{"url":"http://public2.vulnerablecode.io/api/packages/75994?format=json","purl":"pkg:pypi/transformers@2.2.0","type":"pypi","namespace":"","name":"transformers","version":"2.2.0","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"5.0.0rc3","latest_non_vulnerable_version":"5.0.0rc3","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/151215?format=json","vulnerability_id":"VCID-2kd5-2rcv-97bd","summary":"Insecure Temporary File in GitHub repository huggingface/transformers prior to 4.30.0.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-2800","reference_id":"","reference_type":"","scores":[{"value":"0.00028","scoring_system":"epss","scoring_elements":"0.08656","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00028","scoring_system":"epss","scoring_elements":"0.08616","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-2800"},{"reference_url":"https://github.com/advisories/GHSA-282v-666c-3fvg","reference_id":"","reference_type":"","scores":[{"value":"4.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-282v-666c-3fvg"},{"reference_url":"https://github.com/huggingface/transformers","reference_id":"","reference_type":"","scores":[{"value":"4.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/huggingface/transformers"},{"reference_url":"https://github.com/huggingface/transformers/pull/23372","reference_id":"","reference_type":"","scores":[{"value":"4.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elemen
ts":""}],"url":"https://github.com/huggingface/transformers/pull/23372"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/transformers/PYSEC-2023-299.yaml","reference_id":"","reference_type":"","scores":[{"value":"4.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/transformers/PYSEC-2023-299.yaml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-2800","reference_id":"","reference_type":"","scores":[{"value":"4.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-2800"},{"reference_url":"https://github.com/huggingface/transformers/commit/80ca92470938bbcc348e2d9cf4734c7c25cb1c43","reference_id":"80ca92470938bbcc348e2d9cf4734c7c25cb1c43","reference_type":"","scores":[{"value":"4.7","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"4.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-21T20:08:31Z/"}],"url":"https://github.com/huggingface/transformers/commit/80ca92470938bbcc348e2d9cf4734c7c25cb1c43"},{"reference_url":"https://huntr.dev/bounties/a3867b4e-6701-4418-8c20-3c6e7084a44a","reference_id":"a3867b4e-6701-4418-8c20-3c6e7084a44a","reference_type":"","scores":[{"value":"4.7","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"4.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE"
,"scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-21T20:08:31Z/"}],"url":"https://huntr.dev/bounties/a3867b4e-6701-4418-8c20-3c6e7084a44a"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/76100?format=json","purl":"pkg:pypi/transformers@4.30.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-35kz-esn2-1yf5"},{"vulnerability":"VCID-9766-62zk-zqcq"},{"vulnerability":"VCID-bp68-v13h-qufq"},{"vulnerability":"VCID-c1ab-fktw-jud2"},{"vulnerability":"VCID-c4mh-fkqh-1qe1"},{"vulnerability":"VCID-dnej-1umy-qfh4"},{"vulnerability":"VCID-k7sr-ay64-syg9"},{"vulnerability":"VCID-mu2w-a71e-4bbd"},{"vulnerability":"VCID-pvb2-bzaz-w3bv"},{"vulnerability":"VCID-sfgy-7173-eyby"},{"vulnerability":"VCID-tzcs-6fp1-8yes"},{"vulnerability":"VCID-v4bk-nagm-8bcs"},{"vulnerability":"VCID-v72p-1gy4-syck"},{"vulnerability":"VCID-wkqx-hf5c-8kae"},{"vulnerability":"VCID-wqd9-k9zz-1ycz"},{"vulnerability":"VCID-x9b5-phfp-67ac"},{"vulnerability":"VCID-ydcb-5t2c-1fen"},{"vulnerability":"VCID-ydge-4zba-3khn"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/transformers@4.30.0"}],"aliases":["CVE-2023-2800","GHSA-282v-666c-3fvg","PYSEC-2023-299"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-2kd5-2rcv-97bd"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/110892?format=json","vulnerability_id":"VCID-35kz-esn2-1yf5","summary":"A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically within the `normalize_numbers()` method of the `EnglishNormalizer` class. This vulnerability affects versions up to 4.52.4 and is fixed in version 4.53.0. 
The issue arises from the method's handling of numeric strings, which can be exploited using crafted input strings containing long sequences of digits, leading to excessive CPU consumption. This vulnerability impacts text-to-speech and number normalization tasks, potentially causing service disruption, resource exhaustion, and API vulnerabilities.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-6051.json","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-6051.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-6051","reference_id":"","reference_type":"","scores":[{"value":"0.00034","scoring_system":"epss","scoring_elements":"0.10402","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00034","scoring_system":"epss","scoring_elements":"0.10351","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-6051"},{"reference_url":"https://github.com/huggingface/transformers","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/huggingface/transformers"},{"reference_url":"https://github.com/huggingface/transformers/commit/54a02160eb030da9be18231c77791f2eb3a52216","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/huggingface/transformers/commit/54a02160eb030da9be18231c77791f2eb3a52216"},{"reference_url":"https://github.com/huggingface/transformers/pull/38844","reference_id":"","refe
rence_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/huggingface/transformers/pull/38844"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-6051","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-6051"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2395072","reference_id":"2395072","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2395072"},{"reference_url":"https://huntr.com/bounties/af929523-7b59-418a-bf55-301830b2ac9d","reference_id":"af929523-7b59-418a-bf55-301830b2ac9d","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-15T15:59:46Z/"}],"url":"https://huntr.com/bounties/af929523-7b59-418a-bf55-301830b2ac9d"},{"reference_url":"https://github.com/huggingface/transformers/commit/ba8eaba9865618253f997784aa565b96206426f0","reference_id":"ba8eaba9865618253f997784aa565b96206426f0","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scor
ing_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-15T15:59:46Z/"}],"url":"https://github.com/huggingface/transformers/commit/ba8eaba9865618253f997784aa565b96206426f0"},{"reference_url":"https://github.com/advisories/GHSA-rcv9-qm8p-9p6j","reference_id":"GHSA-rcv9-qm8p-9p6j","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-rcv9-qm8p-9p6j"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/376569?format=json","purl":"pkg:pypi/transformers@4.53.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-wkqx-hf5c-8kae"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/transformers@4.53.0"}],"aliases":["CVE-2025-6051","GHSA-rcv9-qm8p-9p6j"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-35kz-esn2-1yf5"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/111230?format=json","vulnerability_id":"VCID-9766-62zk-zqcq","summary":"The huggingface/transformers library, versions prior to 4.53.0, is vulnerable to Regular Expression Denial of Service (ReDoS) in the AdamWeightDecay optimizer. The vulnerability arises from the _do_use_weight_decay method, which processes user-controlled regular expressions in the include_in_weight_decay and exclude_from_weight_decay lists. Malicious regular expressions can cause catastrophic backtracking during the re.search call, leading to 100% CPU utilization and a denial of service. 
