VDB
CVE-2025-14922
CVE-2025-14922
PUBLISHED
CVSS 7.8 HIGH
Reported by zdi · Published December 23, 2025
Hugging Face Diffusers CogView4 Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Diffusers. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of checkpoints. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-27424.
Risk Scores
CVSS 3.0
7.8
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Hugging Face | Diffusers | 22a452a526660363b57216cd011ce75345382d02 |
| Hugging Face | Diffusers | 22a452a526660363b57216cd011ce75345382d02, 22a452a526660363b57216cd011ce75345382d02 |
Exploit Intelligence
- test_suggest_impact.py (github-poc)
- test_suggest_impact.py (github-poc)
- test_suggest_impact.py (github-poc)
- test_suggest_impact.py (github-poc)
Timeline
- Dec 18, 2025 CVE Published
- Dec 24, 2025 EPSS Score
- Dec 28, 2025 EPSS Score
- Dec 31, 2025 EPSS Score
- Jan 4, 2026 EPSS Score
- Jan 8, 2026 EPSS Score
- Jan 11, 2026 EPSS Score
- Jan 15, 2026 EPSS Score
- Jan 19, 2026 EPSS Score
- Jan 23, 2026 EPSS Score
- Jan 26, 2026 EPSS Score
- Jan 30, 2026 EPSS Score
References
- ZDI-25-1142 x_research-advisory