{"url":"http://public2.vulnerablecode.io/api/packages/33660?format=json","purl":"pkg:pypi/transformers@2.5.0","type":"pypi","namespace":"","name":"transformers","version":"2.5.0","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"4.50.0","latest_non_vulnerable_version":"5.0.0rc3","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/36942?format=json","vulnerability_id":"VCID-6jzg-ptkc-zfge","summary":"Hugging Face Transformers Trax Model Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the handling of model files. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-25012.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-11394.json","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-11394.json"},{"reference_url":"https://github.com/huggingface/transformers","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/huggingface/transformers"},{"reference_url":"https://github.com/huggingface/transformers/issues/34840","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/huggingface/transformers/issues/34840"},{"reference_url":"https://github.com/huggingface/transformers/pull/35296","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/huggingface/transformers/pull/35296"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/transformers/PYSEC-2024-229.yaml","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/transformers/PYSEC-2024-229.yaml"},{"reference_url":"https://www.zerodayinitiative.com/advisories/ZDI-24-1515","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.zerodayinitiative.com/advisories/ZDI-24-1515"},{"reference_url":"https://www.zerodayinitiative.com/advisories/ZDI-24-1515/","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}],"url":"https://www.zerodayinitiative.com/advisories/ZDI-24-1515/"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2328333","reference_id":"2328333","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2328333"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-11394","reference_id":"CVE-2024-11394","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-11394"},{"reference_url":"https://github.com/advisories/GHSA-hxxf-235m-72v3","reference_id":"GHSA-hxxf-235m-72v3","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-hxxf-235m-72v3"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/43961?format=json","purl":"pkg:pypi/transformers@4.48.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-7chd-q1tt-7fck"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/transformers@4.48.0"}],"aliases":["CVE-2024-11394","GHSA-hxxf-235m-72v3","PYSEC-2024-229"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-6jzg-ptkc-zfge"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/36649?format=json","vulnerability_id":"VCID-6wnz-1qbk-x3av","summary":"Deserialization of Untrusted Data in GitHub repository huggingface/transformers prior to 4.36.","references":[{"reference_url":"https://github.com/huggingface/transformers","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/huggingface/transformers"},{"reference_url":"https://github.com/huggingface/transformers/commit/1d63b0ec361e7a38f1339385e8a5a855085532ce","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/huggingface/transformers/commit/1d63b0ec361e7a38f1339385e8a5a855085532ce"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/transformers/PYSEC-2023-301.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/transformers/PYSEC-2023-301.yaml"},{"reference_url":"https://huntr.com/bounties/e1a3e548-e53a-48df-b708-9ee62140963c","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://huntr.com/bounties/e1a3e548-e53a-48df-b708-9ee62140963c"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-7018","reference_id":"CVE-2023-7018","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-7018"},{"reference_url":"https://github.com/advisories/GHSA-v68g-wm8c-6x7j","reference_id":"GHSA-v68g-wm8c-6x7j","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-v68g-wm8c-6x7j"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/38392?format=json","purl":"pkg:pypi/transformers@4.36.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-6jzg-ptkc-zfge"},{"vulnerability":"VCID-7chd-q1tt-7fck"},{"vulnerability":"VCID-aud4-pr4h-r3er"},{"vulnerability":"VCID-mj4x-79x9-83ax"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/transformers@4.36.0"}],"aliases":["CVE-2023-7018","GHSA-v68g-wm8c-6x7j","PYSEC-2023-301"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-6wnz-1qbk-x3av"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/37062?format=json","vulnerability_id":"VCID-7chd-q1tt-7fck","summary":"A vulnerability in the `preprocess_string()` function of the `transformers.testing_utils` module in huggingface/transformers version v4.48.3 allows for a Regular Expression Denial of Service (ReDoS) attack. The regular expression used to process code blocks in docstrings contains nested quantifiers, leading to exponential backtracking when processing input with a large number of newline characters. An attacker can exploit this by providing a specially crafted payload, causing high CPU usage and potential application downtime, effectively resulting in a Denial of Service (DoS) scenario.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-2099.json","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-2099.json"},{"reference_url":"https://github.com/huggingface/transformers","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/huggingface/transformers"},{"reference_url":"https://github.com/huggingface/transformers/commit/8cb522b4190bd556ce51be04942720650b1a3e57","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/huggingface/transformers/commit/8cb522b4190bd556ce51be04942720650b1a3e57"},{"reference_url":"https://github.com/huggingface/transformers/pull/36648","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/huggingface/transformers/pull/36648"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/transformers/PYSEC-2025-40.