This issue can be exploited by attackers who can control the patterns in these lists, potentially causing the machine learning task to hang and rendering services unresponsive.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-6921.json","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-6921.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-6921","reference_id":"","reference_type":"","scores":[{"value":"0.00038","scoring_system":"epss","scoring_elements":"0.11878","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00038","scoring_system":"epss","scoring_elements":"0.11795","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-6921"},{"reference_url":"https://github.com/huggingface/transformers","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/huggingface/transformers"},{"reference_url":"https://github.com/huggingface/transformers/commit/d37f7517972f67e3f2194c000ed0f87f064e5099","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/huggingface/transformers/commit/d37f7517972f67e3f2194c000ed0f87f064e5099"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-6921","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_
textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-6921"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2397617","reference_id":"2397617","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2397617"},{"reference_url":"https://huntr.com/bounties/287d15a7-6e7c-45d2-8c05-11e305776f1f","reference_id":"287d15a7-6e7c-45d2-8c05-11e305776f1f","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-09-23T14:56:14Z/"}],"url":"https://huntr.com/bounties/287d15a7-6e7c-45d2-8c05-11e305776f1f"},{"reference_url":"https://github.com/huggingface/transformers/commit/47c34fba5c303576560cb29767efb452ff12b8be","reference_id":"47c34fba5c303576560cb29767efb452ff12b8be","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-09-23T14:56:14Z/"}],"url":"https://github.com/huggingface/transformers/commit/47c34fba5c303576560cb29767efb452ff12b8be"},{"reference_url":"https://github.com/advisories/GHSA-4w7r-h757-3r74","reference_id":"GHSA-4w7r-h757-3r74","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-4w7r-h757-3r74"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/37656
9?format=json","purl":"pkg:pypi/transformers@4.53.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-wkqx-hf5c-8kae"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/transformers@4.53.0"}],"aliases":["CVE-2025-6921","GHSA-4w7r-h757-3r74"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-9766-62zk-zqcq"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/64815?format=json","vulnerability_id":"VCID-bp68-v13h-qufq","summary":"The huggingface/transformers library is vulnerable to arbitrary code execution through deserialization of untrusted data within the `load_repo_checkpoint()` function of the `TFPreTrainedModel()` class. Attackers can execute arbitrary code and commands by crafting a malicious serialized payload, exploiting the use of `pickle.load()` on data from potentially untrusted sources. This vulnerability allows for remote code execution (RCE) by deceiving victims into loading a seemingly harmless checkpoint during a normal training process, thereby enabling attackers to execute arbitrary code on the targeted 
machine.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-3568","reference_id":"","reference_type":"","scores":[{"value":"0.24427","scoring_system":"epss","scoring_elements":"0.96241","published_at":"2026-06-12T12:55:00Z"},{"value":"0.24427","scoring_system":"epss","scoring_elements":"0.9623","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-3568"},{"reference_url":"https://github.com/huggingface/transformers","reference_id":"","reference_type":"","scores":[{"value":"3.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:N/A:L"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/huggingface/transformers"},{"reference_url":"https://github.com/huggingface/transformers/commit/693667b8ac8138b83f8adb6522ddaf42fa07c125","reference_id":"693667b8ac8138b83f8adb6522ddaf42fa07c125","reference_type":"","scores":[{"value":"3.4","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:N/A:L"},{"value":"3.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:N/A:L"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-05-14T17:57:26Z/"}],"url":"https://github.com/huggingface/transformers/commit/693667b8ac8138b83f8adb6522ddaf42fa07c125"},{"reference_url":"https://huntr.com/bounties/b3c36992-5264-4d7f-9906-a996efafba8f","reference_id":"b3c36992-5264-4d7f-9906-a996efafba8f","reference_type":"","scores":[{"value":"3.4","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:N/A:L"},{"value":"3.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:N/A:L"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elem
ents":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-05-14T17:57:26Z/"}],"url":"https://huntr.com/bounties/b3c36992-5264-4d7f-9906-a996efafba8f"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-3568","reference_id":"CVE-2024-3568","reference_type":"","scores":[{"value":"3.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:N/A:L"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-3568"},{"reference_url":"https://github.com/advisories/GHSA-37q5-v5qm-c9v8","reference_id":"GHSA-37q5-v5qm-c9v8","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-37q5-v5qm-c9v8"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/30314?format=json","purl":"pkg:pypi/transformers@4.38.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-35kz-esn2-1yf5"},{"vulnerability":"VCID-9766-62zk-zqcq"},{"vulnerability":"VCID-c1ab-fktw-jud2"},{"vulnerability":"VCID-c4mh-fkqh-1qe1"},{"vulnerability":"VCID-dnej-1umy-qfh4"},{"vulnerability":"VCID-k7sr-ay64-syg9"},{"vulnerability":"VCID-mu2w-a71e-4bbd"},{"vulnerability":"VCID-pvb2-bzaz-w3bv"},{"vulnerability":"VCID-sfgy-7173-eyby"},{"vulnerability":"VCID-tzcs-6fp1-8yes"},{"vulnerability":"VCID-v4bk-nagm-8bcs"},{"vulnerability":"VCID-wkqx-hf5c-8kae"},{"vulnerability":"VCID-wqd9-k9zz-1ycz"},{"vulnerability":"VCID-ydcb-5t2c-1fen"},{"vulnerability":"VCID-ydge-4zba-3khn"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/transformers@4.38.0"}],"aliases":["CVE-2024-3568","GHSA-37q5-v5qm-c9v8"],"risk_score":1.6,"exploitability":"0.5","weighted_severity":"3.1","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-bp68-v13h-qufq"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/115988?format=json","vulnerability_id":"VCID-c1ab-fktw-jud2","summary":"A Regular 
Expression Denial of Service (ReDoS) vulnerability was identified in the huggingface/transformers library, specifically in the file `tokenization_gpt_neox_japanese.py` of the GPT-NeoX-Japanese model. The vulnerability occurs in the SubWordJapaneseTokenizer class, where regular expressions process specially crafted inputs. The issue stems from a regex exhibiting exponential complexity under certain conditions, leading to excessive backtracking. This can result in high CPU usage and potential application downtime, effectively creating a Denial of Service (DoS) scenario. The affected version is v4.48.1 (the latest release when the advisory was written).","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-1194","reference_id":"","reference_type":"","scores":[{"value":"0.00032","scoring_system":"epss","scoring_elements":"0.09691","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00032","scoring_system":"epss","scoring_elements":"0.09642","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-1194"},{"reference_url":"https://github.com/huggingface/transformers","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/huggingface/transformers"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-1194","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-1194"},{"reference_url":"https://huntr.com/bounties/86f58dcd-683f-4adc-a735-849f51e9abb2","reference_id":"86f58dcd-683f-4adc-a735-849f51e9abb2","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N
