4CVSS7.4AI score0.00316EPSS
Exploits0References4Affected Software1
NVD
NVD
added 2024/05/30 3:15 p.m.25 views

CVE-2024-3924

A code injection vulnerability exists in the huggingface/text-generation-inference repository, specifically within the autodocs.yml workflow file. The vulnerability arises from the insecure handling of the github.headref user input, which is used to dynamically construct a command for installing ...

4.4CVSS5.4AI score0.00316EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2024/05/30 2:59 p.m.30 views

CVE-2024-3924 Code Injection in huggingface/text-generation-inference

A code injection vulnerability exists in the huggingface/text-generation-inference repository, specifically within the autodocs.yml workflow file. The vulnerability arises from the insecure handling of the github.headref user input, which is used to dynamically construct a command for installing ...

4.4CVSS7.8AI score0.00316EPSS
Exploits0References2
OSV
OSV
added 2024/05/30 2:59 p.m.19 views

CVE-2024-3924 Code Injection in huggingface/text-generation-inference

A code injection vulnerability exists in the huggingface/text-generation-inference repository, specifically within the autodocs.yml workflow file. The vulnerability arises from the insecure handling of the github.headref user input, which is used to dynamically construct a command for installing ...

4.4CVSS6.5AI score0.00316EPSS
Exploits0References4
Spring Security Advisories
Spring Security Advisories
added 2024/05/14 12:0 a.m.40 views

This Week in Spring - May 14th, 2024

Hi, Spring fans! Welcome to another installment of This Week in Spring! This week's highlights in the Spring ecosystem emphasize the ongoing advancements and applications of Spring AI. The discussions range from exploring the impressive VectorStore abstraction and enhanced structured output suppo...

7.1AI score
Exploits0
OSV
OSV
added 2024/04/16 12:30 a.m.31 views

GHSA-G9CJ-CFPP-4G2X gradio vulnerable to Path Traversal

An issue was discovered in gradio-app/gradio, where the /componentserver endpoint improperly allows the invocation of any method on a Component class with attacker-controlled arguments. Specifically, by exploiting the moveresourcetoblockcache method of the Block class, an attacker can copy any fi...

7.5CVSS7.2AI score0.09239EPSS
Exploits4References5
NVD
NVD
added 2024/04/16 12:15 a.m.25 views

CVE-2024-1561

An issue was discovered in gradio-app/gradio, where the /componentserver endpoint improperly allows the invocation of any method on a Component class with attacker-controlled arguments. Specifically, by exploiting the moveresourcetoblockcache method of the Block class, an attacker can copy any fi...

7.5CVSS7.3AI score0.09239EPSS
Exploits4References3
Rows per page
Query Builder