Package Instance
Look up a package, and the vulnerabilities that affect it, by Package URL (purl).
GET /api/packages/76005?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/76005?format=api", "purl": "pkg:pypi/transformers@2.9.0", "type": "pypi", "namespace": "", "name": "transformers", "version": "2.9.0", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "5.0.0rc3", "latest_non_vulnerable_version": "5.0.0rc3", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/151215?format=api", "vulnerability_id": "VCID-2kd5-2rcv-97bd", "summary": "Insecure Temporary File in GitHub repository huggingface/transformers prior to 4.30.0.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-2800", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00028", "scoring_system": "epss", "scoring_elements": "0.08656", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00028", "scoring_system": "epss", "scoring_elements": "0.08662", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00028", "scoring_system": "epss", "scoring_elements": "0.08616", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-2800" }, { "reference_url": "https://github.com/advisories/GHSA-282v-666c-3fvg", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-282v-666c-3fvg" }, { "reference_url": "https://github.com/huggingface/transformers", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/huggingface/transformers" }, { "reference_url": 
"https://github.com/huggingface/transformers/pull/23372", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/huggingface/transformers/pull/23372" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/transformers/PYSEC-2023-299.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/transformers/PYSEC-2023-299.yaml" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2800", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2800" }, { "reference_url": "https://github.com/huggingface/transformers/commit/80ca92470938bbcc348e2d9cf4734c7c25cb1c43", "reference_id": "80ca92470938bbcc348e2d9cf4734c7c25cb1c43", "reference_type": "", "scores": [ { "value": "4.7", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "4.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-21T20:08:31Z/" } ], "url": 
"https://github.com/huggingface/transformers/commit/80ca92470938bbcc348e2d9cf4734c7c25cb1c43" }, { "reference_url": "https://huntr.dev/bounties/a3867b4e-6701-4418-8c20-3c6e7084a44a", "reference_id": "a3867b4e-6701-4418-8c20-3c6e7084a44a", "reference_type": "", "scores": [ { "value": "4.7", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "4.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-21T20:08:31Z/" } ], "url": "https://huntr.dev/bounties/a3867b4e-6701-4418-8c20-3c6e7084a44a" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/76100?format=api", "purl": "pkg:pypi/transformers@4.30.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-35kz-esn2-1yf5" }, { "vulnerability": "VCID-9766-62zk-zqcq" }, { "vulnerability": "VCID-bp68-v13h-qufq" }, { "vulnerability": "VCID-c1ab-fktw-jud2" }, { "vulnerability": "VCID-c4mh-fkqh-1qe1" }, { "vulnerability": "VCID-dnej-1umy-qfh4" }, { "vulnerability": "VCID-k7sr-ay64-syg9" }, { "vulnerability": "VCID-mu2w-a71e-4bbd" }, { "vulnerability": "VCID-pvb2-bzaz-w3bv" }, { "vulnerability": "VCID-sfgy-7173-eyby" }, { "vulnerability": "VCID-tzcs-6fp1-8yes" }, { "vulnerability": "VCID-v4bk-nagm-8bcs" }, { "vulnerability": "VCID-v72p-1gy4-syck" }, { "vulnerability": "VCID-wkqx-hf5c-8kae" }, { "vulnerability": "VCID-wqd9-k9zz-1ycz" }, { "vulnerability": "VCID-x9b5-phfp-67ac" }, { "vulnerability": "VCID-ydcb-5t2c-1fen" }, { "vulnerability": "VCID-ydge-4zba-3khn" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/transformers@4.30.0" } ], "aliases": [ "CVE-2023-2800", "GHSA-282v-666c-3fvg", "PYSEC-2023-299" ], "risk_score": 3.1, "exploitability": "0.5", 
"weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-2kd5-2rcv-97bd" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/110892?format=api", "vulnerability_id": "VCID-35kz-esn2-1yf5", "summary": "A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically within the `normalize_numbers()` method of the `EnglishNormalizer` class. This vulnerability affects versions up to 4.52.4 and is fixed in version 4.53.0. The issue arises from the method's handling of numeric strings, which can be exploited using crafted input strings containing long sequences of digits, leading to excessive CPU consumption. This vulnerability impacts text-to-speech and number normalization tasks, potentially causing service disruption and resource exhaustion in any API or pipeline that passes untrusted text through the normalizer.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-6051.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-6051.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-6051", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00034", "scoring_system": "epss", "scoring_elements": "0.10406", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00034", "scoring_system": "epss", "scoring_elements": "0.10402", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00034", "scoring_system": "epss", "scoring_elements": "0.10351", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-6051" }, { "reference_url": "https://github.com/huggingface/transformers", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", 
"scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/huggingface/transformers" }, { "reference_url": "https://github.com/huggingface/transformers/commit/54a02160eb030da9be18231c77791f2eb3a52216", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/huggingface/transformers/commit/54a02160eb030da9be18231c77791f2eb3a52216" }, { "reference_url": "https://github.com/huggingface/transformers/pull/38844", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/huggingface/transformers/pull/38844" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-6051", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-6051" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2395072", "reference_id": "2395072", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2395072" }, { "reference_url": "https://huntr.com/bounties/af929523-7b59-418a-bf55-301830b2ac9d", "reference_id": "af929523-7b59-418a-bf55-301830b2ac9d", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "5.3", 
"scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-15T15:59:46Z/" } ], "url": "https://huntr.com/bounties/af929523-7b59-418a-bf55-301830b2ac9d" }, { "reference_url": "https://github.com/huggingface/transformers/commit/ba8eaba9865618253f997784aa565b96206426f0", "reference_id": "ba8eaba9865618253f997784aa565b96206426f0", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-15T15:59:46Z/" } ], "url": "https://github.com/huggingface/transformers/commit/ba8eaba9865618253f997784aa565b96206426f0" }, { "reference_url": "https://github.com/advisories/GHSA-rcv9-qm8p-9p6j", "reference_id": "GHSA-rcv9-qm8p-9p6j", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-rcv9-qm8p-9p6j" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/376569?format=api", "purl": "pkg:pypi/transformers@4.53.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-wkqx-hf5c-8kae" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/transformers@4.53.0" } ], "aliases": [ "CVE-2025-6051", "GHSA-rcv9-qm8p-9p6j" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-35kz-esn2-1yf5" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/111230?format=api", 