/UI:R/S:U/C:N/I:N/A:L"},{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-29T13:21:09Z/"}],"url":"https://huntr.com/bounties/86f58dcd-683f-4adc-a735-849f51e9abb2"},{"reference_url":"https://github.com/huggingface/transformers/commit/92c5ca9dd70de3ade2af2eb835c96215cc50e815","reference_id":"92c5ca9dd70de3ade2af2eb835c96215cc50e815","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L"},{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-29T13:21:09Z/"}],"url":"https://github.com/huggingface/transformers/commit/92c5ca9dd70de3ade2af2eb835c96215cc50e815"},{"reference_url":"https://github.com/advisories/GHSA-fpwr-67px-3qhx","reference_id":"GHSA-fpwr-67px-3qhx","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-fpwr-67px-3qhx"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/376298?format=json","purl":"pkg:pypi/transformers@4.50.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-35kz-esn2-1yf5"},{"vulnerability":"VCID-9766-62zk-zqcq"},{"vulnerability":"VCID-c4mh-fkqh-1qe1"},{"vulnerability":"VCID-dnej-1umy-qfh4"},{"vulnerability":"VCID-fja1-xm9v-uufp"},{"vulnerability":"VCID-pvb2-bzaz-w3bv"},{"vulnerability":"VCID-sfgy-7173-eyby"},{"vulnerability":"VCID-v4bk-nagm-8bcs"},{"vulnerability":"VCID-wkqx-hf5c-8kae"},{"vulnerability":"VCID-ydcb-5t2c-1fen"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/transformers@4.50.0"}],"alias
es":["CVE-2025-1194","GHSA-fpwr-67px-3qhx"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-c1ab-fktw-jud2"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/127682?format=json","vulnerability_id":"VCID-c4mh-fkqh-1qe1","summary":"A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically in the `get_imports()` function within `dynamic_module_utils.py`. This vulnerability affects version 4.49.0 and is fixed in version 4.51.0. The issue arises from a regular expression pattern `\\s*try\\s*:.*?except.*?:` used to filter out try/except blocks from Python code, which can be exploited to cause excessive CPU consumption through crafted input strings due to catastrophic backtracking. This vulnerability can lead to disruption of remote code loading, resource exhaustion in model serving, supply chain attack vectors, and development pipeline 
disruption.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-3264.json","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-3264.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-3264","reference_id":"","reference_type":"","scores":[{"value":"0.00096","scoring_system":"epss","scoring_elements":"0.26731","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00096","scoring_system":"epss","scoring_elements":"0.2653","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-3264"},{"reference_url":"https://github.com/huggingface/transformers","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/huggingface/transformers"},{"reference_url":"https://github.com/huggingface/transformers/commit/126abe3461762e5fc180e7e614391d1b4ab051ca","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/huggingface/transformers/commit/126abe3461762e5fc180e7e614391d1b4ab051ca"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-3264","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-3264"},{"reference_url":"https://github.com/huggingface/transformers/commit/0720e206
c6ba28887e4d60ef60a6a089f6c1cc76","reference_id":"0720e206c6ba28887e4d60ef60a6a089f6c1cc76","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-07-07T14:37:34Z/"}],"url":"https://github.com/huggingface/transformers/commit/0720e206c6ba28887e4d60ef60a6a089f6c1cc76"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2376768","reference_id":"2376768","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2376768"},{"reference_url":"https://huntr.com/bounties/3c6f7822-9992-476d-8cf0-b0b1623427df","reference_id":"3c6f7822-9992-476d-8cf0-b0b1623427df","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-07-07T14:37:34Z/"}],"url":"https://huntr.com/bounties/3c6f7822-9992-476d-8cf0-b0b1623427df"},{"reference_url":"https://github.com/advisories/GHSA-jjph-296x-mrcr","reference_id":"GHSA-jjph-296x-mrcr","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-jjph-296x-mrcr"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/378283?format=json","purl":"pkg:pypi/transformers@4.51.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-35kz-esn2-1yf5"},{"vulnerability":"VCID-9766-62zk-zqcq"},{"vulnerability":"VCID-pvb2-bzaz-w3bv"},{"vulnerabilit
y":"VCID-sfgy-7173-eyby"},{"vulnerability":"VCID-v4bk-nagm-8bcs"},{"vulnerability":"VCID-wkqx-hf5c-8kae"},{"vulnerability":"VCID-ydcb-5t2c-1fen"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/transformers@4.51.0"}],"aliases":["CVE-2025-3264","GHSA-jjph-296x-mrcr"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-c4mh-fkqh-1qe1"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/127079?format=json","vulnerability_id":"VCID-dnej-1umy-qfh4","summary":"A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically in the `get_configuration_file()` function within the `transformers.configuration_utils` module. The affected version is 4.49.0, and the issue is resolved in version 4.51.0. The vulnerability arises from the use of a regular expression pattern `config\\.(.*)\\.json` that can be exploited to cause excessive CPU consumption through crafted input strings, leading to catastrophic backtracking. 
This can result in model serving disruption, resource exhaustion, and increased latency in applications using the library.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-3263.json","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-3263.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-3263","reference_id":"","reference_type":"","scores":[{"value":"0.00096","scoring_system":"epss","scoring_elements":"0.26731","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00096","scoring_system":"epss","scoring_elements":"0.2653","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-3263"},{"reference_url":"https://github.com/huggingface/transformers","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/huggingface/transformers"},{"reference_url":"https://github.com/huggingface/transformers/commit/126abe3461762e5fc180e7e614391d1b4ab051ca","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/huggingface/transformers/commit/126abe3461762e5fc180e7e614391d1b4ab051ca"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-3263","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nis
t.gov/vuln/detail/CVE-2025-3263"},{"reference_url":"https://github.com/huggingface/transformers/commit/0720e206c6ba28887e4d60ef60a6a089f6c1cc76","reference_id":"0720e206c6ba28887e4d60ef60a6a089f6c1cc76","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-07-07T14:49:04Z/"}],"url":"https://github.com/huggingface/transformers/commit/0720e206c6ba28887e4d60ef60a6a089f6c1cc76"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2376773","reference_id":"2376773","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2376773"},{"reference_url":"https://huntr.com/bounties/c7a69150-54f8-4e81-8094-791e7a2a0f29","reference_id":"c7a69150-54f8-4e81-8094-791e7a2a0f29","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-07-07T14:49:04Z/"}],"url":"https://huntr.com/bounties/c7a69150-54f8-4e81-8094-791e7a2a0f29"},{"reference_url":"https://github.com/advisories/GHSA-q2wp-rjmx-x6x9","reference_id":"GHSA-q2wp-rjmx-x6x9","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-q2wp-rjmx-x6x9"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/378283?format=json","purl":"pkg:pypi/transformers@4.51.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-
35kz-esn2-1yf5"},{"vulnerability":"VCID-9766-62zk-zqcq"},{"vulnerability":"VCID-pvb2-bzaz-w3bv"},{"vulnerability":"VCID-sfgy-7173-eyby"},{"vulnerability":"VCID-v4bk-nagm-8bcs"},{"vulnerability":"VCID-wkqx-hf5c-8kae"},{"vulnerability":"VCID-ydcb-5t2c-1fen"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/transformers@4.51.0"}],"aliases":["CVE-2025-3263","GHSA-q2wp-rjmx-x6x9"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-dnej-1umy-qfh4"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/60123?format=json","vulnerability_id":"VCID-k7sr-ay64-syg9","summary":"Hugging Face Transformers MobileViTV2 Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the handling of configuration files. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current user. 
