Lookup for vulnerable packages by Package URL.

Purl pkg:pypi/transformers@2.4.1
Type pypi
Namespace
Name transformers
Version 2.4.1
Qualifiers
Subpath
Is_vulnerable true
Next_non_vulnerable_version null
Latest_non_vulnerable_version null
Affected_by_vulnerabilities
0
url VCID-6jzg-ptkc-zfge
vulnerability_id VCID-6jzg-ptkc-zfge
summary
Hugging Face Transformers Trax Model Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the handling of model files. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-25012.
references
0
reference_url https://www.zerodayinitiative.com/advisories/ZDI-24-1515/
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
url https://www.zerodayinitiative.com/advisories/ZDI-24-1515/
fixed_packages
0
url pkg:pypi/transformers@4.48.0
purl pkg:pypi/transformers@4.48.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-7chd-q1tt-7fck
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/transformers@4.48.0
aliases CVE-2024-11394, PYSEC-2024-229
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-6jzg-ptkc-zfge
1
url VCID-6wnz-1qbk-x3av
vulnerability_id VCID-6wnz-1qbk-x3av
summary Deserialization of Untrusted Data in GitHub repository huggingface/transformers prior to 4.36.
references
0
reference_url https://github.com/huggingface/transformers
reference_id
reference_type
scores
url https://github.com/huggingface/transformers
1
reference_url https://github.com/huggingface/transformers/commit/1d63b0ec361e7a38f1339385e8a5a855085532ce
reference_id
reference_type
scores
0
value 7.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
url https://github.com/huggingface/transformers/commit/1d63b0ec361e7a38f1339385e8a5a855085532ce
2
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/transformers/PYSEC-2023-301.yaml
reference_id
reference_type
scores
url https://github.com/pypa/advisory-database/tree/main/vulns/transformers/PYSEC-2023-301.yaml
3
reference_url https://huntr.com/bounties/e1a3e548-e53a-48df-b708-9ee62140963c
reference_id
reference_type
scores
0
value 7.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
url https://huntr.com/bounties/e1a3e548-e53a-48df-b708-9ee62140963c
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-7018
reference_id CVE-2023-7018
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2023-7018
5
reference_url https://github.com/advisories/GHSA-v68g-wm8c-6x7j
reference_id GHSA-v68g-wm8c-6x7j
reference_type
scores
url https://github.com/advisories/GHSA-v68g-wm8c-6x7j
fixed_packages
0
url pkg:pypi/transformers@4.36.0
purl pkg:pypi/transformers@4.36.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-6jzg-ptkc-zfge
1
vulnerability VCID-7chd-q1tt-7fck
2
vulnerability VCID-aud4-pr4h-r3er
3
vulnerability VCID-mj4x-79x9-83ax
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/transformers@4.36.0
aliases CVE-2023-7018, GHSA-v68g-wm8c-6x7j, PYSEC-2023-301
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-6wnz-1qbk-x3av
2
url VCID-7chd-q1tt-7fck
vulnerability_id VCID-7chd-q1tt-7fck
summary A vulnerability in the `preprocess_string()` function of the `transformers.testing_utils` module in huggingface/transformers version v4.48.3 allows for a Regular Expression Denial of Service (ReDoS) attack. The regular expression used to process code blocks in docstrings contains nested quantifiers, leading to exponential backtracking when processing input with a large number of newline characters. An attacker can exploit this by providing a specially crafted payload, causing high CPU usage and potential application downtime, effectively resulting in a Denial of Service (DoS) scenario.
references
0
reference_url https://github.com/huggingface/transformers/commit/8cb522b4190bd556ce51be04942720650b1a3e57
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://github.com/huggingface/transformers/commit/8cb522b4190bd556ce51be04942720650b1a3e57
1
reference_url https://huntr.com/bounties/97b780f3-ffca-424f-ad5d-0e1c57a5bde4
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://huntr.com/bounties/97b780f3-ffca-424f-ad5d-0e1c57a5bde4
fixed_packages
0
url pkg:pypi/transformers@4.49.0
purl pkg:pypi/transformers@4.49.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/transformers@4.49.0
aliases CVE-2025-2099, PYSEC-2025-40
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-7chd-q1tt-7fck
3
url VCID-aud4-pr4h-r3er
vulnerability_id VCID-aud4-pr4h-r3er
summary
Hugging Face Transformers MobileViTV2 Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the handling of configuration files. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-24322.
references
0
reference_url https://www.zerodayinitiative.com/advisories/ZDI-24-1513/
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
url https://www.zerodayinitiative.com/advisories/ZDI-24-1513/
fixed_packages
0
url pkg:pypi/transformers@4.48.0
purl pkg:pypi/transformers@4.48.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-7chd-q1tt-7fck
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/transformers@4.48.0
aliases CVE-2024-11392, PYSEC-2024-227
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-aud4-pr4h-r3er
4
url VCID-mj4x-79x9-83ax
vulnerability_id VCID-mj4x-79x9-83ax
summary
Hugging Face Transformers MaskFormer Model Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the parsing of model files. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-25191.