"vulnerability_id": "VCID-9766-62zk-zqcq", "summary": "The huggingface/transformers library, versions prior to 4.53.0, is vulnerable to Regular Expression Denial of Service (ReDoS) in the AdamWeightDecay optimizer. The vulnerability arises from the _do_use_weight_decay method, which processes user-controlled regular expressions in the include_in_weight_decay and exclude_from_weight_decay lists. Malicious regular expressions can cause catastrophic backtracking during the re.search call, leading to 100% CPU utilization and a denial of service. This issue can be exploited by attackers who can control the patterns in these lists, potentially causing the machine learning task to hang and rendering services unresponsive.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-6921.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-6921.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-6921", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00038", "scoring_system": "epss", "scoring_elements": "0.11878", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00038", "scoring_system": "epss", "scoring_elements": "0.11795", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-6921" }, { "reference_url": "https://github.com/huggingface/transformers", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/huggingface/transformers" }, { "reference_url": 
"https://github.com/huggingface/transformers/commit/d37f7517972f67e3f2194c000ed0f87f064e5099", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/huggingface/transformers/commit/d37f7517972f67e3f2194c000ed0f87f064e5099" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-6921", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-6921" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2397617", "reference_id": "2397617", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2397617" }, { "reference_url": "https://huntr.com/bounties/287d15a7-6e7c-45d2-8c05-11e305776f1f", "reference_id": "287d15a7-6e7c-45d2-8c05-11e305776f1f", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-09-23T14:56:14Z/" } ], "url": "https://huntr.com/bounties/287d15a7-6e7c-45d2-8c05-11e305776f1f" }, { "reference_url": "https://github.com/huggingface/transformers/commit/47c34fba5c303576560cb29767efb452ff12b8be", "reference_id": "47c34fba5c303576560cb29767efb452ff12b8be", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": 
"cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-09-23T14:56:14Z/" } ], "url": "https://github.com/huggingface/transformers/commit/47c34fba5c303576560cb29767efb452ff12b8be" }, { "reference_url": "https://github.com/advisories/GHSA-4w7r-h757-3r74", "reference_id": "GHSA-4w7r-h757-3r74", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-4w7r-h757-3r74" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/376569?format=api", "purl": "pkg:pypi/transformers@4.53.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-wkqx-hf5c-8kae" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/transformers@4.53.0" } ], "aliases": [ "CVE-2025-6921", "GHSA-4w7r-h757-3r74" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-9766-62zk-zqcq" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/64815?format=api", "vulnerability_id": "VCID-bp68-v13h-qufq", "summary": "The huggingface/transformers library is vulnerable to arbitrary code execution through deserialization of untrusted data within the `load_repo_checkpoint()` function of the `TFPreTrainedModel()` class. Attackers can execute arbitrary code and commands by crafting a malicious serialized payload, exploiting the use of `pickle.load()` on data from potentially untrusted sources. 
This vulnerability allows for remote code execution (RCE) by deceiving victims into loading a seemingly harmless checkpoint during a normal training process, thereby enabling attackers to execute arbitrary code on the targeted machine. Note that the CVSS 3.x vectors recorded in the references below (AC:H, UI:R, C:N/I:N/A:L) do not reflect the code-execution impact described here; a checkpoint fed to `pickle.load()` from an untrusted source should be treated as untrusted code regardless of the numeric score.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-3568", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.24427", "scoring_system": "epss", "scoring_elements": "0.96241", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.24427", "scoring_system": "epss", "scoring_elements": "0.96244", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.24427", "scoring_system": "epss", "scoring_elements": "0.9623", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-3568" }, { "reference_url": "https://github.com/huggingface/transformers", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:N/A:L" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/huggingface/transformers" }, { "reference_url": "https://github.com/huggingface/transformers/commit/693667b8ac8138b83f8adb6522ddaf42fa07c125", "reference_id": "693667b8ac8138b83f8adb6522ddaf42fa07c125", "reference_type": "", "scores": [ { "value": "3.4", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:N/A:L" }, { "value": "3.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:N/A:L" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-05-14T17:57:26Z/" } ], "url": "https://github.com/huggingface/transformers/commit/693667b8ac8138b83f8adb6522ddaf42fa07c125" }, { "reference_url": 
"https://huntr.com/bounties/b3c36992-5264-4d7f-9906-a996efafba8f", "reference_id": "b3c36992-5264-4d7f-9906-a996efafba8f", "reference_type": "", "scores": [ { "value": "3.4", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:N/A:L" }, { "value": "3.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:N/A:L" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-05-14T17:57:26Z/" } ], "url": "https://huntr.com/bounties/b3c36992-5264-4d7f-9906-a996efafba8f" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3568", "reference_id": "CVE-2024-3568", "reference_type": "", "scores": [ { "value": "3.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:N/A:L" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3568" }, { "reference_url": "https://github.com/advisories/GHSA-37q5-v5qm-c9v8", "reference_id": "GHSA-37q5-v5qm-c9v8", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-37q5-v5qm-c9v8" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/30314?format=api", "purl": "pkg:pypi/transformers@4.38.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-35kz-esn2-1yf5" }, { "vulnerability": "VCID-9766-62zk-zqcq" }, { "vulnerability": "VCID-c1ab-fktw-jud2" }, { "vulnerability": "VCID-c4mh-fkqh-1qe1" }, { "vulnerability": "VCID-dnej-1umy-qfh4" }, { "vulnerability": "VCID-k7sr-ay64-syg9" }, { "vulnerability": "VCID-mu2w-a71e-4bbd" }, { "vulnerability": "VCID-pvb2-bzaz-w3bv" }, { "vulnerability": "VCID-sfgy-7173-eyby" }, { "vulnerability": "VCID-tzcs-6fp1-8yes" }, { 
"vulnerability": "VCID-v4bk-nagm-8bcs" }, { "vulnerability": "VCID-wkqx-hf5c-8kae" }, { "vulnerability": "VCID-wqd9-k9zz-1ycz" }, { "vulnerability": "VCID-ydcb-5t2c-1fen" }, { "vulnerability": "VCID-ydge-4zba-3khn" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/transformers@4.38.0" } ], "aliases": [ "CVE-2024-3568", "GHSA-37q5-v5qm-c9v8" ], "risk_score": 1.6, "exploitability": "0.5", "weighted_severity": "3.1", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-bp68-v13h-qufq" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/115988?format=api", "vulnerability_id": "VCID-c1ab-fktw-jud2", "summary": "A Regular Expression Denial of Service (ReDoS) vulnerability was identified in the huggingface/transformers library, specifically in the file `tokenization_gpt_neox_japanese.py` of the GPT-NeoX-Japanese model. The vulnerability occurs in the SubWordJapaneseTokenizer class, where regular expressions process specially crafted inputs. The issue stems from a regex exhibiting exponential complexity under certain conditions, leading to excessive backtracking. This can result in high CPU usage and potential application downtime, effectively creating a Denial of Service (DoS) scenario. 