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/transformers/PYSEC-2025-40.yaml"},{"reference_url":"https://huntr.com/bounties/97b780f3-ffca-424f-ad5d-0e1c57a5bde4","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://huntr.com/bounties/97b780f3-ffca-424f-ad5d-0e1c57a5bde4"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2367239","reference_id":"2367239","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2367239"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-2099","reference_id":"CVE-2025-2099","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-2099"},{"reference_url":"https://github.com/advisories/GHSA-qq3j-4f4f-9583","reference_id":"GHSA-qq3j-4f4f-9583","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-qq3j-4f4f-9583"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:12791","reference_id":"RHSA-2025:12791","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:12791"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/45247?format=json","purl":"pkg:pypi/transformers@4.49.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-msje-w8r1-wkh8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/transformers@4.49.0"},{"url":"http://public2.vulnerablecode.io/api/packages/84976?format=json","purl":"pkg:pypi/transformers@4.50.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/transformers@4.50.0"}],"aliases":["CVE-2025-2099","GHSA-qq3j-4f4f-9583","PYSEC-2025-40"],"risk_score":3.4,"exploitability":"0.5","weighted_severity":"6.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-7chd-q1tt-7fck"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/36940?format=json","vulnerability_id":"VCID-aud4-pr4h-r3er","summary":"Hugging Face Transformers MobileViTV2 Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the handling of configuration files. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-24322.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-11392.json","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-11392.json"},{"reference_url":"https://github.com/huggingface/transformers","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/huggingface/transformers"},{"reference_url":"https://github.com/huggingface/transformers/issues/34840","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/huggingface/transformers/issues/34840"},{"reference_url":"https://github.com/huggingface/transformers/pull/35296","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/huggingface/transformers/pull/35296"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/transformers/PYSEC-2024-227.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/transformers/PYSEC-2024-227.yaml"},{"reference_url":"https://www.zerodayinitiative.com/advisories/ZDI-24-1513","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.zerodayinitiative.com/advisories/ZDI-24-1513"},{"reference_url":"https://www.zerodayinitiative.com/advisories/ZDI-24-1513/","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}],"url":"https://www.zerodayinitiative.com/advisories/ZDI-24-1513/"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2328351","reference_id":"2328351","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2328351"},{"reference_url":"https://drive.google.com/file/d/14bnNaCRmFOQvPHUR9zQwdbjMmzKE2pZl/view?usp=drive_link","reference_id":"CVE-2024-11392","reference_type":"exploit","scores":[],"url":"https://drive.google.com/file/d/14bnNaCRmFOQvPHUR9zQwdbjMmzKE2pZl/view?usp=drive_link"},{"reference_url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/python/remote/52227.txt","reference_id":"CVE-2024-11392","reference_type":"exploit","scores":[],"url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/python/remote/52227.txt"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-11392","reference_id":"CVE-2024-11392","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-11392"},{"reference_url":"https://github.com/advisories/GHSA-qxrp-vhvm-j765","reference_id":"GHSA-qxrp-vhvm-j765","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-qxrp-vhvm-j765"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/43961?format=json","purl":"pkg:pypi/transformers@4.48.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-7chd-q1tt-7fck"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/transformers@4.48.0"}],"aliases":["CVE-2024-11392","GHSA-qxrp-vhvm-j765","PYSEC-2024-227"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-aud4-pr4h-r3er"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/36941?format=json","vulnerability_id":"VCID-mj4x-79x9-83ax","summary":"Hugging Face Transformers MaskFormer Model Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the parsing of model files. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-25191.