CNNVD-202510-3063 Information
CNNVD ID
CNNVD-202510-3063
Related CVE
- CNNVD Published: 2025-10-22
Description (Chinese)
Hugging Face Transformers is Hugging Face's open-source, state-of-the-art natural language processing for Jax, PyTorch and TensorFlow. Hugging Face Transformers version 1.20.0 has a security vulnerability: the search_item_ctrl_f function concatenates user input directly into an XPath expression, which may lead to an XPath injection attack.
Description (English)
Hugging Face Transformers is Hugging Face's open-source, state-of-the-art natural language processing for Jax, PyTorch and TensorFlow. Hugging Face Transformers version 1.20.0 has a security vulnerability: the search_item_ctrl_f function concatenates user input directly into an XPath expression, which may result in an XPath injection attack.
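The pattern this record describes, user input spliced into an XPath expression, is shown below beside the usual hardening, as an added example that is not code from smolagents, Transformers or the page itself. The `vulnerable_query` and `hardened_query` builders are hypothetical stand-ins for a ctrl-f style page search (the real `search_item_ctrl_f` implementation is not on the page); `xpath_string_literal` is the standard XPath 1.0 quoting helper, and `structure_preserved` is a detection-style check that strips string literals and compares the remaining shape of the query against what the code intended. No XPath engine is needed, since the point is the shape of the expression, not its evaluation.

```python
import re

# Added example (not smolagents' or Transformers' code): a vulnerable
# "concatenate the search term into XPath" builder, its hardened twin, and a
# structural check that tells the two apart on a crafted input.


def vulnerable_query(needle: str) -> str:
    """Vulnerable pattern: a single quote in `needle` ends the literal early,
    so the rest of the input is parsed as XPath syntax."""
    return f"//*[contains(text(), '{needle}')]"


def xpath_string_literal(value: str) -> str:
    """Render any Python string as an XPath 1.0 string literal.

    XPath 1.0 has no escape sequences, so a value holding both quote kinds
    must be assembled with concat(). Whatever the input, it stays inside a
    literal and cannot alter the structure of the expression."""
    if "'" not in value:
        return f"'{value}'"
    if '"' not in value:
        return f'"{value}"'
    parts = value.split("'")
    pieces = []
    for i, part in enumerate(parts):
        if part:
            pieces.append(f"'{part}'")
        if i < len(parts) - 1:
            pieces.append("\"'\"")  # the single quote itself, double-quoted
    return "concat(" + ", ".join(pieces) + ")"


def hardened_query(needle: str) -> str:
    """Hardened pattern: the needle is always passed as a proper literal."""
    return f"//*[contains(text(), {xpath_string_literal(needle)})]"


def skeleton(expr: str) -> str:
    """Drop every quoted literal from an XPath expression, leaving only its
    syntactic shape. Two queries with the same skeleton differ only in data."""
    out, i = [], 0
    while i < len(expr):
        ch = expr[i]
        if ch in "'\"":
            end = expr.find(ch, i + 1)
            i = len(expr) if end == -1 else end + 1
            continue
        out.append(ch)
        i += 1
    return "".join(out)


# The only shapes the builders are meant to produce: a single string literal,
# or a concat() of literals, as the argument of contains().
_SAFE_SHAPE = re.compile(r"//\*\[contains\(text\(\), (concat\((, )*\))?\)\]")


def structure_preserved(query: str) -> bool:
    """Detection-style check: did user data stay inside string literals, so
    that the query still has the shape the code intended?"""
    return _SAFE_SHAPE.fullmatch(skeleton(query)) is not None


if __name__ == "__main__":
    # Constructed inputs: a benign search term and a textbook break-out string.
    for needle in ["privacy policy", "') or ('1'='1"]:
        for name, build in [("vulnerable", vulnerable_query), ("hardened", hardened_query)]:
            q = build(needle)
            print(f"{name:10} intact={structure_preserved(q)!s:5} {q}")
```

With the benign term both builders yield the same shape; with the crafted input the vulnerable builder's skeleton becomes `//*[contains(text(), ) or (=)]`, while the hardened builder keeps the whole term inside one literal. Where an XPath library is available, passing the term as an XPath variable (lxml's `$name` parameters, for example) is equivalent to the quoting shown here and preferable to building strings at all.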
Hazard Level
High
Vulnerability Type
Other
Affected Vendor
Hugging Face
Published
2025-10-22
Last Modified
2026-02-24
References
https://github.com/huggingface/smolagents/commit/f570ed5e17999d4cf7d5e79c2830fbaefab8a794
https://huntr.com/bounties/01ab4405-9bca-4b26-b7a3-5ca1863a69b4
https://access.redhat.com/security/cve/cve-2025-11844
Patch
https://github.com/huggingface/smolagents/releases