The affected version is v4.48.1 (the latest release at the time of the report); the first fixed version recorded in fixed_packages below is 4.50.0.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-1194", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00032", "scoring_system": "epss", "scoring_elements": "0.09691", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00032", "scoring_system": "epss", "scoring_elements": "0.09642", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-1194" }, { "reference_url": "https://github.com/huggingface/transformers", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/huggingface/transformers" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1194", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1194" }, { "reference_url": "https://huntr.com/bounties/86f58dcd-683f-4adc-a735-849f51e9abb2", "reference_id": "86f58dcd-683f-4adc-a735-849f51e9abb2", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L" }, { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-29T13:21:09Z/" } ], "url": "https://huntr.com/bounties/86f58dcd-683f-4adc-a735-849f51e9abb2" }, { "reference_url": 
"https://github.com/huggingface/transformers/commit/92c5ca9dd70de3ade2af2eb835c96215cc50e815", "reference_id": "92c5ca9dd70de3ade2af2eb835c96215cc50e815", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L" }, { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-29T13:21:09Z/" } ], "url": "https://github.com/huggingface/transformers/commit/92c5ca9dd70de3ade2af2eb835c96215cc50e815" }, { "reference_url": "https://github.com/advisories/GHSA-fpwr-67px-3qhx", "reference_id": "GHSA-fpwr-67px-3qhx", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-fpwr-67px-3qhx" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/376298?format=api", "purl": "pkg:pypi/transformers@4.50.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-35kz-esn2-1yf5" }, { "vulnerability": "VCID-9766-62zk-zqcq" }, { "vulnerability": "VCID-c4mh-fkqh-1qe1" }, { "vulnerability": "VCID-dnej-1umy-qfh4" }, { "vulnerability": "VCID-fja1-xm9v-uufp" }, { "vulnerability": "VCID-pvb2-bzaz-w3bv" }, { "vulnerability": "VCID-sfgy-7173-eyby" }, { "vulnerability": "VCID-v4bk-nagm-8bcs" }, { "vulnerability": "VCID-wkqx-hf5c-8kae" }, { "vulnerability": "VCID-ydcb-5t2c-1fen" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/transformers@4.50.0" } ], "aliases": [ "CVE-2025-1194", "GHSA-fpwr-67px-3qhx" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-c1ab-fktw-jud2" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/127682?format=api", 
"vulnerability_id": "VCID-c4mh-fkqh-1qe1", "summary": "A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically in the `get_imports()` function within `dynamic_module_utils.py`. This vulnerability affects version 4.49.0 and is fixed in version 4.51.0. The issue arises from a regular expression pattern `\\s*try\\s*:.*?except.*?:` used to filter out try/except blocks from Python code; the pattern exhibits catastrophic backtracking on crafted input strings, so the source of a dynamically loaded module can be crafted to drive CPU consumption to excessive levels. This vulnerability can lead to remote code loading disruption, resource exhaustion in model serving, supply chain attack vectors, and development pipeline disruption.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-3264.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-3264.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-3264", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00096", "scoring_system": "epss", "scoring_elements": "0.26745", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00096", "scoring_system": "epss", "scoring_elements": "0.26731", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00096", "scoring_system": "epss", "scoring_elements": "0.2653", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-3264" }, { "reference_url": "https://github.com/huggingface/transformers", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" 
} ], "url": "https://github.com/huggingface/transformers" }, { "reference_url": "https://github.com/huggingface/transformers/commit/126abe3461762e5fc180e7e614391d1b4ab051ca", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/huggingface/transformers/commit/126abe3461762e5fc180e7e614391d1b4ab051ca" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-3264", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-3264" }, { "reference_url": "https://github.com/huggingface/transformers/commit/0720e206c6ba28887e4d60ef60a6a089f6c1cc76", "reference_id": "0720e206c6ba28887e4d60ef60a6a089f6c1cc76", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-07-07T14:37:34Z/" } ], "url": "https://github.com/huggingface/transformers/commit/0720e206c6ba28887e4d60ef60a6a089f6c1cc76" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2376768", "reference_id": "2376768", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2376768" }, { "reference_url": "https://huntr.com/bounties/3c6f7822-9992-476d-8cf0-b0b1623427df", "reference_id": 
"3c6f7822-9992-476d-8cf0-b0b1623427df", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-07-07T14:37:34Z/" } ], "url": "https://huntr.com/bounties/3c6f7822-9992-476d-8cf0-b0b1623427df" }, { "reference_url": "https://github.com/advisories/GHSA-jjph-296x-mrcr", "reference_id": "GHSA-jjph-296x-mrcr", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-jjph-296x-mrcr" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/378283?format=api", "purl": "pkg:pypi/transformers@4.51.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-35kz-esn2-1yf5" }, { "vulnerability": "VCID-9766-62zk-zqcq" }, { "vulnerability": "VCID-pvb2-bzaz-w3bv" }, { "vulnerability": "VCID-sfgy-7173-eyby" }, { "vulnerability": "VCID-v4bk-nagm-8bcs" }, { "vulnerability": "VCID-wkqx-hf5c-8kae" }, { "vulnerability": "VCID-ydcb-5t2c-1fen" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/transformers@4.51.0" } ], "aliases": [ "CVE-2025-3264", "GHSA-jjph-296x-mrcr" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-c4mh-fkqh-1qe1" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/127079?format=api", "vulnerability_id": "VCID-dnej-1umy-qfh4", "summary": "A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically in the `get_configuration_file()` function within the `transformers.configuration_utils` module. 
The affected version is 4.49.0, and the issue is resolved in version 4.51.0. The vulnerability arises from the use of a regular expression pattern `config\\.(.*)\\.json` that can be exploited to cause excessive CPU consumption through crafted input strings, leading to catastrophic backtracking. This can result in model serving disruption, resource exhaustion, and increased latency in applications using the library.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-3263.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-3263.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-3263", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00096", "scoring_system": "epss", "scoring_elements": "0.2653", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00096", "scoring_system": "epss", "scoring_elements": "0.26745", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00096", "scoring_system": "epss", "scoring_elements": "0.26731", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-3263" }, { "reference_url": "https://github.com/huggingface/transformers", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/huggingface/transformers" }, { "reference_url": "https://github.com/huggingface/transformers/commit/126abe3461762e5fc180e7e614391d1b4ab051ca", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": 
"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/huggingface/transformers/commit/126abe3461762e5fc180e7e614391d1b4ab051ca" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-3263", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-3263" }, { "reference_url": "https://github.com/huggingface/transformers/commit/0720e206c6ba28887e4d60ef60a6a089f6c1cc76", "reference_id": "0720e206c6ba28887e4d60ef60a6a089f6c1cc76", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-07-07T14:49:04Z/" } ], "url": "https://github.com/huggingface/transformers/commit/0720e206c6ba28887e4d60ef60a6a089f6c1cc76" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2376773", "reference_id": "2376773", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2376773" }, { "reference_url": "https://huntr.com/bounties/c7a69150-54f8-4e81-8094-791e7a2a0f29", "reference_id": "c7a69150-54f8-4e81-8094-791e7a2a0f29", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" 
}, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-07-07T14:49:04Z/" } ], "url": "https://huntr.com/bounties/c7a69150-54f8-4e81-8094-791e7a2a0f29" }, { "reference_url": "https://github.com/advisories/GHSA-q2wp-rjmx-x6x9", "reference_id": "GHSA-q2wp-rjmx-x6x9", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-q2wp-rjmx-x6x9" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/378283?format=api", "purl": "pkg:pypi/transformers@4.51.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-35kz-esn2-1yf5" }, { "vulnerability": "VCID-9766-62zk-zqcq" }, { "vulnerability": "VCID-pvb2-bzaz-w3bv" }, { "vulnerability": "VCID-sfgy-7173-eyby" }, { "vulnerability": "VCID-v4bk-nagm-8bcs" }, { "vulnerability": "VCID-wkqx-hf5c-8kae" }, { "vulnerability": "VCID-ydcb-5t2c-1fen" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/transformers@4.51.0" } ], "aliases": [ "CVE-2025-3263", "GHSA-q2wp-rjmx-x6x9" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-dnej-1umy-qfh4" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/60123?format=api", "vulnerability_id": "VCID-k7sr-ay64-syg9", "summary": "Hugging Face Transformers MobileViTV2 Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the handling of configuration files. 
