CVE-2025-14931
Deserialization RCE in Hugging Face smolagents Without Authentication
Publication date: 2025-12-23
Last updated on: 2025-12-23
Assigner: Zero Day Initiative
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| hugging_face | smolagents | 3.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-502 | The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows remote attackers to execute arbitrary code with the privileges of the service account, potentially compromising the confidentiality, integrity, and availability of the affected system. Such a compromise could lead to unauthorized access or disclosure of sensitive data, which may result in non-compliance with standards and regulations like GDPR and HIPAA that require protection of personal and health information. However, specific impacts on compliance are not detailed in the provided resources. [1]
Can you explain this vulnerability to me?
This vulnerability in Hugging Face smolagents involves improper validation when parsing pickle data, which leads to deserialization of untrusted data. This flaw allows remote attackers to execute arbitrary code on affected systems without needing authentication, by exploiting the way the software processes user-supplied data. [1]
How can this vulnerability impact me? :
Exploitation of this vulnerability can allow attackers to execute arbitrary code with the privileges of the service account running smolagents. This can lead to full compromise of the affected system, impacting confidentiality, integrity, and availability of data and services. [1]