CVE-2025-14928 Overview
CVE-2025-14928 is a code injection vulnerability in Hugging Face Transformers affecting the HuBERT convert_config function. The flaw allows attackers to execute arbitrary Python code when a user converts a malicious model checkpoint. The vulnerability stems from insufficient validation of a user-supplied string that is passed to a Python code execution path [CWE-94]. Exploitation requires user interaction, specifically the conversion of an attacker-controlled checkpoint file. Successful exploitation grants code execution in the context of the current user, impacting confidentiality, integrity, and availability. The issue was reported through the Zero Day Initiative as ZDI-CAN-28253.
Critical Impact
Attackers who trick users into converting malicious HuBERT checkpoints can execute arbitrary code with the privileges of the user running Hugging Face Transformers, potentially compromising ML pipelines and workstations.
Affected Products
- Hugging Face Transformers 4.57.0
- Python environments importing the HuBERT conversion utilities
- ML pipelines that process untrusted model checkpoints
Discovery Timeline
- 2025-12-23 - CVE-2025-14928 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-14928
Vulnerability Analysis
The vulnerability resides in the convert_config function used during HuBERT checkpoint conversion within Hugging Face Transformers. The function accepts a string from a model checkpoint and uses it in a Python code execution context without adequate validation or sanitization. An attacker who crafts a malicious checkpoint can embed a payload that is executed when a victim runs the conversion routine. This falls under Improper Control of Generation of Code [CWE-94].
The attack surface is local because the payload must be delivered through a checkpoint file that the user chooses to convert. However, checkpoint files are routinely shared through model hubs, forums, and collaboration platforms, which broadens the practical reach of the flaw. The EPSS score is approximately 0.28%, reflecting no observed in-the-wild exploitation to date.
Root Cause
The root cause is unsafe handling of a user-supplied string during configuration conversion. The code path constructs or evaluates Python expressions using untrusted input from the checkpoint. Any string embedded in an attacker-controlled checkpoint is treated as executable code rather than data. There is no allowlist, syntax restriction, or sandboxing around the evaluation step.
Attack Vector
Exploitation requires an attacker to publish or share a malicious HuBERT checkpoint. The victim downloads the checkpoint and invokes the conversion utility that calls convert_config. The embedded payload executes with the victim's privileges. See the Zero Day Initiative Advisory ZDI-25-1146 for additional technical detail.
// No verified public proof-of-concept code is available at this time.
// The vulnerability is triggered when convert_config processes an
// attacker-controlled string field from a malicious HuBERT checkpoint,
// which is then executed as Python code.
Detection Methods for CVE-2025-14928
Indicators of Compromise
- Unexpected child processes spawned by Python interpreters running Hugging Face Transformers conversion scripts
- Outbound network connections initiated by Python processes shortly after checkpoint conversion
- HuBERT checkpoint files sourced from untrusted or unverified repositories
- New or modified files in user directories following execution of convert_config
Detection Strategies
- Monitor process trees where python or transformers conversion scripts spawn shells, package managers, or scripting interpreters
- Alert on exec, eval, or compile calls originating from checkpoint conversion workflows
- Log and review command lines invoking HuBERT conversion utilities against known-good checkpoint hashes
Monitoring Recommendations
- Track access to model checkpoint files across ML developer workstations and CI runners
- Baseline normal behavior of Hugging Face Transformers processes and alert on deviations
- Correlate checkpoint download events with subsequent process execution and network activity
How to Mitigate CVE-2025-14928
Immediate Actions Required
- Do not convert HuBERT checkpoints obtained from untrusted sources until a patched version is deployed
- Inventory systems running huggingface/transformers 4.57.0 and restrict use of the HuBERT conversion utilities
- Isolate ML conversion workflows in sandboxed environments with no access to production credentials
Patch Information
Refer to the Zero Day Initiative Advisory ZDI-25-1146 for coordinated disclosure details. Upgrade to a version of Hugging Face Transformers that addresses the convert_config code injection once released by the vendor. Monitor the official Hugging Face Transformers release notes and security channels for a fixed version.
Workarounds
- Restrict checkpoint sources to verified publishers and validate file provenance before conversion
- Run checkpoint conversion inside ephemeral containers or virtual machines without access to sensitive data
- Apply least-privilege principles to accounts executing model conversion utilities
- Use file integrity monitoring on directories that store model checkpoints
# Example: run checkpoint conversion inside an isolated, non-privileged container
docker run --rm --network=none \
-v "$(pwd)/checkpoints:/data:ro" \
-u 1000:1000 \
python:3.11-slim \
python -c "print('run convert_config only on trusted checkpoints')"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