The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-24322.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-11392.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-11392.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-11392", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.5929", "scoring_system": "epss", "scoring_elements": "0.98277", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.5929", "scoring_system": "epss", "scoring_elements": "0.98284", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.5929", "scoring_system": "epss", "scoring_elements": "0.98283", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-11392" }, { "reference_url": "https://github.com/advisories/GHSA-qxrp-vhvm-j765", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" } ], "url": "https://github.com/advisories/GHSA-qxrp-vhvm-j765" }, { "reference_url": "https://github.com/huggingface/transformers", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/huggingface/transformers" }, { "reference_url": "https://github.com/huggingface/transformers/issues/34840", "reference_id": "", "reference_type": "", "scores": [ { 
"value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/huggingface/transformers/issues/34840" }, { "reference_url": "https://github.com/huggingface/transformers/pull/35296", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/huggingface/transformers/pull/35296" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/transformers/PYSEC-2024-227.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/transformers/PYSEC-2024-227.yaml" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-11392", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-11392" }, { "reference_url": "https://www.zerodayinitiative.com/advisories/ZDI-24-1513", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.zerodayinitiative.com/advisories/ZDI-24-1513" }, { "reference_url": 
"https://bugzilla.redhat.com/show_bug.cgi?id=2328351", "reference_id": "2328351", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2328351" }, { "reference_url": "https://drive.google.com/file/d/14bnNaCRmFOQvPHUR9zQwdbjMmzKE2pZl/view?usp=drive_link", "reference_id": "CVE-2024-11392", "reference_type": "exploit", "scores": [], "url": "https://drive.google.com/file/d/14bnNaCRmFOQvPHUR9zQwdbjMmzKE2pZl/view?usp=drive_link" }, { "reference_url": "https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/python/remote/52227.txt", "reference_id": "CVE-2024-11392", "reference_type": "exploit", "scores": [], "url": "https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/python/remote/52227.txt" }, { "reference_url": "https://www.zerodayinitiative.com/advisories/ZDI-24-1513/", "reference_id": "ZDI-24-1513", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-11-26T16:33:03Z/" } ], "url": "https://www.zerodayinitiative.com/advisories/ZDI-24-1513/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/86521?format=api", "purl": "pkg:pypi/transformers@4.48.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-35kz-esn2-1yf5" }, { "vulnerability": "VCID-9766-62zk-zqcq" }, { "vulnerability": "VCID-c1ab-fktw-jud2" }, { "vulnerability": "VCID-c4mh-fkqh-1qe1" }, { "vulnerability": "VCID-dnej-1umy-qfh4" }, { "vulnerability": "VCID-pvb2-bzaz-w3bv" }, { "vulnerability": "VCID-sfgy-7173-eyby" }, { "vulnerability": "VCID-v4bk-nagm-8bcs" }, { "vulnerability": "VCID-wkqx-hf5c-8kae" }, { "vulnerability": "VCID-ydcb-5t2c-1fen" }, { "vulnerability": 
"VCID-ydge-4zba-3khn" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/transformers@4.48.0" } ], "aliases": [ "CVE-2024-11392", "GHSA-qxrp-vhvm-j765", "PYSEC-2024-227" ], "risk_score": 10.0, "exploitability": "2.0", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-k7sr-ay64-syg9" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/59904?format=api", "vulnerability_id": "VCID-mu2w-a71e-4bbd", "summary": "Hugging Face Transformers Trax Model Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the handling of model files. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current user. 
Was ZDI-CAN-25012.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-11394.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-11394.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-11394", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.65048", "scoring_system": "epss", "scoring_elements": "0.985", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.65048", "scoring_system": "epss", "scoring_elements": "0.98505", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-11394" }, { "reference_url": "https://github.com/advisories/GHSA-hxxf-235m-72v3", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" } ], "url": "https://github.com/advisories/GHSA-hxxf-235m-72v3" }, { "reference_url": "https://github.com/huggingface/transformers", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/huggingface/transformers" }, { "reference_url": "https://github.com/huggingface/transformers/issues/34840", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/huggingface/transformers/issues/34840" }, { "reference_url": "https://github.com/huggingface/transformers/pull/35296", 
"reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/huggingface/transformers/pull/35296" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/transformers/PYSEC-2024-229.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/transformers/PYSEC-2024-229.yaml" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-11394", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-11394" }, { "reference_url": "https://www.zerodayinitiative.com/advisories/ZDI-24-1515", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.zerodayinitiative.com/advisories/ZDI-24-1515" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2328333", "reference_id": "2328333", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2328333" }, { "reference_url": "https://www.zerodayinitiative.com/advisories/ZDI-24-1515/", "reference_id": "ZDI-24-1515", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3", "scoring_elements": 
"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-11-26T15:15:03Z/" } ], "url": "https://www.zerodayinitiative.com/advisories/ZDI-24-1515/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/86521?format=api", "purl": "pkg:pypi/transformers@4.48.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-35kz-esn2-1yf5" }, { "vulnerability": "VCID-9766-62zk-zqcq" }, { "vulnerability": "VCID-c1ab-fktw-jud2" }, { "vulnerability": "VCID-c4mh-fkqh-1qe1" }, { "vulnerability": "VCID-dnej-1umy-qfh4" }, { "vulnerability": "VCID-pvb2-bzaz-w3bv" }, { "vulnerability": "VCID-sfgy-7173-eyby" }, { "vulnerability": "VCID-v4bk-nagm-8bcs" }, { "vulnerability": "VCID-wkqx-hf5c-8kae" }, { "vulnerability": "VCID-ydcb-5t2c-1fen" }, { "vulnerability": "VCID-ydge-4zba-3khn" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/transformers@4.48.0" } ], "aliases": [ "CVE-2024-11394", "GHSA-hxxf-235m-72v3", "PYSEC-2024-229" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-mu2w-a71e-4bbd" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/111194?format=api", "vulnerability_id": "VCID-pvb2-bzaz-w3bv", "summary": "A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically affecting the MarianTokenizer's `remove_language_code()` method. This vulnerability is present in version 4.52.4 and has been fixed in version 4.53.0. 
