プラットフォーム
python
コンポーネント
transformers
修正版
4.57.1
CVE-2025-14927 is a Remote Code Execution (RCE) vulnerability affecting Hugging Face Transformers versions 4.57.0 through 4.57.0. This flaw allows attackers to execute arbitrary code on systems running the vulnerable software by exploiting a weakness in the checkpoint conversion process. A fix is available in version 4.57.1, and users are strongly advised to upgrade immediately.
The impact of this vulnerability is significant, as it allows an attacker to gain complete control over the affected system. By crafting a malicious checkpoint and tricking a user into converting it, an attacker can execute arbitrary code in the context of the Transformers process. This could lead to data theft, system compromise, and potentially lateral movement within the network. The vulnerability's reliance on user interaction to convert the malicious checkpoint limits the immediate exploitability, but the potential for widespread impact remains high, especially in environments where checkpoint conversion is a common operation.
This vulnerability was publicly disclosed on 2025-12-23. No public proof-of-concept (PoC) code has been released as of this writing, but the RCE nature of the vulnerability suggests a high likelihood of PoC development. The CVSS score of 7.8 (HIGH) indicates a significant risk. It is not currently listed on the CISA KEV catalog, but this could change if exploitation is observed.
Organizations heavily reliant on Hugging Face Transformers for natural language processing tasks, particularly those involved in model training and deployment, are at significant risk. Environments where checkpoint conversion is automated or performed by less experienced users are especially vulnerable. Shared hosting environments where multiple users have access to the Transformers installation are also at increased risk.
• python / transformers:
import subprocess
# Check for the vulnerable version
result = subprocess.run(['pip', 'show', 'transformers'], capture_output=True, text=True)
if 'Version: 4.57.0' in result.stdout:
print('Vulnerable version detected!')• python / transformers: Monitor for unusual process execution after checkpoint conversion using system monitoring tools. • generic web: Monitor access logs for requests related to checkpoint conversion endpoints. Look for unusual user agents or request parameters.
disclosure
エクスプロイト状況
EPSS
0.10% (27% パーセンタイル)
CISA SSVC
CVSS ベクトル
The primary mitigation for CVE-2025-14927 is to upgrade Hugging Face Transformers to version 4.57.1 or later. Until the upgrade can be performed, consider restricting access to checkpoint conversion functionality to trusted users only. Implement input validation and sanitization on any user-supplied data used in the conversion process. While a direct WAF rule is unlikely to be effective, monitoring for unusual process execution patterns after checkpoint conversion could provide early detection. After upgrading, confirm the fix by attempting to convert a known-safe checkpoint and verifying that no unexpected code is executed.
Actualice la biblioteca Hugging Face Transformers a una versión posterior a la 4.57.0. Esto solucionará la vulnerabilidad de inyección de código en la función convert_config. Asegúrese de obtener la versión actualizada desde la fuente oficial de Hugging Face.
脆弱性分析と重要アラートをメールでお届けします。
CVE-2025-14927 is a Remote Code Execution vulnerability in Hugging Face Transformers versions 4.57.0–4.57.0, allowing attackers to execute arbitrary code via malicious checkpoint conversion.
You are affected if you are using Hugging Face Transformers versions 4.57.0 through 4.57.0. Check your installed version using pip show transformers.
Upgrade Hugging Face Transformers to version 4.57.1 or later. Restrict access to checkpoint conversion functionality until the upgrade is complete.
While no active exploitation has been confirmed, the RCE nature of the vulnerability suggests a high likelihood of exploitation. Monitor your systems for suspicious activity.
Refer to the Hugging Face security advisory for detailed information and updates: [https://huggingface.co/docs/security/CVE-2025-14927](https://huggingface.co/docs/security/CVE-2025-14927)
requirements.txt ファイルをアップロードすると、影響の有無を即座にお知らせします。