Platform: python
Component: transformers
Fixed in: 5.0.0rc3
CVE-2026-1839 is a Remote Code Execution (RCE) vulnerability discovered in the Hugging Face Transformers library. It arises from an insecure use of `torch.load()` within the `_load_rng_state()` method, allowing an attacker to potentially execute arbitrary code on a system. The vulnerability affects versions of Transformers up to and including 5.0.0rc2 when used with PyTorch versions below 2.6. A patch is available in version 5.0.0rc3.
CVE-2026-1839 in the Hugging Face Transformers library is a critical vulnerability allowing arbitrary code execution. The root cause lies in the `_load_rng_state()` method (line 3059 of src/transformers/trainer.py), which calls `torch.load()` without the `weights_only=True` parameter. This omission, combined with the use of PyTorch versions below 2.6 and torch>=2.2, enables an attacker to inject malicious code through compromised random number generator (RNG) state files. The inadequate protection offered by the `safe_globals()` context manager in older PyTorch versions exacerbates the risk. The potential impact includes system takeover, data theft, and unauthorized command execution, particularly in model deployment environments.
An attacker could exploit this vulnerability by crafting a malicious RNG state file containing executable Python code. Loading this file through the `_load_rng_state()` function in the Transformers Trainer class would result in the malicious code executing within the context of the model training process. This could occur if a malicious user can upload an RNG state file to a server that uses Transformers, or if an attacker compromises a development environment where models are being trained. The vulnerability is particularly concerning in machine learning environments where models are trained with data from external sources.
Exploit Status
EPSS: 0.02% (6% percentile)
The recommended solution is to upgrade the Hugging Face Transformers library to version 5.0.0rc3 or higher. This version includes a fix that passes the `weights_only=True` parameter to `torch.load()`, effectively mitigating the vulnerability. Upgrading to the latest stable PyTorch version (2.6 or higher) is also advised, to benefit from enhanced security features within the `safe_globals()` context manager. If immediate upgrading is not feasible, thoroughly scan RNG state files before loading them, verifying their integrity and origin. Restricting access to RNG state files to prevent unauthorized manipulation is also crucial.
Upgrade the Hugging Face Transformers library to version 5.0.0rc3 or later to mitigate the arbitrary code execution vulnerability. This update fixes the issue by ensuring that `torch.load()` is used safely when loading checkpoints, preventing the execution of malicious code. See the release notes for specific upgrade instructions.
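As an added example (not code from the Transformers project or from this advisory), one way to do the pre-load scanning of RNG state files recommended above is to list the globals a checkpoint's pickle stream would import, without unpickling it, and report any that fall outside an allowlist. The function names and the allowlist contents are assumptions to adjust for your own checkpoints.

```python
import io
import pickletools
import zipfile

# Assumption: globals a benign RNG state checkpoint may reference. Constructed
# for this example; adjust it to what your own checkpoints contain.
ALLOWED_GLOBALS = {
    "collections.OrderedDict", "torch._utils._rebuild_tensor_v2",
    "torch.ByteStorage", "numpy.ndarray", "numpy.dtype", "_codecs.encode",
    "numpy.core.multiarray._reconstruct", "numpy._core.multiarray._reconstruct",
}
STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE"}
MEMO_OPS = {"MEMOIZE", "PUT", "BINPUT", "LONG_BINPUT"}


def pickle_globals(stream: bytes) -> set:
    """List every module.name a pickle stream would import, without unpickling."""
    found, tail = set(), []
    for op, arg, _pos in pickletools.genops(io.BytesIO(stream)):
        if op.name in ("GLOBAL", "INST"):      # arg is "module name"
            found.add(arg.replace(" ", ".", 1))
        elif op.name == "STACK_GLOBAL":        # module and name come off the stack
            pair = tail[-2:]
            direct = len(pair) == 2 and all(isinstance(s, str) for s in pair)
            found.add(".".join(pair) if direct else "<unresolved>")
            tail = []
        elif op.name in STRING_OPS:
            tail.append(arg)
        elif op.name not in MEMO_OPS:
            tail.append(None)                  # other stack activity: fail closed
    return found


def unexpected_globals(blob: bytes) -> set:
    """Globals outside the allowlist in a torch.save() zip archive or bare pickle."""
    if zipfile.is_zipfile(io.BytesIO(blob)):
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            streams = [zf.read(n) for n in zf.namelist() if n.endswith(".pkl")]
    else:
        streams = [blob]
    seen = set()
    for stream in streams:
        seen |= pickle_globals(stream)
    return seen - ALLOWED_GLOBALS
```

A non-empty result means the file should be quarantined rather than handed to `torch.load()`. This is triage for environments that cannot upgrade yet, not a replacement for loading with `weights_only=True`.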
An RNG (Random Number Generator) state file stores the internal state of a random number generator. It's used to reproduce results in machine learning experiments.
The `weights_only=True` parameter instructs `torch.load()` to load only the model weights, and not the associated Python code, preventing arbitrary code execution.
Implement thorough scanning of RNG state files before loading them and restrict access to these files.
The vulnerability affects any model that uses the Trainer class and runs on PyTorch versions below 2.6 and torch>=2.2.
Refer to the Hugging Face security advisory and the PyTorch documentation for further details.