The issue arises from inefficient regex processing, which can be exploited by crafted input strings containing malformed language code patterns, leading to excessive CPU consumption and potential denial of service.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-6638.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-6638.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-6638", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00032", "scoring_system": "epss", "scoring_elements": "0.09926", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00032", "scoring_system": "epss", "scoring_elements": "0.09922", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00032", "scoring_system": "epss", "scoring_elements": "0.09874", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-6638" }, { "reference_url": "https://github.com/huggingface/transformers", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/huggingface/transformers" }, { "reference_url": "https://github.com/huggingface/transformers/commit/d37f7517972f67e3f2194c000ed0f87f064e5099", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": 
"https://github.com/huggingface/transformers/commit/d37f7517972f67e3f2194c000ed0f87f064e5099" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-6638", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-6638" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2394799", "reference_id": "2394799", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2394799" }, { "reference_url": "https://github.com/huggingface/transformers/commit/47c34fba5c303576560cb29767efb452ff12b8be", "reference_id": "47c34fba5c303576560cb29767efb452ff12b8be", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-09-12T11:52:42Z/" } ], "url": "https://github.com/huggingface/transformers/commit/47c34fba5c303576560cb29767efb452ff12b8be" }, { "reference_url": "https://huntr.com/bounties/6a6c933f-9ce8-4ded-8b3b-2c1444c61f36", "reference_id": "6a6c933f-9ce8-4ded-8b3b-2c1444c61f36", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", 
"scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-09-12T11:52:42Z/" } ], "url": "https://huntr.com/bounties/6a6c933f-9ce8-4ded-8b3b-2c1444c61f36" }, { "reference_url": "https://github.com/advisories/GHSA-59p9-h35m-wg4g", "reference_id": "GHSA-59p9-h35m-wg4g", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-59p9-h35m-wg4g" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/376569?format=api", "purl": "pkg:pypi/transformers@4.53.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-wkqx-hf5c-8kae" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/transformers@4.53.0" } ], "aliases": [ "CVE-2025-6638", "GHSA-59p9-h35m-wg4g" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-pvb2-bzaz-w3bv" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/127408?format=api", "vulnerability_id": "VCID-sfgy-7173-eyby", "summary": "Hugging Face Transformers versions up to 4.49.0 are affected by an improper input validation vulnerability in the `image_utils.py` file. The vulnerability arises from insecure URL validation using the `startswith()` method, which can be bypassed through URL username injection. This allows attackers to craft URLs that appear to be from YouTube but resolve to malicious domains, potentially leading to phishing attacks, malware distribution, or data exfiltration. 
The issue is fixed in version 4.52.1.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-3777.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-3777.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-3777", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00055", "scoring_system": "epss", "scoring_elements": "0.17627", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00055", "scoring_system": "epss", "scoring_elements": "0.17803", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00055", "scoring_system": "epss", "scoring_elements": "0.17787", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-3777" }, { "reference_url": "https://github.com/huggingface/transformers", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/huggingface/transformers" }, { "reference_url": "https://github.com/huggingface/transformers/blame/a7d2bbaaa8aac64f7c1ee8c1421cfe84b38359a4/src/transformers/image_utils.py", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/huggingface/transformers/blame/a7d2bbaaa8aac64f7c1ee8c1421cfe84b38359a4/src/transformers/image_utils.py" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-3777", "reference_id": "", "reference_type": "", "scores": 
[ { "value": "3.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-3777" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2376775", "reference_id": "2376775", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2376775" }, { "reference_url": "https://github.com/huggingface/transformers/commit/4dda5f71b35fb70cf602187eef84bb17a50b9082", "reference_id": "4dda5f71b35fb70cf602187eef84bb17a50b9082", "reference_type": "", "scores": [ { "value": "3.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N" }, { "value": "3.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-07-07T12:24:47Z/" } ], "url": "https://github.com/huggingface/transformers/commit/4dda5f71b35fb70cf602187eef84bb17a50b9082" }, { "reference_url": "https://huntr.com/bounties/ccba0730-9248-4853-b7ff-5c20e6364f09", "reference_id": "ccba0730-9248-4853-b7ff-5c20e6364f09", "reference_type": "", "scores": [ { "value": "3.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N" }, { "value": "3.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-07-07T12:24:47Z/" } ], "url": "https://huntr.com/bounties/ccba0730-9248-4853-b7ff-5c20e6364f09" }, { "reference_url": "https://github.com/advisories/GHSA-phhr-52qp-3mj4", 
"reference_id": "GHSA-phhr-52qp-3mj4", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-phhr-52qp-3mj4" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/378299?format=api", "purl": "pkg:pypi/transformers@4.52.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-35kz-esn2-1yf5" }, { "vulnerability": "VCID-9766-62zk-zqcq" }, { "vulnerability": "VCID-pvb2-bzaz-w3bv" }, { "vulnerability": "VCID-v4bk-nagm-8bcs" }, { "vulnerability": "VCID-wkqx-hf5c-8kae" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/transformers@4.52.1" } ], "aliases": [ "CVE-2025-3777", "GHSA-phhr-52qp-3mj4" ], "risk_score": 1.6, "exploitability": "0.5", "weighted_severity": "3.1", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-sfgy-7173-eyby" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/59898?format=api", "vulnerability_id": "VCID-tzcs-6fp1-8yes", "summary": "Hugging Face Transformers MaskFormer Model Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the parsing of model files. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current user. 
Was ZDI-CAN-25191.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-11393.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-11393.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-11393", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.79534", "scoring_system": "epss", "scoring_elements": "0.99108", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.79534", "scoring_system": "epss", "scoring_elements": "0.99112", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-11393" }, { "reference_url": "https://github.com/advisories/GHSA-wrfc-pvp9-mr9g", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" } ], "url": "https://github.com/advisories/GHSA-wrfc-pvp9-mr9g" }, { "reference_url": "https://github.com/huggingface/transformers", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/huggingface/transformers" }, { "reference_url": "https://github.com/huggingface/transformers/issues/34840", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/huggingface/transformers/issues/34840" }, { "reference_url": "https://github.com/huggingface/transformers/pull/35296", 
"reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/huggingface/transformers/pull/35296" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/transformers/PYSEC-2024-228.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/transformers/PYSEC-2024-228.yaml" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-11393", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-11393" }, { "reference_url": "https://www.zerodayinitiative.com/advisories/ZDI-24-1514", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.zerodayinitiative.com/advisories/ZDI-24-1514" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2328394", "reference_id": "2328394", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2328394" }, { "reference_url": "https://www.zerodayinitiative.com/advisories/ZDI-24-1514/", "reference_id": "ZDI-24-1514", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3", "scoring_elements": 
"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-11-26T15:15:05Z/" } ], "url": "https://www.zerodayinitiative.com/advisories/ZDI-24-1514/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/86521?format=api", "purl": "pkg:pypi/transformers@4.48.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-35kz-esn2-1yf5" }, { "vulnerability": "VCID-9766-62zk-zqcq" }, { "vulnerability": "VCID-c1ab-fktw-jud2" }, { "vulnerability": "VCID-c4mh-fkqh-1qe1" }, { "vulnerability": "VCID-dnej-1umy-qfh4" }, { "vulnerability": "VCID-pvb2-bzaz-w3bv" }, { "vulnerability": "VCID-sfgy-7173-eyby" }, { "vulnerability": "VCID-v4bk-nagm-8bcs" }, { "vulnerability": "VCID-wkqx-hf5c-8kae" }, { "vulnerability": "VCID-ydcb-5t2c-1fen" }, { "vulnerability": "VCID-ydge-4zba-3khn" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/transformers@4.48.0" } ], "aliases": [ "CVE-2024-11393", "GHSA-wrfc-pvp9-mr9g", "PYSEC-2024-228" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-tzcs-6fp1-8yes" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/99109?format=api", "vulnerability_id": "VCID-v4bk-nagm-8bcs", "summary": "A Regular Expression Denial of Service (ReDoS) vulnerability exists in the Hugging Face Transformers library, specifically in the `convert_tf_weight_name_to_pt_weight_name()` function. This function, responsible for converting TensorFlow weight names to PyTorch format, uses a regex pattern `/[^/]*___([^/]*)/` that can be exploited to cause excessive CPU consumption through crafted input strings due to catastrophic backtracking. 
