Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-14926

CVE-2025-14926: Huggingface Transformers RCE Vulnerability

CVE-2025-14926 is a code injection RCE flaw in Huggingface Transformers affecting the convert_config function. Attackers can execute arbitrary code when users convert malicious checkpoints. This article covers technical details, affected versions, impact, and mitigation strategies.

Published:

CVE-2025-14926 Overview

CVE-2025-14926 is a code injection vulnerability in Hugging Face Transformers affecting the SEW model's convert_config function. The flaw allows attackers to execute arbitrary Python code when a user converts a malicious checkpoint. The vulnerability stems from improper validation of a user-supplied string before passing it to Python code execution. The Zero Day Initiative tracked this issue as ZDI-CAN-28251 and published advisory ZDI-25-1147. The vulnerability is classified under [CWE-94] (Improper Control of Generation of Code).

Critical Impact

Attackers can achieve arbitrary code execution in the context of the user converting a malicious SEW checkpoint, leading to full compromise of the local environment, including ML training pipelines and credentials.

Affected Products

  • Hugging Face Transformers 4.57.0
  • SEW model conversion utilities within the transformers library
  • Python environments processing untrusted model checkpoints

Discovery Timeline

  • 2025-12-23 - CVE-2025-14926 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-14926

Vulnerability Analysis

The vulnerability resides in the convert_config function used during SEW (Squeezed and Efficient Wav2Vec) checkpoint conversion in Hugging Face Transformers. The function accepts a string value from a checkpoint configuration and passes it to a Python code execution routine without sanitization. When a user converts a checkpoint sourced from an untrusted location, the embedded payload executes within the Python interpreter. The result is arbitrary code execution with the privileges of the user running the conversion process.

Machine learning workflows frequently load community-published checkpoints, expanding the practical attack surface. A poisoned checkpoint distributed through a model hub, repository, or shared storage triggers the vulnerability the moment a victim runs the conversion utility. Compromised hosts often contain API tokens, cloud credentials, and proprietary model weights, making this a high-value target.

Root Cause

The root cause is unsafe handling of attacker-controlled input by a function that uses Python's dynamic evaluation capabilities. The convert_config routine treats fields inside a checkpoint as trusted strings and passes them to code execution primitives without parsing, allowlisting, or input validation. This pattern matches the [CWE-94] classification for improper control of code generation.

Attack Vector

Exploitation requires local access and user interaction. The attacker crafts a malicious SEW checkpoint containing a payload in the configuration field consumed by convert_config. The attacker then distributes the checkpoint through a model repository, email attachment, or any channel the victim trusts. When the victim runs the SEW conversion script against the checkpoint, the embedded payload runs as Python code under the victim's account.

No verified public proof-of-concept exists at the time of writing. Technical details are documented in the Zero Day Initiative Advisory ZDI-25-1147.

Detection Methods for CVE-2025-14926

Indicators of Compromise

  • Unexpected child processes spawned by Python interpreters running transformers conversion scripts, particularly shells, network utilities, or credential access tools.
  • SEW checkpoint files originating from unverified sources or repositories without provenance metadata.
  • Outbound network connections initiated during or immediately after checkpoint conversion activity.

Detection Strategies

  • Monitor process trees for python processes invoking transformers SEW conversion utilities that subsequently spawn unrelated executables.
  • Inspect checkpoint configuration fields for embedded code constructs such as eval, exec, __import__, os.system, or subprocess references before conversion.
  • Apply file integrity monitoring to ML model directories and alert on the introduction of untrusted checkpoint files.

Monitoring Recommendations

  • Log all invocations of transformers conversion scripts on developer and training hosts and forward to a centralized log store for review.
  • Correlate checkpoint download activity with subsequent process execution to identify suspicious conversion-to-execution sequences.
  • Alert on Python interpreters writing to sensitive locations such as ~/.ssh, ~/.aws, or shell startup files following model loading operations.

How to Mitigate CVE-2025-14926

Immediate Actions Required

  • Identify all hosts running Hugging Face Transformers 4.57.0 and avoid running SEW checkpoint conversions against untrusted artifacts until a fixed release is applied.
  • Restrict checkpoint sources to internally vetted repositories with cryptographic signature verification.
  • Run conversion utilities inside isolated, network-restricted containers or sandboxes that lack access to production credentials.

Patch Information

Review the Zero Day Initiative Advisory ZDI-25-1147 and the Hugging Face Transformers project release notes for a fixed version. Upgrade transformers to the patched release once published and rebuild ML pipeline container images to embed the fixed version.

Workarounds

  • Do not load or convert SEW checkpoints from untrusted publishers or community model hubs without prior inspection.
  • Statically inspect checkpoint configuration content for code execution primitives before invoking convert_config.
  • Execute checkpoint conversions under a dedicated, low-privilege service account with no access to secrets, source code repositories, or production data.
bash
# Example: run checkpoint conversion in an isolated, network-disabled container
docker run --rm \
  --network=none \
  --read-only \
  --user 65534:65534 \
  -v "$(pwd)/untrusted_ckpt:/data:ro" \
  transformers-sandbox:patched \
  python -m transformers.models.sew.convert_sew_original_pytorch_checkpoint_to_pytorch \
    --checkpoint_path /data/model.pt

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.