transformers is vulnerable to Insecure Temporary Files. The vulnerability exists inside download_url due to the use of the deprecated function tempfile.mktemp(), which creates temporary file names that are fundamentally insecure because they do not ensure exclusive access to a file with the temporary name they return. There is no guarantee that the creation and open operations will happen atomically, which provides an opportunity for an attacker to interfere with the availability of the file before it is opened.
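
The pattern described above next to its hardened form, as an added example that is not the transformers source code. The function names are hypothetical and the written bytes are constructed; only tempfile.mktemp() comes from the advisory, and tempfile.mkstemp() is the standard-library replacement used here.

```python
import os
import stat
import tempfile


def insecure_temp_write(data: bytes) -> str:
    """Pattern from the advisory: the name is chosen first, the file opened later."""
    path = tempfile.mktemp()         # returns a name only; nothing is created
    # Window: another local process can create `path` before the open() below.
    with open(path, "wb") as fh:     # open() accepts a file that already exists
        fh.write(data)
    return path


def secure_temp_write(data: bytes) -> str:
    """Hardened form: mkstemp() creates and opens the file in one atomic step."""
    fd, path = tempfile.mkstemp()    # O_CREAT | O_EXCL with mode 0o600
    with os.fdopen(fd, "wb") as fh:  # write through the descriptor already held
        fh.write(data)
    return path


def mktemp_leaves_name_unclaimed() -> bool:
    """True if the name returned by mktemp() does not exist on disk yet."""
    return not os.path.exists(tempfile.mktemp())


def exclusive_create_refuses_existing(path: str) -> bool:
    """True if an O_EXCL create rejects a path that is already present."""
    try:
        os.close(os.open(path, os.O_CREAT | os.O_EXCL | os.O_WRONLY, 0o600))
    except FileExistsError:
        return True
    return False


def owner_only(path: str) -> bool:
    """True if group and other have no permission bits on the file (POSIX)."""
    return stat.S_IMODE(os.stat(path).st_mode) & 0o077 == 0
```

When the temporary file should disappear automatically, tempfile.NamedTemporaryFile or tempfile.TemporaryDirectory give the same atomic creation with cleanup on close.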