CVE-2025-14927
Code Injection in Hugging Face Transformers convert_config Function
Publication date: 2025-12-23
Last updated on: 2025-12-23
Assigner: Zero Day Initiative
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| hugging_face | transformers | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability impact me? :
If exploited, this vulnerability allows an attacker to execute arbitrary code on your system with the privileges of the current user. This can lead to unauthorized access, data theft, system compromise, or disruption of services depending on the permissions of the user running the vulnerable software. [1]
Can you explain this vulnerability to me?
This vulnerability is a remote code execution flaw in the Hugging Face Transformers library, specifically in the convert_config function. It occurs because the function does not properly validate a user-supplied string before executing it as Python code. An attacker can exploit this by tricking a user into converting a malicious checkpoint, which then allows the attacker to run arbitrary code with the same privileges as the current user. [1]
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, avoid converting untrusted or malicious checkpoints using the convert_config function in the Hugging Face Transformers library. Ensure that only trusted sources are used for checkpoint conversion to prevent execution of arbitrary code. Additionally, monitor for updates or patches from Hugging Face that address this vulnerability and apply them promptly. [1]