509 matches found
CVE-2025-14930
A flaw was found in the Hugging Face Transformers library. The parsing of weights fails to validate user-supplied data, causing a deserialization of untrusted data. An attacker can exploit this issue by providing a malicious GLM4 model, resulting in arbitrary code execution in the context of the...
CVE-2025-14928
A flaw was found in the Hugging Face Transformers library. The convertconfig function fails to validate a user-supplied string before using it to execute Python code. An attacker can exploit this flaw by providing a malicious HuBERT model checkpoint, causing arbitrary code execution in the contex...
CVE-2025-14929
A flaw was found in the Hugging Face Transformers library. The parsing of checkpoints fails to validate user-supplied data, causing a deserialization of untrusted data. An attacker can exploit this issue by providing a malicious X-CLIP model, resulting in arbitrary code execution in the context o...
CVE-2025-14927
A flaw was found in the Hugging Face Transformers library. The convertconfig function fails to validate a user-supplied string before using it to execute Python code. An attacker can exploit this flaw by providing a malicious SEW-D model checkpoint, causing arbitrary code execution in the context...
CVE-2025-14926
A flaw was found in the Hugging Face Transformers library. The convertconfig function fails to validate a user-supplied string before using it to execute Python code. An attacker can exploit this flaw by providing a malicious SEW model checkpoint, causing arbitrary code execution in the context o...
CVE-2025-14924
A flaw was found in the Hugging Face Transformers library. The parsing of checkpoints fails to validate user-supplied data, causing a deserialization of untrusted data. An attacker can exploit this issue by providing a malicious megatrongpt2 model, resulting in arbitrary code execution in the...
CVE-2025-14920
A flaw was found in the Hugging Face Transformers library. The parsing of model files fails to validate user-supplied data, causing a deserialization of untrusted data. An attacker can exploit this issue by providing a malicious Perceiver model or convincing a user to visit a malicious page,...
CVE-2025-14921
A flaw was found in the Hugging Face Transformers library. The parsing of model files fails to validate user-supplied data, causing a deserialization of untrusted data. An attacker can exploit this issue by providing a malicious Transformer-XL model, resulting in arbitrary code execution in the...
Arbitrary Code Injection
Overview transformers is a State-of-the-art Machine Learning for JAX, PyTorch and TensorFlow Affected versions of this package are vulnerable to Arbitrary Code Injection via the convertconfig function. An attacker can execute arbitrary code by supplying a malicious checkpoint file that is process...
01os (=0.0.14), 3-04-2025-ttm (=0.1.0) +11444 more potentially affected by CVE-2025-14927 via transformers (>=2.10.0 <=5.9.0)
transformers PYPI version =2.10.0, =0.1.0, =0.1.3, =0.1.0, =0.1.0, =0.0.1, =0.1.0.dev1, =0.1.0, =0.10.11, =0.5.5, =0.0.4.80, =4.0.2 - aait-store-cut-part-001 =0.0.1 and more Source cves: CVE-2025-14927 Source advisory: SNYK:PYTHON-TRANSFORMERS-14564366...
01os (=0.0.14), 3-04-2025-ttm (=0.1.0) +11444 more potentially affected by CVE-2025-14928 via transformers (>=2.10.0 <=5.9.0)
transformers PYPI version =2.10.0, =0.1.0, =0.1.3, =0.1.0, =0.1.0, =0.0.1, =0.1.0.dev1, =0.1.0, =0.10.11, =0.5.5, =0.0.4.80, =4.0.2 - aait-store-cut-part-001 =0.0.1 and more Source cves: CVE-2025-14928 Source advisory: SNYK:PYTHON-TRANSFORMERS-14564364...
Arbitrary Code Injection
Overview transformers is a State-of-the-art Machine Learning for JAX, PyTorch and TensorFlow Affected versions of this package are vulnerable to Arbitrary Code Injection via the convertconfig function. An attacker can execute arbitrary code by supplying a malicious checkpoint file that is process...
01os (=0.0.14), 3-04-2025-ttm (=0.1.0) +11444 more potentially affected by CVE-2025-14921 via transformers (>=2.10.0 <=5.9.0)
transformers PYPI version =2.10.0, =0.1.0, =0.1.3, =0.1.0, =0.1.0, =0.0.1, =0.1.0.dev1, =0.1.0, =0.10.11, =0.5.5, =0.0.4.80, =4.0.2 - aait-store-cut-part-001 =0.0.1 and more Source cves: CVE-2025-14921 Source advisory: SNYK:PYTHON-TRANSFORMERS-14564365...
Deserialization of Untrusted Data
Overview transformers is a State-of-the-art Machine Learning for JAX, PyTorch and TensorFlow Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the parsing process of model files. An attacker can execute arbitrary code in the context of the current user by...
Deserialization of Untrusted Data
Overview transformers is a State-of-the-art Machine Learning for JAX, PyTorch and TensorFlow Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the megatrongpt2 process. An attacker can achieve arbitrary code execution by tricking a user into opening a...
01os (=0.0.14), 3-04-2025-ttm (=0.1.0) +11444 more potentially affected by CVE-2025-14924 via transformers (>=2.10.0 <=5.9.0)
transformers PYPI version =2.10.0, =0.1.0, =0.1.3, =0.1.0, =0.1.0, =0.0.1, =0.1.0.dev1, =0.1.0, =0.10.11, =0.5.5, =0.0.4.80, =4.0.2 - aait-store-cut-part-001 =0.0.1 and more Source cves: CVE-2025-14924 Source advisory: SNYK:PYTHON-TRANSFORMERS-14564363...
Deserialization of Untrusted Data
Overview transformers is a State-of-the-art Machine Learning for JAX, PyTorch and TensorFlow Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the parsing of model files. An attacker can execute arbitrary code by tricking a user into opening a specially...
01os (=0.0.14), 3-04-2025-ttm (=0.1.0) +3856 more potentially affected by CVE-2025-14920 via transformers (>=2.10.0 <=5.0.0rc0)
transformers PYPI version =2.10.0, =0.10.11, =0.5.5, =0.0.4.80, =0.2.1, =0.1.0, =0.1.1, =1.3.8, =1.5.3 - acace-coherence-checker =0.1.0 - acace-compression-engine =0.1.0 - acace-semantic-analyzer =0.1.0 - acace-sentiment-analyzer =0.1.0 and more Source cves: CVE-2025-14920 Source advisory:...
01os (=0.0.14), 3-04-2025-ttm (=0.1.0) +11444 more potentially affected by CVE-2025-14929 via transformers (>=2.10.0 <=5.9.0)
transformers PYPI version =2.10.0, =0.1.0, =0.1.3, =0.1.0, =0.1.0, =0.0.1, =0.1.0.dev1, =0.1.0, =0.10.11, =0.5.5, =0.0.4.80, =4.0.2 - aait-store-cut-part-001 =0.0.1 and more Source cves: CVE-2025-14929 Source advisory: SNYK:PYTHON-TRANSFORMERS-14564275...
Deserialization of Untrusted Data
Overview transformers is a State-of-the-art Machine Learning for JAX, PyTorch and TensorFlow Affected versions of this package are vulnerable to Deserialization of Untrusted Data in the parsing of checkpoints. An attacker can achieve arbitrary code execution by tricking a user into opening a...