VDB

CVE-2025-14924

CVE-2025-14924 PUBLISHED CVSS 7.8 HIGH

Reported by zdi · Published December 23, 2025

Hugging Face Transformers megatron_gpt2 Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of checkpoints. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-27984.

Risk Scores

CVSS v3.0
7.8
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected Products

VendorProductVersions
Hugging FaceTransformers95faabf0a6cd845f4c5548697e288a79e424b096
Hugging FaceTransformers*, *

Timeline

  • Dec 18, 2025 CVE Published
  • Dec 24, 2025 EPSS Score
  • Dec 28, 2025 EPSS Score
  • Dec 31, 2025 EPSS Score
  • Jan 4, 2026 EPSS Score
  • Jan 8, 2026 EPSS Score
  • Jan 11, 2026 EPSS Score
  • Jan 15, 2026 EPSS Score
  • Jan 19, 2026 EPSS Score
  • Jan 22, 2026 EPSS Score
  • Jan 26, 2026 EPSS Score
  • Jan 30, 2026 EPSS Score

References

Open in Interactive Console →
$ Console Community · 100/wk Open console ›