Plataforma
python
Componente
transformers
Corrigido em
4.57.1
CVE-2025-14928 is a Remote Code Execution (RCE) vulnerability affecting Hugging Face Transformers versions 4.57.0 through 4.57.0. This flaw arises from insufficient validation of user-supplied input within the convert_config function, allowing an attacker to execute arbitrary code. A fix is available in version 4.57.1, requiring users to update their installations to mitigate the risk.
An attacker can exploit this vulnerability by crafting a malicious checkpoint file and enticing a user to convert it using Hugging Face Transformers. Successful exploitation allows the attacker to execute arbitrary code on the affected system with the privileges of the user running the Transformers library. This could lead to complete system compromise, data exfiltration, or installation of malware. The requirement for user interaction (converting the checkpoint) limits the immediate blast radius, but widespread use of Transformers in machine learning pipelines increases the potential for exploitation across numerous environments. This vulnerability shares similarities with other code injection flaws where unchecked user input is used in code execution contexts.
CVE-2025-14928 was published on December 23, 2025. There is no indication of this vulnerability being actively exploited at this time. The EPSS score is pending evaluation. No public proof-of-concept (PoC) code has been released as of the publication date.
Machine learning engineers and data scientists using Hugging Face Transformers in their workflows are at risk. Specifically, those using version 4.57.0 and deploying models in environments where they process user-provided checkpoint files are particularly vulnerable. Shared hosting environments where multiple users can upload and process checkpoints also present a heightened risk.
• python / transformers:
import os
import subprocess
# Check for vulnerable version
result = subprocess.run(['pip', 'show', 'transformers'], capture_output=True, text=True)
if 'Version: 4.57.0' in result.stdout:
print('Vulnerable version detected!')• python / transformers: Monitor for processes executing Transformers with unusual command-line arguments related to checkpoint conversion.
• generic web: Monitor web server access logs for requests to endpoints that trigger the convert_config function with potentially malicious checkpoint files.
disclosure
Status do Exploit
EPSS
0.10% (percentil 27%)
CISA SSVC
Vetor CVSS
The primary mitigation is to upgrade Hugging Face Transformers to version 4.57.1 or later. If upgrading is not immediately feasible, consider implementing input validation on checkpoint files before processing them. Restrict access to the convert_config function and the directories where checkpoints are stored. Employ a Web Application Firewall (WAF) to filter potentially malicious checkpoint files based on known patterns or signatures. Monitor system logs for unusual activity related to checkpoint conversion processes. After upgrading, confirm the fix by attempting to convert a known malicious checkpoint (in a safe, isolated environment) and verifying that the code execution is prevented.
Actualice la biblioteca Hugging Face Transformers a una versión posterior a 4.57.0. Esto solucionará la vulnerabilidad de ejecución remota de código. Asegúrese de obtener la actualización de una fuente confiable.
Análise de vulnerabilidades e alertas críticos diretamente no seu e-mail.
CVE-2025-14928 is a Remote Code Execution vulnerability in Hugging Face Transformers versions 4.57.0–4.57.0. It allows attackers to execute arbitrary code by exploiting a flaw in the checkpoint conversion process.
You are affected if you are using Hugging Face Transformers version 4.57.0. Check your installed version and upgrade if necessary.
Upgrade Hugging Face Transformers to version 4.57.1 or later. Consider input validation and access restrictions as interim measures.
There is currently no evidence of active exploitation of CVE-2025-14928, but it is crucial to apply the patch proactively.
Refer to the Hugging Face security advisory for detailed information and updates: [https://huggingface.co/docs/security/CVE-2025-14928](https://huggingface.co/docs/security/CVE-2025-14928)
Envie seu arquivo de dependências e descubra na hora se esta e outras CVEs te atingem.
Envie seu arquivo requirements.txt e descubra na hora se você está afetado.