CVE-2025-14926
Code Injection vulnerability in transformers (PyPI)


What is CVE-2025-14926 About?

Hugging Face Transformers SEW `convert_config` is vulnerable to remote code execution via code injection. This flaw allows remote attackers to execute arbitrary code by supplying a malicious checkpoint. User interaction is required for exploitation as the target must convert the malicious checkpoint, making exploitation moderately complex.

Affected Software

N/A

Technical Details

The vulnerability is a Code Injection flaw found within the convert_config function of Hugging Face Transformers SEW. The root cause is the lack of proper validation of a user-supplied string before it is used to execute Python code. An attacker can craft a malicious checkpoint file containing injected code within this string. When a target user attempts to convert this malicious checkpoint, the convert_config function will execute the attacker's supplied code in the context of the current user. This mechanism allows arbitrary Python code execution, leading to full compromise of the user's environment. The vulnerability ID ZDI-CAN-28251 was previously assigned to this issue.
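The pattern the advisory describes, a configuration string taken from a checkpoint and handed to the Python interpreter, is illustrated below with an added example that is not code from the Transformers project or from the advisory. It assumes, for illustration only, that the string is a layer specification written as Python list arithmetic (the shape of the string and the use of eval() are assumptions, not facts from the page). The unsafe parser shows the bug class; the hardened parser walks the AST against an allow-list of node types so that nothing in the string is ever executed, and bounds repeat counts to avoid memory blow-up.

```python
import ast
import operator

# Constructed sample input: the kind of layer-spec string a checkpoint config
# might carry. Format is an assumption for this example, not from the advisory.
SAFE_SPEC = "[(512, 10, 5)] + [(512, 3, 2)] * 4 + [(512, 2, 2)] * 2"

MAX_SPEC_LEN = 4096   # reject absurdly long specs before parsing
MAX_REPEAT = 256      # cap on `[...] * n` so a spec cannot allocate huge lists


def parse_layers_unsafe(spec: str):
    """Vulnerable pattern (assumed): eval() runs whatever Python the string contains."""
    return eval(spec)


_BINOPS = {ast.Add: operator.add, ast.Mult: operator.mul}


def _eval_node(node):
    """Evaluate only the node types a layer spec legitimately needs."""
    if isinstance(node, ast.Expression):
        return _eval_node(node.body)
    if isinstance(node, ast.Constant):
        # bool is a subclass of int; keep it out along with str/float/None.
        if isinstance(node.value, int) and not isinstance(node.value, bool):
            return node.value
        raise ValueError(f"disallowed constant in layer spec: {node.value!r}")
    if isinstance(node, ast.Tuple):
        return tuple(_eval_node(e) for e in node.elts)
    if isinstance(node, ast.List):
        return [_eval_node(e) for e in node.elts]
    if isinstance(node, ast.BinOp) and type(node.op) in _BINOPS:
        left, right = _eval_node(node.left), _eval_node(node.right)
        if isinstance(node.op, ast.Mult):
            for operand in (left, right):
                if isinstance(operand, int) and operand > MAX_REPEAT:
                    raise ValueError("repeat count too large in layer spec")
        return _BINOPS[type(node.op)](left, right)
    # Names, calls, attributes, subscripts, lambdas, comprehensions ... all land here.
    raise ValueError(f"disallowed syntax in layer spec: {type(node).__name__}")


def parse_layers_safe(spec: str):
    """Hardened parser: parse to an AST, walk an allow-list, validate the shape."""
    if not isinstance(spec, str) or len(spec) > MAX_SPEC_LEN:
        raise ValueError("layer spec must be a short string")
    try:
        layers = _eval_node(ast.parse(spec, mode="eval"))
    except (SyntaxError, TypeError, RecursionError) as exc:
        raise ValueError(f"invalid layer spec: {exc}") from exc
    if not isinstance(layers, list) or not all(
        isinstance(layer, tuple)
        and len(layer) == 3
        and all(isinstance(v, int) and v > 0 for v in layer)
        for layer in layers
    ):
        raise ValueError("layer spec must be a list of (dim, kernel, stride) triples")
    return layers


def rejects(spec: str) -> bool:
    """True if the hardened parser refuses the spec (used to check the allow-list)."""
    try:
        parse_layers_safe(spec)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(parse_layers_safe(SAFE_SPEC))
    print(rejects("[(512, 10, 5)] + list()"))   # a call: refused
```

The same approach applies to any loader that turns checkpoint metadata into Python values: parse into a tree, accept only the node types the format needs, and validate the resulting shape before use. ast.literal_eval is the standard shortcut when the value contains no arithmetic; it is not used here because the assumed format relies on list concatenation and repetition.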

What is the Impact of CVE-2025-14926?

Successful exploitation may allow attackers to execute arbitrary code on affected installations, leading to complete compromise of the system or data theft.

What is the Exploitability of CVE-2025-14926?

Exploitation of this vulnerability requires user interaction: the target must explicitly convert a malicious checkpoint. This implies that social engineering or other client-side attack techniques would be necessary to deliver the malicious checkpoint and convince the user to perform the conversion. No specific authentication or privilege requirements are detailed beyond the user performing the checkpoint conversion. The attack is remote, as the checkpoint can be delivered from a remote source. The complexity is moderate due to the user interaction requirement and the need to craft a functional malicious checkpoint. The primary risk factor is the user's susceptibility to opening and converting untrusted files.

What are the Known Public Exploits?

No known public exploits are listed (no PoC, author, link, or commentary entries).

What are the Available Fixes for CVE-2025-14926?

Available Upgrade Options

  • No fixes available


Additional Resources

What are Similar Vulnerabilities to CVE-2025-14926?

Similar Vulnerabilities: CVE-2023-28155, CVE-2023-28154, CVE-2022-24754, CVE-2021-27291, CVE-2020-8012