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-11393.json","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-11393.json"},{"reference_url":"https://github.com/huggingface/transformers","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/huggingface/transformers"},{"reference_url":"https://github.com/huggingface/transformers/issues/34840","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/huggingface/transformers/issues/34840"},{"reference_url":"https://github.com/huggingface/transformers/pull/35296","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/huggingface/transformers/pull/35296"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/transformers/PYSEC-2024-228.yaml","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/transformers/PYSEC-2024-228.yaml"},{"reference_url":"https://www.zerodayinitiative.com/advisories/ZDI-24-1514","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.zerodayinitiative.com/advisories/ZDI-24-1514"},{"reference_url":"https://www.zerodayinitiative.com/advisories/ZDI-24-1514/","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}],"url":"https://www.zerodayinitiative.com/advisories/ZDI-24-1514/"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2328394","reference_id":"2328394","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2328394"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-11393","reference_id":"CVE-2024-11393","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-11393"},{"reference_url":"https://github.com/advisories/GHSA-wrfc-pvp9-mr9g","reference_id":"GHSA-wrfc-pvp9-mr9g","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-wrfc-pvp9-mr9g"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/43961?format=json","purl":"pkg:pypi/transformers@4.48.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-7chd-q1tt-7fck"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/transformers@4.48.0"}],"aliases":["CVE-2024-11393","GHSA-wrfc-pvp9-mr9g","PYSEC-2024-228"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-mj4x-79x9-83ax"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/36648?format=json","vulnerability_id":"VCID-re51-pz3b-xbc5","summary":"Deserialization of Untrusted Data in GitHub repository huggingface/transformers prior to 4.36.","references":[{"reference_url":"https://github.com/huggingface/transformers","reference_id":"","reference_type":"","scores":[{"value":"9.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/huggingface/transformers"},{"reference_url":"https://github.com/huggingface/transformers/commit/1d63b0ec361e7a38f1339385e8a5a855085532ce","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/huggingface/transformers/commit/1d63b0ec361e7a38f1339385e8a5a855085532ce"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/transformers/PYSEC-2023-300.yaml","reference_id":"","reference_type":"","scores":[{"value":"9.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/transformers/PYSEC-2023-300.yaml"},{"reference_url":"https://huntr.com/bounties/423611ee-7a2a-442a-babb-3ed2f8385c16","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://huntr.com/bounties/423611ee-7a2a-442a-babb-3ed2f8385c16"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-6730","reference_id":"CVE-2023-6730","reference_type":"","scores":[{"value":"9.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-6730"},{"reference_url":"https://github.com/advisories/GHSA-3863-2447-669p","reference_id":"GHSA-3863-2447-669p","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-3863-2447-669p"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/38392?format=json","purl":"pkg:pypi/transformers@4.36.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-6jzg-ptkc-zfge"},{"vulnerability":"VCID-7chd-q1tt-7fck"},{"vulnerability":"VCID-aud4-pr4h-r3er"},{"vulnerability":"VCID-mj4x-79x9-83ax"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/transformers@4.36.0"}],"aliases":["CVE-2023-6730","GHSA-3863-2447-669p","PYSEC-2023-300"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-re51-pz3b-xbc5"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/36446?format=json","vulnerability_id":"VCID-smqc-ecxk-eqe6","summary":"Insecure Temporary File in GitHub repository huggingface/transformers prior to 4.30.0.","references":[{"reference_url":"https://github.com/huggingface/transformers","reference_id":"","reference_type":"","scores":[{"value":"4.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/huggingface/transformers"},{"reference_url":"https://github.com/huggingface/transformers/commit/80ca92470938bbcc348e2d9cf4734c7c25cb1c43","reference_id":"","reference_type":"","scores":[{"value":"4.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/huggingface/transformers/commit/80ca92470938bbcc348e2d9cf4734c7c25cb1c43"},{"reference_url":"https://github.com/huggingface/transformers/pull/23372","reference_id":"","reference_type":"","scores":[{"value":"4.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/huggingface/transformers/pull/23372"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/transformers/PYSEC-2023-299.yaml","reference_id":"","reference_type":"","scores":[{"value":"4.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/transformers/PYSEC-2023-299.yaml"},{"reference_url":"https://huntr.dev/bounties/a3867b4e-6701-4418-8c20-3c6e7084a44a","reference_id":"","reference_type":"","scores":[{"value":"4.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://huntr.dev/bounties/a3867b4e-6701-4418-8c20-3c6e7084a44a"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-2800","reference_id":"CVE-2023-2800","reference_type":"","scores":[{"value":"4.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-2800"},{"reference_url":"https://github.com/advisories/GHSA-282v-666c-3fvg","reference_id":"GHSA-282v-666c-3fvg","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-282v-666c-3fvg"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/33760?format=json","purl":"pkg:pypi/transformers@4.30.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-6jzg-ptkc-zfge"},{"vulnerability":"VCID-6wnz-1qbk-x3av"},{"vulnerability":"VCID-7chd-q1tt-7fck"},{"vulnerability":"VCID-aud4-pr4h-r3er"},{"vulnerability":"VCID-mj4x-79x9-83ax"},{"vulnerability":"VCID-re51-pz3b-xbc5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/transformers@4.30.0"}],"aliases":["CVE-2023-2800","GHSA-282v-666c-3fvg","PYSEC-2023-299"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-smqc-ecxk-eqe6"}],"fixing_vulnerabilities":[],"risk_score":"4.5","resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/transformers@2.5.0"}