Was ZDI-CAN-24322.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-11392.json","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-11392.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-11392","reference_id":"","reference_type":"","scores":[{"value":"0.5929","scoring_system":"epss","scoring_elements":"0.98277","published_at":"2026-06-11T12:55:00Z"},{"value":"0.5929","scoring_system":"epss","scoring_elements":"0.98283","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-11392"},{"reference_url":"https://github.com/advisories/GHSA-qxrp-vhvm-j765","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}],"url":"https://github.com/advisories/GHSA-qxrp-vhvm-j765"},{"reference_url":"https://github.com/huggingface/transformers","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/huggingface/transformers"},{"reference_url":"https://github.com/huggingface/transformers/issues/34840","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/huggingface/transformers/issues/34840"},{"reference_url":"https://github.com/huggingface/transformers/pull/35296","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U
/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/huggingface/transformers/pull/35296"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/transformers/PYSEC-2024-227.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/transformers/PYSEC-2024-227.yaml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-11392","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-11392"},{"reference_url":"https://www.zerodayinitiative.com/advisories/ZDI-24-1513","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.zerodayinitiative.com/advisories/ZDI-24-1513"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2328351","reference_id":"2328351","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2328351"},{"reference_url":"https://drive.google.com/file/d/14bnNaCRmFOQvPHUR9zQwdbjMmzKE2pZl/view?usp=drive_link","reference_id":"CVE-2024-11392","reference_type":"exploit","scores":[],"url":"https://drive.google.com/file/d/14bnNaCRmFOQvPHUR9zQwdbjMmzKE2pZl/view?usp=drive_link"},{"reference_url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/python/remote/52227.txt","reference_id":"CVE-2024-11392","reference_type":"exploit","scores":[],"url":"https://gitlab.com/expl
oit-database/exploitdb/-/blob/main/exploits/python/remote/52227.txt"},{"reference_url":"https://www.zerodayinitiative.com/advisories/ZDI-24-1513/","reference_id":"ZDI-24-1513","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-11-26T16:33:03Z/"}],"url":"https://www.zerodayinitiative.com/advisories/ZDI-24-1513/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/86521?format=json","purl":"pkg:pypi/transformers@4.48.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-35kz-esn2-1yf5"},{"vulnerability":"VCID-9766-62zk-zqcq"},{"vulnerability":"VCID-c1ab-fktw-jud2"},{"vulnerability":"VCID-c4mh-fkqh-1qe1"},{"vulnerability":"VCID-dnej-1umy-qfh4"},{"vulnerability":"VCID-pvb2-bzaz-w3bv"},{"vulnerability":"VCID-sfgy-7173-eyby"},{"vulnerability":"VCID-v4bk-nagm-8bcs"},{"vulnerability":"VCID-wkqx-hf5c-8kae"},{"vulnerability":"VCID-ydcb-5t2c-1fen"},{"vulnerability":"VCID-ydge-4zba-3khn"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/transformers@4.48.0"}],"aliases":["CVE-2024-11392","GHSA-qxrp-vhvm-j765","PYSEC-2024-227"],"risk_score":10.0,"exploitability":"2.0","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-k7sr-ay64-syg9"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/59904?format=json","vulnerability_id":"VCID-mu2w-a71e-4bbd","summary":"Hugging Face Transformers Trax Model Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. 
User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the handling of model files. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-25012.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-11394.json","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-11394.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-11394","reference_id":"","reference_type":"","scores":[{"value":"0.65048","scoring_system":"epss","scoring_elements":"0.985","published_at":"2026-06-11T12:55:00Z"},{"value":"0.65048","scoring_system":"epss","scoring_elements":"0.98505","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-11394"},{"reference_url":"https://github.com/advisories/GHSA-hxxf-235m-72v3","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}],"url":"https://github.com/advisories/GHSA-hxxf-235m-72v3"},{"reference_url":"https://github.com/huggingface/transformers","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/huggingface/transformers"},{"reference_url":"https://github.com/huggingface/transformers/issues/34840","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","s
coring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/huggingface/transformers/issues/34840"},{"reference_url":"https://github.com/huggingface/transformers/pull/35296","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/huggingface/transformers/pull/35296"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/transformers/PYSEC-2024-229.yaml","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/transformers/PYSEC-2024-229.yaml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-11394","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-11394"},{"reference_url":"https://www.zerodayinitiative.com/advisories/ZDI-24-1515","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.zerodayinitiative.com/advisories/ZDI-24-1515"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2328333","reference_id":"2328333","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2328333"},{"reference_url":"https://www.zerodayinitiative.com/advisor
ies/ZDI-24-1515/","reference_id":"ZDI-24-1515","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-11-26T15:15:03Z/"}],"url":"https://www.zerodayinitiative.com/advisories/ZDI-24-1515/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/86521?format=json","purl":"pkg:pypi/transformers@4.48.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-35kz-esn2-1yf5"},{"vulnerability":"VCID-9766-62zk-zqcq"},{"vulnerability":"VCID-c1ab-fktw-jud2"},{"vulnerability":"VCID-c4mh-fkqh-1qe1"},{"vulnerability":"VCID-dnej-1umy-qfh4"},{"vulnerability":"VCID-pvb2-bzaz-w3bv"},{"vulnerability":"VCID-sfgy-7173-eyby"},{"vulnerability":"VCID-v4bk-nagm-8bcs"},{"vulnerability":"VCID-wkqx-hf5c-8kae"},{"vulnerability":"VCID-ydcb-5t2c-1fen"},{"vulnerability":"VCID-ydge-4zba-3khn"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/transformers@4.48.0"}],"aliases":["CVE-2024-11394","GHSA-hxxf-235m-72v3","PYSEC-2024-229"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-mu2w-a71e-4bbd"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/111194?format=json","vulnerability_id":"VCID-pvb2-bzaz-w3bv","summary":"A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically affecting the MarianTokenizer's `remove_language_code()` method. This vulnerability is present in version 4.52.4 and has been fixed in version 4.53.0. 
