Lucene search
K

16 matches found

CVE
CVE
added 2024/11/22 9:23 p.m.303 views

CVE-2024-11394

Summary of affected IBM products and CVEs (CVE-2024-11392 / 11393 / 11394) Multiple IBM security bulletins report that Hugging Face Transformers deserialization vulnerabilities may allow remote code execution (RCE) when user-supplied model files are deserialized without proper validation. The CVE...

8.8CVSS9AI score0.02415EPSS
CVE
CVE
added 2024/11/22 9:23 p.m.290 views

CVE-2024-11393

CVE-2024-11393 (MaskFormer) is a deserialization-based remote code execution in Hugging Face Transformers. The issue arises from untrusted data in model file parsing, enabling code execution on the caller’s context after user interaction. Public advisories in connected IBM/IBM Cloud Pak for Data ...

8.8CVSS9AI score0.02894EPSS
CVE
CVE
added 2024/11/22 9:23 p.m.288 views

CVE-2024-11392

CVE-2024-11392 is a deserialization-based remote code execution vulnerability in Hugging Face Transformers that IBM-related bulletins connect to. In the connected IBM advisories, exploitation pertains to multiple IBM products using Transformers components, notably: IBM Watson Speech Services Cart...

8.8CVSS7.9AI score0.06898EPSS
CVE
CVE
added 2025/03/20 10:11 a.m.252 views

CVE-2024-12720

CVE-2024-12720 affects Hugging Face Transformers, in particular the file tokenization_nougat_fast.py within the post_process_single() function. The issue is a RegEx that can exhibit exponential backtracking, leading to high CPU usage and potential DoS under crafted input. Affected version cited: ...

7.5CVSS6.8AI score0.00684EPSS
CVE
CVE
added 2025/04/29 11:30 a.m.216 views

CVE-2025-1194

CVE-2025-1194 – ReDoS in HuggingFace Transformers (GPT-NeoX-Japanese SubWordJapaneseTokenizer) The CVE describes a Regular Expression Denial of Service in the HuggingFace transformers package, specifically in tokenization_gpt_neox_japanese.py (GPT-NeoX-Japanese model). The vulnerability arises fr...

6.5CVSS4.5AI score0.00384EPSS
CVE
CVE
added 2024/04/10 5:7 p.m.115 views

CVE-2024-3568

The CVE-2024-3568 issue affects the Hugging Face Transformers library, where an unsafe deserialization in TFPreTrainedModel.load_repo_checkpoint() uses pickle.load() on data from untrusted sources, enabling remote code execution via a malicious checkpoint. Documented impact targets Transformers v...

9.6CVSS8.4AI score0.02067EPSS
CVE
CVE
added 2025/07/07 9:55 a.m.110 views

CVE-2025-3777

CVE-2025-3777 : In Hugging Face Transformers, versions up to 4.49.0 are affected by improper input validation in image_utils.py due to insecure URL validation with startswith(), bypassable via URL username injection. Attackers could craft URLs that appear to be from YouTube but resolve to malicio...

3.5CVSS4AI score0.00329EPSS
CVE
CVE
added 2025/08/06 11:53 a.m.102 views

CVE-2025-5197

The CVE-2025-5197 ReDoS vulnerability affects Hugging Face Transformers in the convert_tf_weight_name_to_pt_weight_name() function, where the regex /[^/]___([^/] )/ can cause excessive CPU usage via catastrophic backtracking. Affected versions: up to 4.51.3, with a fix in 4.53.0. Practical impact...

5.3CVSS5AI score0.00391EPSS
CVE
CVE
added 2023/05/18 12:0 a.m.69 views

CVE-2023-2800

CVE-2023-2800 affects Hugging Face Transformers (prior to 4.30.0). Insecure temporary file creation via tempfile.mktemp() could enable local denial of service. The IBM/IBM Cloud Pak bulletin and GH advisories confirm the workaround: upgrade Transformers to 4.30.0 or newer.

4.7CVSS4.6AI score0.00282EPSS
CVE
CVE
added 2026/05/24 1:40 p.m.67 views

CVE-2026-4372

CVE-2026-4372 affects HuggingFace transformers prior to 5.3.0. A malicious config.json can set _attn_implementation_internal to an attacker-controlled HuggingFace Hub repo ID. When a victim loads a model with AutoModelForCausalLM.from_pretrained(), the library downloads and executes arbitrary Pyt...

7.8CVSS7.8AI score0.00479EPSS
CVE
CVE
added 2023/12/20 4:13 p.m.66 views

CVE-2023-7018

Technical details about CVE-2023-7018 are not publicly disclosed in the provided documents. No affected products/versions or exploit information are included. Monitor for updates from the listed sources and corroborating advisories.

9.6CVSS7.8AI score0.00727EPSS
CVE
CVE
added 2023/12/19 12:11 p.m.62 views

CVE-2023-6730

The CVE-2023-6730 issue affects the Hugging Face transformers library and is caused by deserialization of untrusted data in the package prior to version 4.36. Specifically, untrusted input could be deserialized during normal operation of transformers, leading to potential impact as described in t...

9CVSS8.7AI score0.00921EPSS
CVE
CVE
added 2026/04/07 5:22 a.m.58 views

CVE-2026-1839

CVE-2026-1839 concerns the HuggingFace Transformers library, affecting the Trainer class. The root cause is an unsafe load in src/transformers/trainer.py: _load_rng_state() calls torch.load() without weights_only=True, which can allow arbitrary code execution when loading a malicious checkpoint (...

7.8CVSS7AI score0.00349EPSS
CVE
CVE
added 2025/07/11 9:22 a.m.43 views

CVE-2025-3933

CVE-2025-3933 (Hugging Face Transformers) A ReDoS vulnerability exists in the DonutProcessor.token2json() implementation where the regex pattern (and a similar pattern in later mention) can cause catastrophic backtracking and high CPU usage. Affected: Transformers versions 4.50.3 and earlier. Im...

5.3CVSS5.2AI score0.00431EPSS
CVE
CVE
added 2025/07/07 9:54 a.m.32 views

CVE-2025-3262

CVE-2025-3262 — Hugging Face Transformers ReDoS : In version 4.49.0 of the transformers repository, the regex in SETTING_RE within transformers/commands/chat.py enables exponential backtracking under crafted inputs, causing denial-of-service (DoS) risk. The issue is fixed in version 4.51.0. Remed...

7.5CVSS5AI score0.0043EPSS
CVE
CVE
added 2025/09/23 1:56 p.m.23 views

CVE-2025-6921

CVE-2025-6921 affects the huggingface/transformers library prior to 4.53.0, causing a Regular Expression Denial of Service (ReDoS) in the AdamWeightDecay optimizer via unsafe handling in _do_use_weight_decay of include_in_weight_decay/exclude_from_weight_decay. IBM Maximo Application Suite Monito...

7.5CVSS5.4AI score0.00467EPSS