The vulnerability affects versions up to 4.51.3 and is fixed in version 4.53.0. This issue can lead to service disruption, resource exhaustion, and potential API service vulnerabilities, impacting model conversion processes between TensorFlow and PyTorch formats.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-5197.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-5197.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-5197", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00096", "scoring_system": "epss", "scoring_elements": "0.26745", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00096", "scoring_system": "epss", "scoring_elements": "0.26731", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00096", "scoring_system": "epss", "scoring_elements": "0.2653", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-5197" }, { "reference_url": "https://github.com/huggingface/transformers", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/huggingface/transformers" }, { "reference_url": "https://github.com/huggingface/transformers/commit/701caef704e356dc2f9331cc3fd5df0eccb4720a", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": 
"https://github.com/huggingface/transformers/commit/701caef704e356dc2f9331cc3fd5df0eccb4720a" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-5197", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-5197" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2386842", "reference_id": "2386842", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2386842" }, { "reference_url": "https://huntr.com/bounties/3f8b3fd0-166b-46e7-b60f-60dd9d2678bf", "reference_id": "3f8b3fd0-166b-46e7-b60f-60dd9d2678bf", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-08-06T13:02:53Z/" } ], "url": "https://huntr.com/bounties/3f8b3fd0-166b-46e7-b60f-60dd9d2678bf" }, { "reference_url": "https://github.com/huggingface/transformers/commit/944b56000be5e9b61af8301aa340838770ad8a0b", "reference_id": "944b56000be5e9b61af8301aa340838770ad8a0b", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": 
"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-08-06T13:02:53Z/" } ], "url": "https://github.com/huggingface/transformers/commit/944b56000be5e9b61af8301aa340838770ad8a0b" }, { "reference_url": "https://github.com/advisories/GHSA-9356-575x-2w9m", "reference_id": "GHSA-9356-575x-2w9m", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-9356-575x-2w9m" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/376569?format=api", "purl": "pkg:pypi/transformers@4.53.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-wkqx-hf5c-8kae" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/transformers@4.53.0" } ], "aliases": [ "CVE-2025-5197", "GHSA-9356-575x-2w9m" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-v4bk-nagm-8bcs" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/218372?format=api", "vulnerability_id": "VCID-v72p-1gy4-syck", "summary": "Deserialization of Untrusted Data in GitHub repository huggingface/transformers prior to 4.36.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-6730", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00161", "scoring_system": "epss", "scoring_elements": "0.37029", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00161", "scoring_system": "epss", "scoring_elements": "0.36823", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00161", "scoring_system": "epss", "scoring_elements": "0.37", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-6730" }, { "reference_url": "https://github.com/advisories/GHSA-3863-2447-669p", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": 
"CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-3863-2447-669p" }, { "reference_url": "https://github.com/huggingface/transformers", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/huggingface/transformers" }, { "reference_url": "https://github.com/huggingface/transformers/commit/1d63b0ec361e7a38f1339385e8a5a855085532ce", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "9.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/huggingface/transformers/commit/1d63b0ec361e7a38f1339385e8a5a855085532ce" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/transformers/PYSEC-2023-300.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/transformers/PYSEC-2023-300.yaml" }, { "reference_url": "https://huntr.com/bounties/423611ee-7a2a-442a-babb-3ed2f8385c16", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "9.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", 
"scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://huntr.com/bounties/423611ee-7a2a-442a-babb-3ed2f8385c16" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6730", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6730" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/81302?format=api", "purl": "pkg:pypi/transformers@4.36.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-35kz-esn2-1yf5" }, { "vulnerability": "VCID-9766-62zk-zqcq" }, { "vulnerability": "VCID-bp68-v13h-qufq" }, { "vulnerability": "VCID-c1ab-fktw-jud2" }, { "vulnerability": "VCID-c4mh-fkqh-1qe1" }, { "vulnerability": "VCID-dnej-1umy-qfh4" }, { "vulnerability": "VCID-k7sr-ay64-syg9" }, { "vulnerability": "VCID-mu2w-a71e-4bbd" }, { "vulnerability": "VCID-pvb2-bzaz-w3bv" }, { "vulnerability": "VCID-sfgy-7173-eyby" }, { "vulnerability": "VCID-tzcs-6fp1-8yes" }, { "vulnerability": "VCID-v4bk-nagm-8bcs" }, { "vulnerability": "VCID-wkqx-hf5c-8kae" }, { "vulnerability": "VCID-wqd9-k9zz-1ycz" }, { "vulnerability": "VCID-ydcb-5t2c-1fen" }, { "vulnerability": "VCID-ydge-4zba-3khn" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/transformers@4.36.0" } ], "aliases": [ "CVE-2023-6730", "GHSA-3863-2447-669p", "PYSEC-2023-300" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-v72p-1gy4-syck" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/78354?format=api", "vulnerability_id": "VCID-wkqx-hf5c-8kae", "summary": "A vulnerability in the HuggingFace Transformers library, specifically in the `Trainer` class, allows for 
arbitrary code execution. The `_load_rng_state()` method in `src/transformers/trainer.py` at line 3059 calls `torch.load()` without the `weights_only=True` parameter. This issue affects all versions of the library supporting `torch>=2.2` when used with PyTorch versions below 2.6, as the `safe_globals()` context manager provides no protection in these versions. An attacker can exploit this vulnerability by supplying a malicious checkpoint file, such as `rng_state.pth`, which can execute arbitrary code when loaded. The issue is resolved in version v5.0.0rc3.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-1839.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.7", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-1839.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-1839", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00023", "scoring_system": "epss", "scoring_elements": "0.06736", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00023", "scoring_system": "epss", "scoring_elements": "0.06747", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00023", "scoring_system": "epss", "scoring_elements": "0.06727", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-1839" }, { "reference_url": "https://github.com/huggingface/transformers", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/huggingface/transformers" }, { "reference_url": "https://github.com/huggingface/transformers/releases/tag/v5.0.0rc3", "reference_id": "", 
"reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/huggingface/transformers/releases/tag/v5.0.0rc3" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1839", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1839" }, { "reference_url": "https://github.com/huggingface/transformers/commit/03c8082ba4594c9b8d6fe190ca9bed0e5f8ca396", "reference_id": "03c8082ba4594c9b8d6fe190ca9bed0e5f8ca396", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:H" }, { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-07T13:27:38Z/" } ], "url": "https://github.com/huggingface/transformers/commit/03c8082ba4594c9b8d6fe190ca9bed0e5f8ca396" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2455854", "reference_id": "2455854", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2455854" }, { "reference_url": "https://huntr.com/bounties/3c77bb97-e493-493d-9a88-c57f5c536485", "reference_id": "3c77bb97-e493-493d-9a88-c57f5c536485", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:H" }, { "value": "6.5", "scoring_system": 
"cvssv3.1", "scoring_elements": "CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-07T13:27:38Z/" } ], "url": "https://huntr.com/bounties/3c77bb97-e493-493d-9a88-c57f5c536485" }, { "reference_url": "https://github.com/advisories/GHSA-69w3-r845-3855", "reference_id": "GHSA-69w3-r845-3855", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-69w3-r845-3855" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/374227?format=api", "purl": "pkg:pypi/transformers@5.0.0rc3", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/transformers@5.0.0rc3" } ], "aliases": [ "CVE-2026-1839", "GHSA-69w3-r845-3855" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-wkqx-hf5c-8kae" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36509?format=api", "vulnerability_id": "VCID-wqd9-k9zz-1ycz", "summary": "A Regular Expression Denial of Service (ReDoS) vulnerability was identified in the huggingface/transformers library, specifically in the file tokenization_nougat_fast.py. The vulnerability occurs in the post_process_single() function, where a regular expression processes specially crafted input. The issue stems from the regex exhibiting exponential time complexity under certain conditions, leading to excessive backtracking. This can result in significantly high CPU usage and potential application downtime, effectively creating a Denial of Service (DoS) scenario. 