The issue arises from inefficient regex processing, which can be exploited by crafted input strings containing malformed language code patterns, leading to excessive CPU consumption and potential denial of service.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-6638.json","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-6638.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-6638","reference_id":"","reference_type":"","scores":[{"value":"0.00032","scoring_system":"epss","scoring_elements":"0.09922","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00032","scoring_system":"epss","scoring_elements":"0.09874","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-6638"},{"reference_url":"https://github.com/huggingface/transformers","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/huggingface/transformers"},{"reference_url":"https://github.com/huggingface/transformers/commit/d37f7517972f67e3f2194c000ed0f87f064e5099","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/huggingface/transformers/commit/d37f7517972f67e3f2194c000ed0f87f064e5099"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-6638","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value"
:"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-6638"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2394799","reference_id":"2394799","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2394799"},{"reference_url":"https://github.com/huggingface/transformers/commit/47c34fba5c303576560cb29767efb452ff12b8be","reference_id":"47c34fba5c303576560cb29767efb452ff12b8be","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-09-12T11:52:42Z/"}],"url":"https://github.com/huggingface/transformers/commit/47c34fba5c303576560cb29767efb452ff12b8be"},{"reference_url":"https://huntr.com/bounties/6a6c933f-9ce8-4ded-8b3b-2c1444c61f36","reference_id":"6a6c933f-9ce8-4ded-8b3b-2c1444c61f36","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-09-12T11:52:42Z/"}],"url":"https://huntr.com/bounties/6a6c933f-9ce8-4ded-8b3b-2c1444c61f36"},{"reference_url":"https://github.com/advisories/GHSA-59p9-h35m-wg4g","reference_id":"GHSA-59p9-h35m-wg4g","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-59p9-h35m-wg4g"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/376569?format=json","purl":"pkg:pypi/tra
nsformers@4.53.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-wkqx-hf5c-8kae"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/transformers@4.53.0"}],"aliases":["CVE-2025-6638","GHSA-59p9-h35m-wg4g"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-pvb2-bzaz-w3bv"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/127408?format=json","vulnerability_id":"VCID-sfgy-7173-eyby","summary":"Hugging Face Transformers versions up to 4.49.0 are affected by an improper input validation vulnerability in the `image_utils.py` file. The vulnerability arises from insecure URL validation using the `startswith()` method, which can be bypassed through URL username injection. This allows attackers to craft URLs that appear to be from YouTube but resolve to malicious domains, potentially leading to phishing attacks, malware distribution, or data exfiltration. The issue is fixed in version 
4.52.1.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-3777.json","reference_id":"","reference_type":"","scores":[{"value":"3.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-3777.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-3777","reference_id":"","reference_type":"","scores":[{"value":"0.00055","scoring_system":"epss","scoring_elements":"0.17627","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00055","scoring_system":"epss","scoring_elements":"0.17787","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-3777"},{"reference_url":"https://github.com/huggingface/transformers","reference_id":"","reference_type":"","scores":[{"value":"3.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/huggingface/transformers"},{"reference_url":"https://github.com/huggingface/transformers/blame/a7d2bbaaa8aac64f7c1ee8c1421cfe84b38359a4/src/transformers/image_utils.py","reference_id":"","reference_type":"","scores":[{"value":"3.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/huggingface/transformers/blame/a7d2bbaaa8aac64f7c1ee8c1421cfe84b38359a4/src/transformers/image_utils.py"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-3777","reference_id":"","reference_type":"","scores":[{"value":"3.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-3777"},{"reference_url":"https://bugzill
a.redhat.com/show_bug.cgi?id=2376775","reference_id":"2376775","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2376775"},{"reference_url":"https://github.com/huggingface/transformers/commit/4dda5f71b35fb70cf602187eef84bb17a50b9082","reference_id":"4dda5f71b35fb70cf602187eef84bb17a50b9082","reference_type":"","scores":[{"value":"3.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N"},{"value":"3.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-07-07T12:24:47Z/"}],"url":"https://github.com/huggingface/transformers/commit/4dda5f71b35fb70cf602187eef84bb17a50b9082"},{"reference_url":"https://huntr.com/bounties/ccba0730-9248-4853-b7ff-5c20e6364f09","reference_id":"ccba0730-9248-4853-b7ff-5c20e6364f09","reference_type":"","scores":[{"value":"3.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N"},{"value":"3.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-07-07T12:24:47Z/"}],"url":"https://huntr.com/bounties/ccba0730-9248-4853-b7ff-5c20e6364f09"},{"reference_url":"https://github.com/advisories/GHSA-phhr-52qp-3mj4","reference_id":"GHSA-phhr-52qp-3mj4","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-phhr-52qp-3mj4"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/378299?format=json","purl":"pkg:pypi/transformers@4.52.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-35kz-esn2-1yf5"},{"vulnerability":"VCID-9766-62zk-zqcq"},{"vulnerability":"VC
ID-pvb2-bzaz-w3bv"},{"vulnerability":"VCID-v4bk-nagm-8bcs"},{"vulnerability":"VCID-wkqx-hf5c-8kae"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/transformers@4.52.1"}],"aliases":["CVE-2025-3777","GHSA-phhr-52qp-3mj4"],"risk_score":1.6,"exploitability":"0.5","weighted_severity":"3.1","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-sfgy-7173-eyby"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/59898?format=json","vulnerability_id":"VCID-tzcs-6fp1-8yes","summary":"Hugging Face Transformers MaskFormer Model Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the parsing of model files. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current user. 
Was ZDI-CAN-25191.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-11393.json","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-11393.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-11393","reference_id":"","reference_type":"","scores":[{"value":"0.79534","scoring_system":"epss","scoring_elements":"0.99108","published_at":"2026-06-11T12:55:00Z"},{"value":"0.79534","scoring_system":"epss","scoring_elements":"0.99112","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-11393"},{"reference_url":"https://github.com/advisories/GHSA-wrfc-pvp9-mr9g","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}],"url":"https://github.com/advisories/GHSA-wrfc-pvp9-mr9g"},{"reference_url":"https://github.com/huggingface/transformers","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/huggingface/transformers"},{"reference_url":"https://github.com/huggingface/transformers/issues/34840","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/huggingface/transformers/issues/34840"},{"reference_url":"https://github.com/huggingface/transformers/pull/35296","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S
:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/huggingface/transformers/pull/35296"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/transformers/PYSEC-2024-228.yaml","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/transformers/PYSEC-2024-228.yaml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-11393","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-11393"},{"reference_url":"https://www.zerodayinitiative.com/advisories/ZDI-24-1514","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.zerodayinitiative.com/advisories/ZDI-24-1514"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2328394","reference_id":"2328394","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2328394"},{"reference_url":"https://www.zerodayinitiative.com/advisories/ZDI-24-1514/","reference_id":"ZDI-24-1514","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-11-26T15:15:05Z/"}],"url"
:"https://www.zerodayinitiative.com/advisories/ZDI-24-1514/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/86521?format=json","purl":"pkg:pypi/transformers@4.48.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-35kz-esn2-1yf5"},{"vulnerability":"VCID-9766-62zk-zqcq"},{"vulnerability":"VCID-c1ab-fktw-jud2"},{"vulnerability":"VCID-c4mh-fkqh-1qe1"},{"vulnerability":"VCID-dnej-1umy-qfh4"},{"vulnerability":"VCID-pvb2-bzaz-w3bv"},{"vulnerability":"VCID-sfgy-7173-eyby"},{"vulnerability":"VCID-v4bk-nagm-8bcs"},{"vulnerability":"VCID-wkqx-hf5c-8kae"},{"vulnerability":"VCID-ydcb-5t2c-1fen"},{"vulnerability":"VCID-ydge-4zba-3khn"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/transformers@4.48.0"}],"aliases":["CVE-2024-11393","GHSA-wrfc-pvp9-mr9g","PYSEC-2024-228"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-tzcs-6fp1-8yes"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/99109?format=json","vulnerability_id":"VCID-v4bk-nagm-8bcs","summary":"A Regular Expression Denial of Service (ReDoS) vulnerability exists in the Hugging Face Transformers library, specifically in the `convert_tf_weight_name_to_pt_weight_name()` function. This function, responsible for converting TensorFlow weight names to PyTorch format, uses a regex pattern `/[^/]*___([^/]*)/` that can be exploited to cause excessive CPU consumption through crafted input strings due to catastrophic backtracking. The vulnerability affects versions up to 4.51.3 and is fixed in version 4.53.0. 