references
0
reference_url https://www.zerodayinitiative.com/advisories/ZDI-24-1514/
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
url https://www.zerodayinitiative.com/advisories/ZDI-24-1514/
fixed_packages
0
url pkg:pypi/transformers@4.48.0
purl pkg:pypi/transformers@4.48.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-7chd-q1tt-7fck
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/transformers@4.48.0
aliases CVE-2024-11393, PYSEC-2024-228
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-mj4x-79x9-83ax
5
url VCID-re51-pz3b-xbc5
vulnerability_id VCID-re51-pz3b-xbc5
summary Deserialization of Untrusted Data in GitHub repository huggingface/transformers prior to 4.36.
references
0
reference_url https://github.com/huggingface/transformers
reference_id
reference_type
scores
url https://github.com/huggingface/transformers
1
reference_url https://github.com/huggingface/transformers/commit/1d63b0ec361e7a38f1339385e8a5a855085532ce
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
url https://github.com/huggingface/transformers/commit/1d63b0ec361e7a38f1339385e8a5a855085532ce
2
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/transformers/PYSEC-2023-300.yaml
reference_id
reference_type
scores
url https://github.com/pypa/advisory-database/tree/main/vulns/transformers/PYSEC-2023-300.yaml
3
reference_url https://huntr.com/bounties/423611ee-7a2a-442a-babb-3ed2f8385c16
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
url https://huntr.com/bounties/423611ee-7a2a-442a-babb-3ed2f8385c16
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-6730
reference_id CVE-2023-6730
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2023-6730
5
reference_url https://github.com/advisories/GHSA-3863-2447-669p
reference_id GHSA-3863-2447-669p
reference_type
scores
url https://github.com/advisories/GHSA-3863-2447-669p
fixed_packages
0
url pkg:pypi/transformers@4.36.0
purl pkg:pypi/transformers@4.36.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-6jzg-ptkc-zfge
1
vulnerability VCID-7chd-q1tt-7fck
2
vulnerability VCID-aud4-pr4h-r3er
3
vulnerability VCID-mj4x-79x9-83ax
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/transformers@4.36.0
aliases CVE-2023-6730, GHSA-3863-2447-669p, PYSEC-2023-300
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-re51-pz3b-xbc5
6
url VCID-smqc-ecxk-eqe6
vulnerability_id VCID-smqc-ecxk-eqe6
summary Insecure Temporary File in GitHub repository huggingface/transformers prior to 4.30.0.
references
0
reference_url https://github.com/huggingface/transformers
reference_id
reference_type
scores
url https://github.com/huggingface/transformers
1
reference_url https://github.com/huggingface/transformers/commit/80ca92470938bbcc348e2d9cf4734c7c25cb1c43
reference_id
reference_type
scores
0
value 4.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
url https://github.com/huggingface/transformers/commit/80ca92470938bbcc348e2d9cf4734c7c25cb1c43
2
reference_url https://github.com/huggingface/transformers/pull/23372
reference_id
reference_type
scores
url https://github.com/huggingface/transformers/pull/23372
3
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/transformers/PYSEC-2023-299.yaml
reference_id
reference_type
scores
url https://github.com/pypa/advisory-database/tree/main/vulns/transformers/PYSEC-2023-299.yaml
4
reference_url https://huntr.dev/bounties/a3867b4e-6701-4418-8c20-3c6e7084a44a
reference_id
reference_type
scores
0
value 4.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
url https://huntr.dev/bounties/a3867b4e-6701-4418-8c20-3c6e7084a44a
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-2800
reference_id CVE-2023-2800
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2023-2800
6
reference_url https://github.com/advisories/GHSA-282v-666c-3fvg
reference_id GHSA-282v-666c-3fvg
reference_type
scores
url https://github.com/advisories/GHSA-282v-666c-3fvg
fixed_packages
0
url pkg:pypi/transformers@4.30.0
purl pkg:pypi/transformers@4.30.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-6jzg-ptkc-zfge
1
vulnerability VCID-6wnz-1qbk-x3av
2
vulnerability VCID-7chd-q1tt-7fck
3
vulnerability VCID-aud4-pr4h-r3er
4
vulnerability VCID-mj4x-79x9-83ax
5
vulnerability VCID-re51-pz3b-xbc5
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/transformers@4.30.0
aliases CVE-2023-2800, GHSA-282v-666c-3fvg, PYSEC-2023-299
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-smqc-ecxk-eqe6
Fixing_vulnerabilities
Risk_score null
Resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/transformers@2.4.1