Remote Code Execution Risk in Hugging Face Transformers
CVE-2025-14929

7.8HIGH

Key Information:

Vendor: Hugging Face
Status: Transformers
Vendor: CVE Published:; 23 December 2025

🔔 Create Hugging Face Vulnerability Alert

What is CVE-2025-14929?

The vulnerability in Hugging Face Transformers involves the remote execution of arbitrary code due to improper validation of user-supplied data during checkpoint parsing. Attackers can exploit this flaw by enticing users to visit malicious webpages or open compromised files, leading to the deserialization of untrusted data. This allows code to run with the privileges of the current process, potentially compromising the integrity of the affected installation.

Affected Version(s)

Transformers d1c6310d6a02481d48d81607cba7840be04580d1

References

https://www.zerodayinitiative.com/advisories/ZDI-25-1144/

x_research-advisory

CVSS V3.0

Score:

7.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 23, 2025
Vulnerability Reserved
Dec 18, 2025

CVE-2025-14929 Data

JSON