This issue can lead to service disruption, resource exhaustion, and potential API service vulnerabilities, impacting model conversion processes between TensorFlow and PyTorch formats.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-5197.json","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-5197.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-5197","reference_id":"","reference_type":"","scores":[{"value":"0.00096","scoring_system":"epss","scoring_elements":"0.26731","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00096","scoring_system":"epss","scoring_elements":"0.2653","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-5197"},{"reference_url":"https://github.com/huggingface/transformers","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/huggingface/transformers"},{"reference_url":"https://github.com/huggingface/transformers/commit/701caef704e356dc2f9331cc3fd5df0eccb4720a","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/huggingface/transformers/commit/701caef704e356dc2f9331cc3fd5df0eccb4720a"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-5197","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"ge
neric_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-5197"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2386842","reference_id":"2386842","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2386842"},{"reference_url":"https://huntr.com/bounties/3f8b3fd0-166b-46e7-b60f-60dd9d2678bf","reference_id":"3f8b3fd0-166b-46e7-b60f-60dd9d2678bf","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-08-06T13:02:53Z/"}],"url":"https://huntr.com/bounties/3f8b3fd0-166b-46e7-b60f-60dd9d2678bf"},{"reference_url":"https://github.com/huggingface/transformers/commit/944b56000be5e9b61af8301aa340838770ad8a0b","reference_id":"944b56000be5e9b61af8301aa340838770ad8a0b","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-08-06T13:02:53Z/"}],"url":"https://github.com/huggingface/transformers/commit/944b56000be5e9b61af8301aa340838770ad8a0b"},{"reference_url":"https://github.com/advisories/GHSA-9356-575x-2w9m","reference_id":"GHSA-9356-575x-2w9m","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-9356-575x-2w9m"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/376569?format=json","purl":"pkg:pypi/transformers@4.53.0","is_vulnerable
":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-wkqx-hf5c-8kae"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/transformers@4.53.0"}],"aliases":["CVE-2025-5197","GHSA-9356-575x-2w9m"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-v4bk-nagm-8bcs"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/218372?format=json","vulnerability_id":"VCID-v72p-1gy4-syck","summary":"Deserialization of Untrusted Data in GitHub repository huggingface/transformers prior to 4.36.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-6730","reference_id":"","reference_type":"","scores":[{"value":"0.00161","scoring_system":"epss","scoring_elements":"0.37","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00161","scoring_system":"epss","scoring_elements":"0.36823","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-6730"},{"reference_url":"https://github.com/advisories/GHSA-3863-2447-669p","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-3863-2447-669p"},{"reference_url":"https://github.com/huggingface/transformers","reference_id":"","reference_type":"","scores":[{"value":"9.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/huggingface/transformers"},{"reference_url":"https://github.com/huggingface/transformers/commit/1d63b0ec361e7a38f1339385e8a5a855085532ce","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},
{"value":"9.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/huggingface/transformers/commit/1d63b0ec361e7a38f1339385e8a5a855085532ce"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/transformers/PYSEC-2023-300.yaml","reference_id":"","reference_type":"","scores":[{"value":"9.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/transformers/PYSEC-2023-300.yaml"},{"reference_url":"https://huntr.com/bounties/423611ee-7a2a-442a-babb-3ed2f8385c16","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://huntr.com/bounties/423611ee-7a2a-442a-babb-3ed2f8385c16"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-6730","reference_id":"","reference_type":"","scores":[{"value":"9.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-6730"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/81302?format=json","purl":"pkg:pypi/transformers@4.36.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-35kz-esn2-1yf5"},{"vulnerability":"VCID-9766-62zk-zqcq"},{"vulnerability":"VCID-bp68-v13h-qufq"},{"vulnerability":"VCID-c1ab-fktw-jud2"},{"vulnerability":"VCID-c4mh-fkqh-1qe1"},{"vulnerability":"V
CID-dnej-1umy-qfh4"},{"vulnerability":"VCID-k7sr-ay64-syg9"},{"vulnerability":"VCID-mu2w-a71e-4bbd"},{"vulnerability":"VCID-pvb2-bzaz-w3bv"},{"vulnerability":"VCID-sfgy-7173-eyby"},{"vulnerability":"VCID-tzcs-6fp1-8yes"},{"vulnerability":"VCID-v4bk-nagm-8bcs"},{"vulnerability":"VCID-wkqx-hf5c-8kae"},{"vulnerability":"VCID-wqd9-k9zz-1ycz"},{"vulnerability":"VCID-ydcb-5t2c-1fen"},{"vulnerability":"VCID-ydge-4zba-3khn"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/transformers@4.36.0"}],"aliases":["CVE-2023-6730","GHSA-3863-2447-669p","PYSEC-2023-300"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-v72p-1gy4-syck"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/78354?format=json","vulnerability_id":"VCID-wkqx-hf5c-8kae","summary":"A vulnerability in the HuggingFace Transformers library, specifically in the `Trainer` class, allows for arbitrary code execution. The `_load_rng_state()` method in `src/transformers/trainer.py` at line 3059 calls `torch.load()` without the `weights_only=True` parameter. This issue affects all versions of the library supporting `torch>=2.2` when used with PyTorch versions below 2.6, as the `safe_globals()` context manager provides no protection in these versions. An attacker can exploit this vulnerability by supplying a malicious checkpoint file, such as `rng_state.pth`, which can execute arbitrary code when loaded. 
