Remote Code Execution Risk in Hugging Face Transformers
CVE-2025-14929

7.8HIGH

Key Information:

Vendor: Hugging Face
Status: Transformers
Vendor: CVE Published:; 23 December 2025

🔔 Create Hugging Face Vulnerability Alert

What is CVE-2025-14929?

The vulnerability in Hugging Face Transformers involves the remote execution of arbitrary code due to improper validation of user-supplied data during checkpoint parsing. Attackers can exploit this flaw by enticing users to visit malicious webpages or open compromised files, leading to the deserialization of untrusted data. This allows code to run with the privileges of the current process, potentially compromising the integrity of the affected installation.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

Transformers d1c6310d6a02481d48d81607cba7840be04580d1

References

https://www.zerodayinitiative.com/advisories/ZDI-25-1144/

x_research-advisory

CVSS V3.0

Score:

7.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
Dec 23, 2025
Vulnerability Reserved
Dec 18, 2025

JSON

Hugging Face

What is CVE-2025-14929?

Human OS v1.0: Ageing Is an Unpatched Zero-Day Vulnerability.

Affected Version(s)

References

CVSS V3.0

Timeline

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.