CVE-2025-14921
Hugging Face Transformers Transformer-XL Model Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of model files. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-25424.
EPSS 0.48% · 65.3th percentile
Risk Scores
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| huggingface | transformers | 4.54.1, 4.54.1 |
| Hugging Face | Transformers | 9c8bd3fc1befe54f3efb9f385561eef49f060a70, * |
Exploit Intelligence
- CIRCL seen: CVE-2025-14921 (circl-sighting)
- CIRCL seen: CVE-2025-14921 (circl-sighting)
- ZDI-25-1149 (circl)
- Weaponized CVE-2025-14921 in Nuclei (community-snort)
Timeline
- Dec 18, 2025 PoC Published
- Dec 18, 2025 CVE Published
- Dec 23, 2025 PoC Published
- Dec 24, 2025 EPSS Score
- Dec 28, 2025 EPSS Score
- Dec 31, 2025 EPSS Score
- Jan 4, 2026 EPSS Score
- Jan 8, 2026 EPSS Score
- Jan 11, 2026 EPSS Score
- Jan 15, 2026 EPSS Score
- Jan 19, 2026 EPSS Score
- Jan 19, 2026 Nuclei Template