The issue is resolved in version v5.0.0rc3.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-1839.json","reference_id":"","reference_type":"","scores":[{"value":"6.7","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-1839.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-1839","reference_id":"","reference_type":"","scores":[{"value":"0.00023","scoring_system":"epss","scoring_elements":"0.06727","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00023","scoring_system":"epss","scoring_elements":"0.06747","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-1839"},{"reference_url":"https://github.com/huggingface/transformers","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/huggingface/transformers"},{"reference_url":"https://github.com/huggingface/transformers/releases/tag/v5.0.0rc3","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/huggingface/transformers/releases/tag/v5.0.0rc3"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-1839","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-1839"},{"reference_url":"https://github.com/huggingface/transformers/commit/03c8082ba4594c9b8d6fe190c
a9bed0e5f8ca396","reference_id":"03c8082ba4594c9b8d6fe190ca9bed0e5f8ca396","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:H"},{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-07T13:27:38Z/"}],"url":"https://github.com/huggingface/transformers/commit/03c8082ba4594c9b8d6fe190ca9bed0e5f8ca396"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2455854","reference_id":"2455854","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2455854"},{"reference_url":"https://huntr.com/bounties/3c77bb97-e493-493d-9a88-c57f5c536485","reference_id":"3c77bb97-e493-493d-9a88-c57f5c536485","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:H"},{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-07T13:27:38Z/"}],"url":"https://huntr.com/bounties/3c77bb97-e493-493d-9a88-c57f5c536485"},{"reference_url":"https://github.com/advisories/GHSA-69w3-r845-3855","reference_id":"GHSA-69w3-r845-3855","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-69w3-r845-3855"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/374227?format=json","purl":"pkg:pypi/transformers@5.0.0rc3","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/tran
sformers@5.0.0rc3"}],"aliases":["CVE-2026-1839","GHSA-69w3-r845-3855"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-wkqx-hf5c-8kae"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/36509?format=json","vulnerability_id":"VCID-wqd9-k9zz-1ycz","summary":"A Regular Expression Denial of Service (ReDoS) vulnerability was identified in the huggingface/transformers library, specifically in the file tokenization_nougat_fast.py. The vulnerability occurs in the post_process_single() function, where a regular expression processes specially crafted input. The issue stems from the regex exhibiting exponential time complexity under certain conditions, leading to excessive backtracking. This can result in significantly high CPU usage and potential application downtime, effectively creating a Denial of Service (DoS) scenario. The affected version is v4.46.3 (latest).","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-12720","reference_id":"","reference_type":"","scores":[{"value":"0.00228","scoring_system":"epss","scoring_elements":"0.45853","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00228","scoring_system":"epss","scoring_elements":"0.45706","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-12720"},{"reference_url":"https://github.com/huggingface/transformers","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/huggingface/transformers"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-12720","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_syst
em":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-12720"},{"reference_url":"https://huntr.com/bounties/4bed1214-7835-4252-a853-22bbad891f98","reference_id":"4bed1214-7835-4252-a853-22bbad891f98","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-20T13:25:17Z/"}],"url":"https://huntr.com/bounties/4bed1214-7835-4252-a853-22bbad891f98"},{"reference_url":"https://github.com/huggingface/transformers/commit/deac971c469bcbb182c2e52da0b82fb3bf54cccf","reference_id":"deac971c469bcbb182c2e52da0b82fb3bf54cccf","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-20T13:25:17Z/"}],"url":"https://github.com/huggingface/transformers/commit/deac971c469bcbb182c2e52da0b82fb3bf54cccf"},{"reference_url":"https://github.com/advisories/GHSA-6rvg-6v2m-4j46","reference_id":"GHSA-6rvg-6v2m-4j46","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-6rvg-6v2m-4j46"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/86521?format=json","purl":"pkg:pypi/transformers@4.48.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-35kz-esn2-1yf5"},{"vulnerability":"VCID-9766-62zk-zqcq"},{"vulnerability":"VCID-c1ab-fktw-jud2"},{"vulnerability":"VCID-c
4mh-fkqh-1qe1"},{"vulnerability":"VCID-dnej-1umy-qfh4"},{"vulnerability":"VCID-pvb2-bzaz-w3bv"},{"vulnerability":"VCID-sfgy-7173-eyby"},{"vulnerability":"VCID-v4bk-nagm-8bcs"},{"vulnerability":"VCID-wkqx-hf5c-8kae"},{"vulnerability":"VCID-ydcb-5t2c-1fen"},{"vulnerability":"VCID-ydge-4zba-3khn"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/transformers@4.48.0"}],"aliases":["CVE-2024-12720","GHSA-6rvg-6v2m-4j46"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-wqd9-k9zz-1ycz"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/218373?format=json","vulnerability_id":"VCID-x9b5-phfp-67ac","summary":"Deserialization of Untrusted Data in GitHub repository huggingface/transformers prior to 4.36.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-7018","reference_id":"","reference_type":"","scores":[{"value":"0.00203","scoring_system":"epss","scoring_elements":"0.42352","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00203","scoring_system":"epss","scoring_elements":"0.42515","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-7018"},{"reference_url":"https://github.com/advisories/GHSA-v68g-wm8c-6x7j","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-v68g-wm8c-6x7j"},{"reference_url":"https://github.com/huggingface/transformers","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/huggingface/transformers"},{"reference_url":"https://github.com/huggingface/transf
ormers/commit/1d63b0ec361e7a38f1339385e8a5a855085532ce","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/huggingface/transformers/commit/1d63b0ec361e7a38f1339385e8a5a855085532ce"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/transformers/PYSEC-2023-301.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/transformers/PYSEC-2023-301.yaml"},{"reference_url":"https://huntr.com/bounties/e1a3e548-e53a-48df-b708-9ee62140963c","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://huntr.com/bounties/e1a3e548-e53a-48df-b708-9ee62140963c"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-7018","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-7018"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/81302?format=json","purl":"pkg:pypi/transformers@4.36.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-35kz-esn2-1yf5"},{"vulnerability":"VCID-9766-62zk-zqcq"},{"vulnerability":"VCID-bp68-v13h-qufq"},{"vulnerability":"VCID-c1ab-fktw-jud2"},{"vulnerability":"VCID-c4mh-fkqh-1qe1"},{"vulnerability":"VCID-dnej-1umy-qfh4"},{
"vulnerability":"VCID-k7sr-ay64-syg9"},{"vulnerability":"VCID-mu2w-a71e-4bbd"},{"vulnerability":"VCID-pvb2-bzaz-w3bv"},{"vulnerability":"VCID-sfgy-7173-eyby"},{"vulnerability":"VCID-tzcs-6fp1-8yes"},{"vulnerability":"VCID-v4bk-nagm-8bcs"},{"vulnerability":"VCID-wkqx-hf5c-8kae"},{"vulnerability":"VCID-wqd9-k9zz-1ycz"},{"vulnerability":"VCID-ydcb-5t2c-1fen"},{"vulnerability":"VCID-ydge-4zba-3khn"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/transformers@4.36.0"}],"aliases":["CVE-2023-7018","GHSA-v68g-wm8c-6x7j","PYSEC-2023-301"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-x9b5-phfp-67ac"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/127690?format=json","vulnerability_id":"VCID-ydcb-5t2c-1fen","summary":"A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically within the DonutProcessor class's `token2json()` method. This vulnerability affects versions 4.50.3 and earlier, and is fixed in version 4.52.1. The issue arises from the regex pattern `<s_(.*?)>` which can be exploited to cause excessive CPU consumption through crafted input strings due to catastrophic backtracking. 
