VDB

CVE-2025-14927

CVE-2025-14927 PUBLISHED CVSS 7.8 HIGH

Reported by zdi · Published December 23, 2025

Hugging Face Transformers SEW-D convert_config Code Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the target must convert a malicious checkpoint. The specific flaw exists within the convert_config function. The issue results from the lack of proper validation of a user-supplied string before using it to execute Python code. An attacker can leverage this vulnerability to execute code in the context of the current user. . Was ZDI-CAN-28252.

Risk Scores

CVSS 3.0
7.8
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected Products

VendorProductVersions
Hugging FaceTransformers4.57.0
Hugging FaceTransformers4.57.0, 4.57.0

Timeline

  • Dec 18, 2025 CVE Published
  • Dec 24, 2025 EPSS Score
  • Dec 28, 2025 EPSS Score
  • Dec 31, 2025 EPSS Score
  • Jan 4, 2026 EPSS Score
  • Jan 8, 2026 EPSS Score
  • Jan 11, 2026 EPSS Score
  • Jan 15, 2026 EPSS Score
  • Jan 19, 2026 EPSS Score
  • Jan 23, 2026 EPSS Score
  • Jan 26, 2026 EPSS Score
  • Jan 30, 2026 EPSS Score

References

Open in Interactive Console →
$ Console Community · 100/wk Open console ›