CVE-2025-14924 Overview
CVE-2025-14924 is a deserialization of untrusted data vulnerability [CWE-502] in Hugging Face Transformers. The flaw exists within the parsing of megatron_gpt2 checkpoints. Attackers can leverage this issue to execute arbitrary code in the context of the current process. Exploitation requires user interaction: the target must open a malicious file or visit a malicious page that delivers a crafted checkpoint.
The vulnerability was disclosed through Trend Micro's Zero Day Initiative as ZDI-CAN-27984 and published as advisory ZDI-25-1141. Hugging Face Transformers version 4.55.0 is identified in the affected product configuration.
Critical Impact
A crafted Megatron GPT-2 checkpoint loaded by a developer or data scientist can execute arbitrary code on the local machine, compromising machine learning workstations and CI/CD pipelines.
Affected Products
- Hugging Face Transformers 4.55.0
- Python environments importing transformers for Megatron GPT-2 checkpoint conversion
- Machine learning pipelines that ingest third-party model checkpoints
Discovery Timeline
- 2025-12-23 - CVE-2025-14924 published to the National Vulnerability Database
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-14924
Vulnerability Analysis
The vulnerability resides in the Megatron GPT-2 checkpoint parsing logic within the Hugging Face Transformers library. The code path that loads megatron_gpt2 checkpoints deserializes attacker-controlled data without validating its contents. Python's standard serialization formats reconstruct arbitrary objects during loading, which gives an attacker a primitive for code execution.
A successful attack runs code with the privileges of the user invoking the conversion or loading routine. In typical workflows that user holds full access to source code, model artifacts, cached credentials, and cloud tokens. The attack vector is local and requires user interaction, but the impact covers confidentiality, integrity, and availability of the host.
Root Cause
The root cause is improper validation of serialized checkpoint data before reconstruction [CWE-502]. The Megatron GPT-2 loader trusts the structure of the supplied file and reconstructs Python objects from it. When the serialized stream contains gadgets such as reducer callables, the deserializer invokes them, executing attacker-chosen functions during checkpoint load.
Attack Vector
An attacker prepares a malicious megatron_gpt2 checkpoint and publishes it on a model hub, file-sharing service, or phishing landing page. A developer downloads the file and loads it through the Transformers conversion or loading utility. Deserialization triggers attacker code in the Python interpreter without additional prompts. The exploit succeeds entirely on the local host once the file is opened.
No verified proof-of-concept code is published. Technical context is available in the Zero Day Initiative Advisory ZDI-25-1141.
Detection Methods for CVE-2025-14924
Indicators of Compromise
- Unexpected child processes spawned by python interpreters loading transformers modules, particularly shells, curl, wget, or powershell.
- Outbound network connections initiated immediately after a checkpoint file is opened in a Jupyter notebook or ML training script.
- Modified or newly created files in user home directories or virtual environment site-packages following a checkpoint load.
- Megatron GPT-2 checkpoint files sourced from untrusted hubs, mirrors, or email attachments.
Detection Strategies
- Hunt for Python processes that load transformers.models.megatron_gpt2 and then execute non-Python binaries within the same process tree.
- Inspect endpoint telemetry for pickle.load, torch.load, or custom unpickler invocations against files outside curated model registries.
- Correlate file-write events on .bin, .pt, or .ckpt artifacts with subsequent code execution or persistence activity.
Monitoring Recommendations
- Log all checkpoint downloads from external sources and record the SHA-256 of each file consumed by training and inference jobs.
- Apply application allowlisting on ML workstations so the Python interpreter cannot launch arbitrary child binaries.
- Forward EDR telemetry from data science endpoints to a central analytics platform and alert on anomalous interpreter child processes.
How to Mitigate CVE-2025-14924
Immediate Actions Required
- Upgrade Hugging Face Transformers to the latest fixed release as published by the maintainers and tracked in the ZDI-25-1141 advisory.
- Block the use of megatron_gpt2 checkpoints originating from sources outside an internal, signed model registry.
- Audit recent model downloads on shared workstations and CI runners for unknown checkpoint files.
Patch Information
Hugging Face Transformers version 4.55.0 is listed as affected. Consult the Zero Day Initiative Advisory ZDI-25-1141 and the Transformers project release notes for the patched version and apply the upgrade across all developer workstations, training nodes, and inference services.
Workarounds
- Avoid loading megatron_gpt2 checkpoints from untrusted sources until the upgrade is deployed.
- Run model conversion and loading inside ephemeral containers or sandboxes with no network egress and no persistent credentials.
- Use safetensors-format weights where available, since the format does not execute code during deserialization.
- Enforce code review on any script that calls Megatron GPT-2 conversion utilities, and pin Transformers to a patched version in requirements.txt or pyproject.toml.
# Pin Transformers to a patched version once available
pip install --upgrade "transformers>4.55.0"
# Verify installed version
python -c "import transformers; print(transformers.__version__)"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

