CNNVD-202512-4101 Information
CNNVD ID
CNNVD-202512-4101
Related CVE
- CNNVD Published: 2025-12-23
Description (Chinese)
Hugging Face Transformers是Hugging Face开源的一个用于定义最先进机器学习模型的框架,涵盖文本、视觉、音频和多模态模型,可用于推理和训练。 Hugging Face Transformers存在代码注入漏洞,该漏洞源于SEW-D中convert_config函数在使用用户提供的字符串执行Python代码前缺乏验证,可能导致代码注入和远程代码执行。
Description (English)
Hugging Face Transformers is a framework for defining the state-of-the-art machine learning model that covers text, visual, audio and multi-modular models that can be used for reasoning and training. There is a code-injecting loophole in Hugging Face Transformers, which stems from the lack of authentication in the SEW-D convert config function before the Python code is executed using a string provided by the user, which may lead to code-injection and remote code execution.
Hazard Level
Medium
Vulnerability Type
代码注入
Affected Vendor
Hugging Face
Published
2025-12-23
Last Modified
2026-02-24
References
https://www.zerodayinitiative.com/advisories/ZDI-25-1148/
Share on: