Improper Input Validation in Hugging Face Transformers Affects Multiple Versions
CVE-2025-3777

3.5 LOW

Key Information:

Vendor
CVE Published:
7 July 2025

What is CVE-2025-3777?

The Hugging Face Transformers library, specifically versions up to 4.49.0, contains an improper input validation vulnerability in the image_utils.py file. The flaw is caused by insecure URL validation that relies on the startswith() method, which can be bypassed through URL username injection. This allows an attacker to craft deceptive URLs that appear to point to YouTube but actually direct users to a malicious site. Such vulnerabilities can lead to serious security risks, including phishing attacks, malware distribution, and potential data exfiltration. The issue has been resolved in version 4.52.1.
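As an added illustration (not code from the Transformers project or from this advisory), the prefix-style check described above is shown beside a hostname-based check that parses the URL before deciding. The exact strings Transformers compared against and the allowed-host set are assumptions made for this example.

```python
# Added example (not the Transformers project's code): a string-prefix URL
# check of the kind the advisory describes, beside a parse-then-compare check.
from urllib.parse import urlsplit

# Hosts the loader is meant to accept; assumed for this example.
ALLOWED_HOSTS = {"www.youtube.com", "youtube.com", "youtu.be"}
ALLOWED_SCHEMES = {"http", "https"}


def is_youtube_url_weak(url: str) -> bool:
    """Prefix check in the style the advisory describes (assumed strings).

    It compares text only, so any URL whose *string* begins with the
    YouTube origin passes, including one whose real host is elsewhere
    because everything before '@' in the authority is userinfo, not host.
    """
    return (url.startswith("https://www.youtube.com")
            or url.startswith("http://www.youtube.com"))


def is_youtube_url_hardened(url: str) -> bool:
    """Parse the URL and compare the host a client would actually connect to."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme not in ALLOWED_SCHEMES:
        return False
    # .hostname is lowercased with userinfo and port removed.
    host = parts.hostname
    if not host or parts.username is not None or parts.password is not None:
        # A video URL never needs credentials; reject any userinfo outright.
        return False
    return host in ALLOWED_HOSTS


def compare(url: str) -> tuple[bool, bool, str]:
    """Return (weak_verdict, hardened_verdict, real_host) for one URL."""
    return (is_youtube_url_weak(url),
            is_youtube_url_hardened(url),
            urlsplit(url).hostname or "")


# Constructed inputs: a genuine-looking watch URL and a lookalike whose
# authority carries the YouTube origin as userinfo before a different host.
SAMPLES = {
    "genuine": "https://www.youtube.com/watch?v=VIDEO_ID",
    "userinfo lookalike": "https://www.youtube.com@not-youtube.example/watch?v=x",
}

if __name__ == "__main__":
    for label, url in SAMPLES.items():
        print(f"{label}: weak={compare(url)[0]} hardened={compare(url)[1]} host={compare(url)[2]}")
```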

Affected Version(s)

huggingface/transformers < 4.52.1

CVSS V3.0

Score: 3.5
Severity: LOW
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