The affected version is v4.46.3 (latest).", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-12720", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00228", "scoring_system": "epss", "scoring_elements": "0.45861", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00228", "scoring_system": "epss", "scoring_elements": "0.45853", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00228", "scoring_system": "epss", "scoring_elements": "0.45706", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-12720" }, { "reference_url": "https://github.com/huggingface/transformers", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/huggingface/transformers" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-12720", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-12720" }, { "reference_url": "https://huntr.com/bounties/4bed1214-7835-4252-a853-22bbad891f98", "reference_id": "4bed1214-7835-4252-a853-22bbad891f98", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": 
"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-20T13:25:17Z/" } ], "url": "https://huntr.com/bounties/4bed1214-7835-4252-a853-22bbad891f98" }, { "reference_url": "https://github.com/huggingface/transformers/commit/deac971c469bcbb182c2e52da0b82fb3bf54cccf", "reference_id": "deac971c469bcbb182c2e52da0b82fb3bf54cccf", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-20T13:25:17Z/" } ], "url": "https://github.com/huggingface/transformers/commit/deac971c469bcbb182c2e52da0b82fb3bf54cccf" }, { "reference_url": "https://github.com/advisories/GHSA-6rvg-6v2m-4j46", "reference_id": "GHSA-6rvg-6v2m-4j46", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-6rvg-6v2m-4j46" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/86521?format=api", "purl": "pkg:pypi/transformers@4.48.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-35kz-esn2-1yf5" }, { "vulnerability": "VCID-9766-62zk-zqcq" }, { "vulnerability": "VCID-c1ab-fktw-jud2" }, { "vulnerability": "VCID-c4mh-fkqh-1qe1" }, { "vulnerability": "VCID-dnej-1umy-qfh4" }, { "vulnerability": "VCID-pvb2-bzaz-w3bv" }, { "vulnerability": "VCID-sfgy-7173-eyby" }, { "vulnerability": "VCID-v4bk-nagm-8bcs" }, { "vulnerability": "VCID-wkqx-hf5c-8kae" }, { "vulnerability": "VCID-ydcb-5t2c-1fen" }, { "vulnerability": "VCID-ydge-4zba-3khn" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/transformers@4.48.0" } ], "aliases": [ "CVE-2024-12720", "GHSA-6rvg-6v2m-4j46" ], "risk_score": 3.1, "exploitability": "0.5", 
"weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-wqd9-k9zz-1ycz" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/218373?format=api", "vulnerability_id": "VCID-x9b5-phfp-67ac", "summary": "Deserialization of Untrusted Data in GitHub repository huggingface/transformers prior to 4.36.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-7018", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00203", "scoring_system": "epss", "scoring_elements": "0.42538", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00203", "scoring_system": "epss", "scoring_elements": "0.42352", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00203", "scoring_system": "epss", "scoring_elements": "0.42515", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-7018" }, { "reference_url": "https://github.com/advisories/GHSA-v68g-wm8c-6x7j", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-v68g-wm8c-6x7j" }, { "reference_url": "https://github.com/huggingface/transformers", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/huggingface/transformers" }, { "reference_url": "https://github.com/huggingface/transformers/commit/1d63b0ec361e7a38f1339385e8a5a855085532ce", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", 
"scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/huggingface/transformers/commit/1d63b0ec361e7a38f1339385e8a5a855085532ce" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/transformers/PYSEC-2023-301.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/transformers/PYSEC-2023-301.yaml" }, { "reference_url": "https://huntr.com/bounties/e1a3e548-e53a-48df-b708-9ee62140963c", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://huntr.com/bounties/e1a3e548-e53a-48df-b708-9ee62140963c" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-7018", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-7018" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/81302?format=api", "purl": "pkg:pypi/transformers@4.36.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-35kz-esn2-1yf5" }, { "vulnerability": "VCID-9766-62zk-zqcq" }, { "vulnerability": "VCID-bp68-v13h-qufq" }, { "vulnerability": "VCID-c1ab-fktw-jud2" }, { "vulnerability": "VCID-c4mh-fkqh-1qe1" }, { "vulnerability": "VCID-dnej-1umy-qfh4" }, { "vulnerability": "VCID-k7sr-ay64-syg9" }, { "vulnerability": "VCID-mu2w-a71e-4bbd" }, { 
"vulnerability": "VCID-pvb2-bzaz-w3bv" }, { "vulnerability": "VCID-sfgy-7173-eyby" }, { "vulnerability": "VCID-tzcs-6fp1-8yes" }, { "vulnerability": "VCID-v4bk-nagm-8bcs" }, { "vulnerability": "VCID-wkqx-hf5c-8kae" }, { "vulnerability": "VCID-wqd9-k9zz-1ycz" }, { "vulnerability": "VCID-ydcb-5t2c-1fen" }, { "vulnerability": "VCID-ydge-4zba-3khn" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/transformers@4.36.0" } ], "aliases": [ "CVE-2023-7018", "GHSA-v68g-wm8c-6x7j", "PYSEC-2023-301" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-x9b5-phfp-67ac" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/127690?format=api", "vulnerability_id": "VCID-ydcb-5t2c-1fen", "summary": "A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically within the DonutProcessor class's `token2json()` method. This vulnerability affects versions 4.50.3 and earlier, and is fixed in version 4.52.1. The issue arises from the regex pattern `<s_(.*?)>` which can be exploited to cause excessive CPU consumption through crafted input strings due to catastrophic backtracking. 
