Search for packages
| purl | pkg:pypi/transformers@4.15.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-6jzg-ptkc-zfge
Aliases: CVE-2024-11394 PYSEC-2024-229 |
Hugging Face Transformers Trax Model Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of model files. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-25012. |
Affected by 1 other vulnerability. |
|
VCID-6wnz-1qbk-x3av
Aliases: CVE-2023-7018 GHSA-v68g-wm8c-6x7j PYSEC-2023-301 |
Deserialization of Untrusted Data in GitHub repository huggingface/transformers prior to 4.36. |
Affected by 4 other vulnerabilities. |
|
VCID-7chd-q1tt-7fck
Aliases: CVE-2025-2099 PYSEC-2025-40 |
A vulnerability in the `preprocess_string()` function of the `transformers.testing_utils` module in huggingface/transformers version v4.48.3 allows for a Regular Expression Denial of Service (ReDoS) attack. The regular expression used to process code blocks in docstrings contains nested quantifiers, leading to exponential backtracking when processing input with a large number of newline characters. An attacker can exploit this by providing a specially crafted payload, causing high CPU usage and potential application downtime, effectively resulting in a Denial of Service (DoS) scenario. |
Affected by 0 other vulnerabilities. |
|
VCID-aud4-pr4h-r3er
Aliases: CVE-2024-11392 PYSEC-2024-227 |
Hugging Face Transformers MobileViTV2 Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of configuration files. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-24322. |
Affected by 1 other vulnerability. |
|
VCID-mj4x-79x9-83ax
Aliases: CVE-2024-11393 PYSEC-2024-228 |
Hugging Face Transformers MaskFormer Model Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of model files. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-25191. |
Affected by 1 other vulnerability. |
|
VCID-re51-pz3b-xbc5
Aliases: CVE-2023-6730 GHSA-3863-2447-669p PYSEC-2023-300 |
Deserialization of Untrusted Data in GitHub repository huggingface/transformers prior to 4.36. |
Affected by 4 other vulnerabilities. |
|
VCID-smqc-ecxk-eqe6
Aliases: CVE-2023-2800 GHSA-282v-666c-3fvg PYSEC-2023-299 |
Insecure Temporary File in GitHub repository huggingface/transformers prior to 4.30.0. |
Affected by 6 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||