Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-14929

CVE-2025-14929: Hugging Face Transformers RCE Vulnerability

CVE-2025-14929 is a remote code execution vulnerability in Hugging Face Transformers X-CLIP checkpoint conversion caused by deserialization of untrusted data. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2025-14929 Overview

CVE-2025-14929 is a deserialization of untrusted data vulnerability [CWE-502] in Hugging Face Transformers. The flaw resides in the X-CLIP checkpoint conversion logic, which parses checkpoint files without properly validating user-supplied data. Attackers can craft a malicious checkpoint that triggers arbitrary code execution when loaded by a victim. Exploitation requires user interaction, such as opening a malicious file or visiting a malicious page that initiates the conversion. The issue was reported through the Zero Day Initiative as ZDI-CAN-28308 and tracked publicly as ZDI-25-1144. Code executes in the context of the current process, exposing developer workstations and ML pipelines that ingest third-party model artifacts.

Critical Impact

A malicious X-CLIP checkpoint loaded by Hugging Face Transformers executes arbitrary code with the privileges of the user running the conversion, enabling full compromise of ML developer and pipeline hosts.

Affected Products

  • Hugging Face Transformers 5.0.0:rc0
  • ML pipelines and notebooks that invoke X-CLIP checkpoint conversion utilities
  • Developer workstations that load untrusted model checkpoints from public repositories

Discovery Timeline

  • 2025-12-23 - CVE-2025-14929 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-14929

Vulnerability Analysis

The vulnerability exists in the X-CLIP checkpoint conversion routine inside Hugging Face Transformers. Checkpoint conversion code paths load serialized Python objects from disk to translate upstream model weights into the Transformers format. The conversion logic accepts attacker-controlled checkpoint files and deserializes embedded objects without first validating their type or origin. An attacker who controls or substitutes a checkpoint file can embed a malicious object whose deserialization triggers arbitrary Python execution. Successful exploitation runs attacker code with the same privileges as the user invoking the conversion script, typically a data scientist or CI worker with broad access to source code, credentials, and model registries.

Root Cause

The root cause is unsafe deserialization of untrusted data [CWE-502]. The X-CLIP conversion path relies on a Python pickle-style loader without integrity verification or a restricted unpickler. Any object graph stored in the checkpoint is reconstructed verbatim, including objects that implement __reduce__ to invoke shell commands or import arbitrary modules. The library does not enforce signature checks, allowlists of safe classes, or sandboxed loading for the conversion utility.

Attack Vector

Exploitation requires user interaction. The attacker publishes a malicious X-CLIP checkpoint to a public model hub, embeds it in a repository, or delivers it through a phishing lure. When the victim runs the conversion utility against the file, the embedded payload executes locally. Although the CVSS vector identifies the attack as local with required user interaction, the realistic delivery surface includes any workflow that ingests community-supplied weights, including automated training pipelines.

No proof-of-concept code has been published. Refer to the Zero Day Initiative Advisory ZDI-25-1144 for vendor-coordinated technical details.

Detection Methods for CVE-2025-14929

Indicators of Compromise

  • Unexpected child processes spawned from Python interpreters running Transformers conversion scripts, especially shells, curl, wget, or package managers.
  • Outbound network connections from data science workstations or training nodes immediately following checkpoint loading.
  • New or modified files in user home directories, ~/.ssh, or cron locations created during model conversion.

Detection Strategies

  • Monitor execution of X-CLIP conversion scripts and correlate with process lineage to detect unexpected subprocesses.
  • Inspect checkpoint files for Python pickle opcodes such as GLOBAL, REDUCE, or INST referencing modules like os, subprocess, or posix.
  • Alert on Python processes that load files from world-writable or recently downloaded directories and then initiate network or filesystem changes.

Monitoring Recommendations

  • Enable command-line and process-tree logging on ML developer endpoints and training infrastructure.
  • Track filesystem writes triggered by Python processes during model ingestion workflows.
  • Forward endpoint telemetry to a centralized analytics platform to correlate checkpoint loads with subsequent suspicious activity.

How to Mitigate CVE-2025-14929

Immediate Actions Required

  • Inventory hosts running Hugging Face Transformers 5.0.0:rc0 and restrict the use of X-CLIP checkpoint conversion until a fixed release is applied.
  • Treat all checkpoints from untrusted sources as executable code and review provenance before loading.
  • Run conversion utilities in isolated, non-privileged containers without access to credentials or production networks.

Patch Information

No fixed version is listed in the NVD record at publication time. Monitor the Zero Day Initiative Advisory ZDI-25-1144 and the Hugging Face Transformers release notes for a patched build, then upgrade affected installations to the corrected version once published.

Workarounds

  • Load model weights only in the safetensors format, which does not execute arbitrary code during deserialization.
  • Restrict checkpoint sources to internally signed artifacts and verify hashes before conversion.
  • Execute conversion scripts inside ephemeral sandboxes with no outbound network access and minimal filesystem privileges.
  • Apply least-privilege user accounts for data science workflows so that compromise does not yield administrative access.
bash
# Configuration example: run X-CLIP checkpoint conversion inside an isolated container
docker run --rm \
  --network=none \
  --read-only \
  --tmpfs /tmp \
  --user 1000:1000 \
  -v "$(pwd)/checkpoints:/data:ro" \
  python:3.11-slim \
  python -m transformers.models.x_clip.convert_x_clip_original_pytorch_to_hf \
    --checkpoint_path /data/untrusted.bin \
    --pytorch_dump_folder_path /tmp/out

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.