Deserialization of Untrusted Data in huggingface/transformers
CVE-2023-6730

9CRITICAL

Key Information:

Vendor: huggingface
Status: huggingface/transformers
Vendor: CVE Published:; 19 December 2023

🔔 Create huggingface Vulnerability Alert

What is CVE-2023-6730?

A vulnerability exists in the Hugging Face Transformers library that allows for deserialization of untrusted data. This can potentially allow an attacker to execute arbitrary code or manipulate application behavior when maliciously crafted data is processed. Developers using versions prior to 4.36 should review their implementation to safeguard against this risk, ensuring improved data validation methodologies.

Affected Version(s)

huggingface/transformers < 4.36

References

https://huntr.com/bounties/423611ee-7a2a-442a-babb-3ed2f8...

https://github.com/huggingface/transformers/commit/1d63b0...

CVSS V3.1

Score:

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 19, 2023
Vulnerability Reserved
Dec 12, 2023

CVE-2023-6730 Data

JSON