Improper Input Validation in Hugging Face Transformers Affects Multiple Versions
CVE-2025-3777
What is CVE-2025-3777?
The Hugging Face Transformers library, specifically versions up to 4.49.0, contains an improper input validation vulnerability in the image_utils.py file. The flaw stems from URL validation that relies on a startswith() prefix check, which can be bypassed through URL username injection. This allows an attacker to craft deceptive URLs that appear to point to YouTube but ultimately redirect users to a malicious site. Such a weakness can lead to serious security consequences, including phishing, malware distribution, and potential data exfiltration. The issue has been resolved in version 4.52.1.
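To make the described bypass concrete, the following is an added Python illustration (not the library's own code) of a startswith()-style prefix check placed beside a parser-based check that compares the actual hostname; the sample URLs are constructed, and `evil.example` is a placeholder host.

```python
from urllib.parse import urlsplit

# Hosts the check is meant to accept (illustrative allow-list, not the library's).
ALLOWED_HOSTS = {"www.youtube.com", "youtube.com"}


def is_youtube_url_insecure(url: str) -> bool:
    """Prefix check of the kind the advisory describes.

    It only looks at the leading characters of the string, so anything that
    *starts* with the expected host passes, regardless of where the real
    host actually sits in the URL.
    """
    return url.startswith("https://www.youtube.com") or url.startswith(
        "http://www.youtube.com"
    )


def is_youtube_url_hardened(url: str) -> bool:
    """Parse the URL and compare the real hostname against an allow-list.

    urlsplit() separates the userinfo (user:password@) from the host, so a
    username that merely looks like the expected host no longer matters.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    # A userinfo component has no legitimate use here; treat it as a red flag.
    if parts.username is not None or parts.password is not None:
        return False
    # .hostname is lowercased and has userinfo and port stripped.
    return parts.hostname in ALLOWED_HOSTS


def compare(url: str) -> tuple:
    """Return (insecure_verdict, hardened_verdict) for one URL."""
    return is_youtube_url_insecure(url), is_youtube_url_hardened(url)


if __name__ == "__main__":
    # Constructed samples: a genuine URL, a username-injection variant whose
    # real host is evil.example, and a look-alike subdomain on evil.example.
    for u in (
        "https://www.youtube.com/watch?v=dQw4w9WgXcQ",
        "https://www.youtube.com@evil.example/landing",
        "https://www.youtube.com.evil.example/landing",
    ):
        print(u, compare(u))
```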

Affected Version(s)
huggingface/transformers < 4.52.1
News Articles
CVE-2025-3777 | huggingface transformers up to 4.52.0 URL Validation image_utils.py startswith information disclosure
A vulnerability was found in huggingface transformers up to 4.52.0. It has been declared as problematic. Affected by this vulnerability is the function startswith of the file image_utils.py of the…
Timeline
- First article discovered by Yanac.hu
- Vulnerability published
- Vulnerability Reserved
