Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/38379?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/38379?format=api", "purl": "pkg:pypi/transformers@4.30.2", "type": "pypi", "namespace": "", "name": "transformers", "version": "4.30.2", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "4.50.0", "latest_non_vulnerable_version": "5.0.0rc3", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36942?format=api", "vulnerability_id": "VCID-6jzg-ptkc-zfge", "summary": "Hugging Face Transformers Trax Model Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the handling of model files. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-25012.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-11394.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-11394.json" }, { "reference_url": "https://github.com/huggingface/transformers", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/huggingface/transformers" }, { "reference_url": "https://github.com/huggingface/transformers/issues/34840", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/huggingface/transformers/issues/34840" }, { "reference_url": "https://github.com/huggingface/transformers/pull/35296", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/huggingface/transformers/pull/35296" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/transformers/PYSEC-2024-229.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/transformers/PYSEC-2024-229.yaml" }, { "reference_url": "https://www.zerodayinitiative.com/advisories/ZDI-24-1515", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.zerodayinitiative.com/advisories/ZDI-24-1515" }, { "reference_url": "https://www.zerodayinitiative.com/advisories/ZDI-24-1515/", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" } ], "url": "https://www.zerodayinitiative.com/advisories/ZDI-24-1515/" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2328333", "reference_id": "2328333", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2328333" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-11394", "reference_id": "CVE-2024-11394", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-11394" }, { "reference_url": "https://github.com/advisories/GHSA-hxxf-235m-72v3", "reference_id": "GHSA-hxxf-235m-72v3", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-hxxf-235m-72v3" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/43961?format=api", "purl": "pkg:pypi/transformers@4.48.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-7chd-q1tt-7fck" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/transformers@4.48.0" } ], "aliases": [ "CVE-2024-11394", "GHSA-hxxf-235m-72v3", "PYSEC-2024-229" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-6jzg-ptkc-zfge" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36649?format=api", "vulnerability_id": "VCID-6wnz-1qbk-x3av", "summary": "Deserialization of Untrusted Data in GitHub repository huggingface/transformers prior to 4.36.", "references": [ { "reference_url": "https://github.com/huggingface/transformers", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/huggingface/transformers" }, { "reference_url": "https://github.com/huggingface/transformers/commit/1d63b0ec361e7a38f1339385e8a5a855085532ce", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/huggingface/transformers/commit/1d63b0ec361e7a38f1339385e8a5a855085532ce" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/transformers/PYSEC-2023-301.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/transformers/PYSEC-2023-301.yaml" }, { "reference_url": "https://huntr.com/bounties/e1a3e548-e53a-48df-b708-9ee62140963c", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://huntr.com/bounties/e1a3e548-e53a-48df-b708-9ee62140963c" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-7018", "reference_id": "CVE-2023-7018", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-7018" }, { "reference_url": "https://github.com/advisories/GHSA-v68g-wm8c-6x7j", "reference_id": "GHSA-v68g-wm8c-6x7j", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-v68g-wm8c-6x7j" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/38392?format=api", "purl": "pkg:pypi/transformers@4.36.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-6jzg-ptkc-zfge" }, { "vulnerability": "VCID-7chd-q1tt-7fck" }, { "vulnerability": "VCID-aud4-pr4h-r3er" }, { "vulnerability": "VCID-mj4x-79x9-83ax" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/transformers@4.36.0" } ], "aliases": [ "CVE-2023-7018", "GHSA-v68g-wm8c-6x7j", "PYSEC-2023-301" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-6wnz-1qbk-x3av" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/37062?format=api", "vulnerability_id": "VCID-7chd-q1tt-7fck", "summary": "A vulnerability in the `preprocess_string()` function of the `transformers.testing_utils` module in huggingface/transformers version v4.48.3 allows for a Regular Expression Denial of Service (ReDoS) attack. The regular expression used to process code blocks in docstrings contains nested quantifiers, leading to exponential backtracking when processing input with a large number of newline characters. An attacker can exploit this by providing a specially crafted payload, causing high CPU usage and potential application downtime, effectively resulting in a Denial of Service (DoS) scenario.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-2099.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-2099.json" }, { "reference_url": "https://github.com/huggingface/transformers", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/huggingface/transformers" }, { "reference_url": "https://github.com/huggingface/transformers/commit/8cb522b4190bd556ce51be04942720650b1a3e57", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/huggingface/transformers/commit/8cb522b4190bd556ce51be04942720650b1a3e57" }, { "reference_url": "https://github.com/huggingface/transformers/pull/36648", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/huggingface/transformers/pull/36648" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/transformers/PYSEC-2025-40.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/transformers/PYSEC-2025-40.yaml" }, { "reference_url": "https://huntr.com/bounties/97b780f3-ffca-424f-ad5d-0e1c57a5bde4", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://huntr.com/bounties/97b780f3-ffca-424f-ad5d-0e1c57a5bde4" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2367239", "reference_id": "2367239", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2367239" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-2099", "reference_id": "CVE-2025-2099", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-2099" }, { "reference_url": "https://github.com/advisories/GHSA-qq3j-4f4f-9583", "reference_id": "GHSA-qq3j-4f4f-9583", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-qq3j-4f4f-9583" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:12791", "reference_id": "RHSA-2025:12791", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:12791" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/45247?format=api", "purl": "pkg:pypi/transformers@4.49.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-msje-w8r1-wkh8" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/transformers@4.49.0" }, { "url": "http://public2.vulnerablecode.io/api/packages/84976?format=api", "purl": "pkg:pypi/transformers@4.50.0", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/transformers@4.50.0" } ], "aliases": [ "CVE-2025-2099", "GHSA-qq3j-4f4f-9583", "PYSEC-2025-40" ], "risk_score": 3.4, "exploitability": "0.5", "weighted_severity": "6.8", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-7chd-q1tt-7fck" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36940?format=api", "vulnerability_id": "VCID-aud4-pr4h-r3er", "summary": "Hugging Face Transformers MobileViTV2 Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the handling of configuration files. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-24322.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-11392.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-11392.json" }, { "reference_url": "https://github.com/huggingface/transformers", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/huggingface/transformers" }, { "reference_url": "https://github.com/huggingface/transformers/issues/34840", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/huggingface/transformers/issues/34840" }, { "reference_url": "https://github.com/huggingface/transformers/pull/35296", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/huggingface/transformers/pull/35296" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/transformers/PYSEC-2024-227.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/transformers/PYSEC-2024-227.yaml" }, { "reference_url": "https://www.zerodayinitiative.com/advisories/ZDI-24-1513", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.zerodayinitiative.com/advisories/ZDI-24-1513" }, { "reference_url": "https://www.zerodayinitiative.com/advisories/ZDI-24-1513/", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" } ], "url": "https://www.zerodayinitiative.com/advisories/ZDI-24-1513/" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2328351", "reference_id": "2328351", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2328351" }, { "reference_url": "https://drive.google.com/file/d/14bnNaCRmFOQvPHUR9zQwdbjMmzKE2pZl/view?usp=drive_link", "reference_id": "CVE-2024-11392", "reference_type": "exploit", "scores": [], "url": "https://drive.google.com/file/d/14bnNaCRmFOQvPHUR9zQwdbjMmzKE2pZl/view?usp=drive_link" }, { "reference_url": "https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/python/remote/52227.txt", "reference_id": "CVE-2024-11392", "reference_type": "exploit", "scores": [], "url": "https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/python/remote/52227.txt" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-11392", "reference_id": "CVE-2024-11392", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-11392" }, { "reference_url": "https://github.com/advisories/GHSA-qxrp-vhvm-j765", "reference_id": "GHSA-qxrp-vhvm-j765", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-qxrp-vhvm-j765" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/43961?format=api", "purl": "pkg:pypi/transformers@4.48.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-7chd-q1tt-7fck" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/transformers@4.48.0" } ], "aliases": [ "CVE-2024-11392", "GHSA-qxrp-vhvm-j765", "PYSEC-2024-227" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-aud4-pr4h-r3er" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36941?format=api", "vulnerability_id": "VCID-mj4x-79x9-83ax", "summary": "Hugging Face Transformers MaskFormer Model Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the parsing of model files. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-25191.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-11393.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-11393.json" }, { "reference_url": "https://github.com/huggingface/transformers", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/huggingface/transformers" }, { "reference_url": "https://github.com/huggingface/transformers/issues/34840", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/huggingface/transformers/issues/34840" }, { "reference_url": "https://github.com/huggingface/transformers/pull/35296", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/huggingface/transformers/pull/35296" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/transformers/PYSEC-2024-228.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/transformers/PYSEC-2024-228.yaml" }, { "reference_url": "https://www.zerodayinitiative.com/advisories/ZDI-24-1514", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.zerodayinitiative.com/advisories/ZDI-24-1514" }, { "reference_url": "https://www.zerodayinitiative.com/advisories/ZDI-24-1514/", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" } ], "url": "https://www.zerodayinitiative.com/advisories/ZDI-24-1514/" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2328394", "reference_id": "2328394", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2328394" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-11393", "reference_id": "CVE-2024-11393", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-11393" }, { "reference_url": "https://github.com/advisories/GHSA-wrfc-pvp9-mr9g", "reference_id": "GHSA-wrfc-pvp9-mr9g", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-wrfc-pvp9-mr9g" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/43961?format=api", "purl": "pkg:pypi/transformers@4.48.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-7chd-q1tt-7fck" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/transformers@4.48.0" } ], "aliases": [ "CVE-2024-11393", "GHSA-wrfc-pvp9-mr9g", "PYSEC-2024-228" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-mj4x-79x9-83ax" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36648?format=api", "vulnerability_id": "VCID-re51-pz3b-xbc5", "summary": "Deserialization of Untrusted Data in GitHub repository huggingface/transformers prior to 4.36.", "references": [ { "reference_url": "https://github.com/huggingface/transformers", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/huggingface/transformers" }, { "reference_url": "https://github.com/huggingface/transformers/commit/1d63b0ec361e7a38f1339385e8a5a855085532ce", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "9.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/huggingface/transformers/commit/1d63b0ec361e7a38f1339385e8a5a855085532ce" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/transformers/PYSEC-2023-300.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/transformers/PYSEC-2023-300.yaml" }, { "reference_url": "https://huntr.com/bounties/423611ee-7a2a-442a-babb-3ed2f8385c16", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "9.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://huntr.com/bounties/423611ee-7a2a-442a-babb-3ed2f8385c16" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6730", "reference_id": "CVE-2023-6730", "reference_type": "", "scores": [ { "value": "9.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6730" }, { "reference_url": "https://github.com/advisories/GHSA-3863-2447-669p", "reference_id": "GHSA-3863-2447-669p", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-3863-2447-669p" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/38392?format=api", "purl": "pkg:pypi/transformers@4.36.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-6jzg-ptkc-zfge" }, { "vulnerability": "VCID-7chd-q1tt-7fck" }, { "vulnerability": "VCID-aud4-pr4h-r3er" }, { "vulnerability": "VCID-mj4x-79x9-83ax" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/transformers@4.36.0" } ], "aliases": [ "CVE-2023-6730", "GHSA-3863-2447-669p", "PYSEC-2023-300" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-re51-pz3b-xbc5" } ], "fixing_vulnerabilities": [], "risk_score": "4.5", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/transformers@4.30.2" }