This vulnerability can lead to service disruption, resource exhaustion, and potential API service vulnerabilities, impacting document processing tasks using the Donut model.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-3933.json","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-3933.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-3933","reference_id":"","reference_type":"","scores":[{"value":"0.00088","scoring_system":"epss","scoring_elements":"0.25441","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00088","scoring_system":"epss","scoring_elements":"0.25244","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-3933"},{"reference_url":"https://github.com/huggingface/transformers","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/huggingface/transformers"},{"reference_url":"https://github.com/huggingface/transformers/pull/37788","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/huggingface/transformers/pull/37788"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-3933","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-
2025-3933"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2379517","reference_id":"2379517","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2379517"},{"reference_url":"https://huntr.com/bounties/25282953-5827-4384-bb6f-5790d275721b","reference_id":"25282953-5827-4384-bb6f-5790d275721b","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-07-11T14:34:20Z/"}],"url":"https://huntr.com/bounties/25282953-5827-4384-bb6f-5790d275721b"},{"reference_url":"https://github.com/huggingface/transformers/commit/ebbe9b12dd75b69f92100d684c47f923ee262a93","reference_id":"ebbe9b12dd75b69f92100d684c47f923ee262a93","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-07-11T14:34:20Z/"}],"url":"https://github.com/huggingface/transformers/commit/ebbe9b12dd75b69f92100d684c47f923ee262a93"},{"reference_url":"https://github.com/advisories/GHSA-37mw-44qp-f5jm","reference_id":"GHSA-37mw-44qp-f5jm","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-37mw-44qp-f5jm"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/378299?format=json","purl":"pkg:pypi/transformers@4.52.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-35kz-esn2-1yf5"},{"vul
nerability":"VCID-9766-62zk-zqcq"},{"vulnerability":"VCID-pvb2-bzaz-w3bv"},{"vulnerability":"VCID-v4bk-nagm-8bcs"},{"vulnerability":"VCID-wkqx-hf5c-8kae"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/transformers@4.52.1"}],"aliases":["CVE-2025-3933","GHSA-37mw-44qp-f5jm"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ydcb-5t2c-1fen"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/126250?format=json","vulnerability_id":"VCID-ydge-4zba-3khn","summary":"A vulnerability in the `preprocess_string()` function of the `transformers.testing_utils` module in huggingface/transformers version v4.48.3 allows for a Regular Expression Denial of Service (ReDoS) attack. The regular expression used to process code blocks in docstrings contains nested quantifiers, leading to exponential backtracking when processing input with a large number of newline characters. An attacker can exploit this by providing a specially crafted payload, causing high CPU usage and potential application downtime, effectively resulting in a Denial of Service (DoS) 
scenario.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-2099.json","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-2099.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-2099","reference_id":"","reference_type":"","scores":[{"value":"0.00092","scoring_system":"epss","scoring_elements":"0.26011","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00092","scoring_system":"epss","scoring_elements":"0.25811","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-2099"},{"reference_url":"https://github.com/advisories/GHSA-qq3j-4f4f-9583","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://github.com/advisories/GHSA-qq3j-4f4f-9583"},{"reference_url":"https://github.com/huggingface/transformers","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/huggingface/transformers"},{"reference_url":"https://github.com/huggingface/transformers/pull/36648","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/huggingface/transformers/pull/36648"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/transformers/PYSEC-2025-40.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS
:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/transformers/PYSEC-2025-40.yaml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-2099","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-2099"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2367239","reference_id":"2367239","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2367239"},{"reference_url":"https://github.com/huggingface/transformers/commit/8cb522b4190bd556ce51be04942720650b1a3e57","reference_id":"8cb522b4190bd556ce51be04942720650b1a3e57","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-19T13:38:03Z/"}],"url":"https://github.com/huggingface/transformers/commit/8cb522b4190bd556ce51be04942720650b1a3e57"},{"reference_url":"https://huntr.com/bounties/97b780f3-ffca-424f-ad5d-0e1c57a5bde4","reference_id":"97b780f3-ffca-424f-ad5d-0e1c57a5bde4","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"7.5","sco
ring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-19T13:38:03Z/"}],"url":"https://huntr.com/bounties/97b780f3-ffca-424f-ad5d-0e1c57a5bde4"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:12791","reference_id":"RHSA-2025:12791","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:12791"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/87673?format=json","purl":"pkg:pypi/transformers@4.49.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-35kz-esn2-1yf5"},{"vulnerability":"VCID-9766-62zk-zqcq"},{"vulnerability":"VCID-c1ab-fktw-jud2"},{"vulnerability":"VCID-c4mh-fkqh-1qe1"},{"vulnerability":"VCID-dnej-1umy-qfh4"},{"vulnerability":"VCID-fja1-xm9v-uufp"},{"vulnerability":"VCID-pvb2-bzaz-w3bv"},{"vulnerability":"VCID-sfgy-7173-eyby"},{"vulnerability":"VCID-v4bk-nagm-8bcs"},{"vulnerability":"VCID-wkqx-hf5c-8kae"},{"vulnerability":"VCID-ydcb-5t2c-1fen"},{"vulnerability":"VCID-ydge-4zba-3khn"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/transformers@4.49.0"},{"url":"http://public2.vulnerablecode.io/api/packages/376298?format=json","purl":"pkg:pypi/transformers@4.50.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-35kz-esn2-1yf5"},{"vulnerability":"VCID-9766-62zk-zqcq"},{"vulnerability":"VCID-c4mh-fkqh-1qe1"},{"vulnerability":"VCID-dnej-1umy-qfh4"},{"vulnerability":"VCID-fja1-xm9v-uufp"},{"vulnerability":"VCID-pvb2-bzaz-w3bv"},{"vulnerability":"VCID-sfgy-7173-eyby"},{"vulnerability":"VCID-v4bk-nagm-8bcs"},{"vulnerability":"VCID-wkqx-hf5c-8kae"},{"vulnerability":"VCID-ydcb-5t2c-1fen"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/transformers@4.50.0"}],"aliases":["CVE-2025-2099","GHSA-qq3j-4
f4f-9583","PYSEC-2025-40"],"risk_score":3.4,"exploitability":"0.5","weighted_severity":"6.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ydge-4zba-3khn"}],"fixing_vulnerabilities":[],"risk_score":"10.0","resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/transformers@2.2.0"}