This vulnerability can lead to service disruption, resource exhaustion, and potential API service vulnerabilities, impacting document processing tasks using the Donut model.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-3933.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-3933.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-3933", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00088", "scoring_system": "epss", "scoring_elements": "0.25244", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00088", "scoring_system": "epss", "scoring_elements": "0.25458", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00088", "scoring_system": "epss", "scoring_elements": "0.25441", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-3933" }, { "reference_url": "https://github.com/huggingface/transformers", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/huggingface/transformers" }, { "reference_url": "https://github.com/huggingface/transformers/pull/37788", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/huggingface/transformers/pull/37788" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-3933", "reference_id": "", "reference_type": "", 
"scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-3933" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2379517", "reference_id": "2379517", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2379517" }, { "reference_url": "https://huntr.com/bounties/25282953-5827-4384-bb6f-5790d275721b", "reference_id": "25282953-5827-4384-bb6f-5790d275721b", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-07-11T14:34:20Z/" } ], "url": "https://huntr.com/bounties/25282953-5827-4384-bb6f-5790d275721b" }, { "reference_url": "https://github.com/huggingface/transformers/commit/ebbe9b12dd75b69f92100d684c47f923ee262a93", "reference_id": "ebbe9b12dd75b69f92100d684c47f923ee262a93", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-07-11T14:34:20Z/" } ], "url": "https://github.com/huggingface/transformers/commit/ebbe9b12dd75b69f92100d684c47f923ee262a93" }, { "reference_url": 
"https://github.com/advisories/GHSA-37mw-44qp-f5jm", "reference_id": "GHSA-37mw-44qp-f5jm", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-37mw-44qp-f5jm" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/378299?format=api", "purl": "pkg:pypi/transformers@4.52.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-35kz-esn2-1yf5" }, { "vulnerability": "VCID-9766-62zk-zqcq" }, { "vulnerability": "VCID-pvb2-bzaz-w3bv" }, { "vulnerability": "VCID-v4bk-nagm-8bcs" }, { "vulnerability": "VCID-wkqx-hf5c-8kae" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/transformers@4.52.1" } ], "aliases": [ "CVE-2025-3933", "GHSA-37mw-44qp-f5jm" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ydcb-5t2c-1fen" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/126250?format=api", "vulnerability_id": "VCID-ydge-4zba-3khn", "summary": "A vulnerability in the `preprocess_string()` function of the `transformers.testing_utils` module in huggingface/transformers version v4.48.3 allows for a Regular Expression Denial of Service (ReDoS) attack. The regular expression used to process code blocks in docstrings contains nested quantifiers, leading to exponential backtracking when processing input with a large number of newline characters. 
An attacker can exploit this by providing a specially crafted payload, causing high CPU usage and potential application downtime, effectively resulting in a Denial of Service (DoS) scenario.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-2099.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-2099.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-2099", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00092", "scoring_system": "epss", "scoring_elements": "0.26027", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00092", "scoring_system": "epss", "scoring_elements": "0.25811", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00092", "scoring_system": "epss", "scoring_elements": "0.26011", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-2099" }, { "reference_url": "https://github.com/advisories/GHSA-qq3j-4f4f-9583", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ], "url": "https://github.com/advisories/GHSA-qq3j-4f4f-9583" }, { "reference_url": "https://github.com/huggingface/transformers", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/huggingface/transformers" }, { "reference_url": "https://github.com/huggingface/transformers/pull/36648", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", 
"scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/huggingface/transformers/pull/36648" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/transformers/PYSEC-2025-40.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/transformers/PYSEC-2025-40.yaml" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-2099", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-2099" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2367239", "reference_id": "2367239", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2367239" }, { "reference_url": "https://github.com/huggingface/transformers/commit/8cb522b4190bd556ce51be04942720650b1a3e57", "reference_id": "8cb522b4190bd556ce51be04942720650b1a3e57", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": 
"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-19T13:38:03Z/" } ], "url": "https://github.com/huggingface/transformers/commit/8cb522b4190bd556ce51be04942720650b1a3e57" }, { "reference_url": "https://huntr.com/bounties/97b780f3-ffca-424f-ad5d-0e1c57a5bde4", "reference_id": "97b780f3-ffca-424f-ad5d-0e1c57a5bde4", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-19T13:38:03Z/" } ], "url": "https://huntr.com/bounties/97b780f3-ffca-424f-ad5d-0e1c57a5bde4" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:12791", "reference_id": "RHSA-2025:12791", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:12791" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/87673?format=api", "purl": "pkg:pypi/transformers@4.49.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-35kz-esn2-1yf5" }, { "vulnerability": "VCID-9766-62zk-zqcq" }, { "vulnerability": "VCID-c1ab-fktw-jud2" }, { "vulnerability": "VCID-c4mh-fkqh-1qe1" }, { "vulnerability": "VCID-dnej-1umy-qfh4" }, { "vulnerability": "VCID-fja1-xm9v-uufp" }, { "vulnerability": "VCID-pvb2-bzaz-w3bv" }, { "vulnerability": "VCID-sfgy-7173-eyby" }, { "vulnerability": "VCID-v4bk-nagm-8bcs" }, { "vulnerability": "VCID-wkqx-hf5c-8kae" }, { "vulnerability": "VCID-ydcb-5t2c-1fen" }, { "vulnerability": "VCID-ydge-4zba-3khn" } ], "resource_url": 
"http://public2.vulnerablecode.io/packages/pkg:pypi/transformers@4.49.0" }, { "url": "http://public2.vulnerablecode.io/api/packages/376298?format=api", "purl": "pkg:pypi/transformers@4.50.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-35kz-esn2-1yf5" }, { "vulnerability": "VCID-9766-62zk-zqcq" }, { "vulnerability": "VCID-c4mh-fkqh-1qe1" }, { "vulnerability": "VCID-dnej-1umy-qfh4" }, { "vulnerability": "VCID-fja1-xm9v-uufp" }, { "vulnerability": "VCID-pvb2-bzaz-w3bv" }, { "vulnerability": "VCID-sfgy-7173-eyby" }, { "vulnerability": "VCID-v4bk-nagm-8bcs" }, { "vulnerability": "VCID-wkqx-hf5c-8kae" }, { "vulnerability": "VCID-ydcb-5t2c-1fen" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/transformers@4.50.0" } ], "aliases": [ "CVE-2025-2099", "GHSA-qq3j-4f4f-9583", "PYSEC-2025-40" ], "risk_score": 3.4, "exploitability": "0.5", "weighted_severity": "6.8", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ydge-4zba-3khn" } ], "fixing_vulnerabilities": [], "risk_score": "10.0", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/transformers@2.9.0" }