Deserialization of Untrusted Data in huggingface/transformers
CVE-2023-7018

9.6CRITICAL

Key Information:

Vendor: huggingface
Status: huggingface/transformers
Vendor: CVE Published:; 20 December 2023

🔔 Create huggingface Vulnerability Alert

What is CVE-2023-7018?

A security issue exists in the Hugging Face Transformers library where untrusted data can be deserialized, potentially leading to adverse impacts on application security. This vulnerability could be exploited to manipulate data and execute unauthorized actions, emphasizing the importance of using updated versions to mitigate risks.

Affected Version(s)

huggingface/transformers < 4.36

References

https://huntr.com/bounties/e1a3e548-e53a-48df-b708-9ee621...

https://github.com/huggingface/transformers/commit/1d63b0...

CVSS V3.1

Score:

9.6

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 20, 2023
Vulnerability Reserved
Dec 20, 2023

CVE-2023-7018 Data

JSON