Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-14930

CVE-2025-14930: Hugging Face Transformers RCE Vulnerability

CVE-2025-14930 is a remote code execution vulnerability in Hugging Face Transformers GLM4 that allows attackers to execute arbitrary code via malicious weights. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2025-14930 Overview

CVE-2025-14930 is a deserialization of untrusted data vulnerability [CWE-502] in the Hugging Face Transformers library. The flaw resides in the GLM4 model weight parsing logic, where user-supplied data is processed without proper validation. An attacker can craft a malicious model weights file that triggers arbitrary code execution when loaded by a victim. Exploitation requires user interaction, such as opening a malicious file or loading a model from an untrusted source. Successful exploitation results in code execution in the context of the process loading the model.

Critical Impact

An attacker who convinces a developer or data scientist to load a malicious GLM4 model can execute arbitrary code on the host, compromising machine learning pipelines, training data, and credentials available to the Python process.

Affected Products

  • Hugging Face Transformers 4.57.1
  • Python environments loading GLM4 model weights via the Transformers library
  • Machine learning pipelines that download or process third-party model artifacts

Discovery Timeline

  • 2025-12-23 - CVE-2025-14930 published to the National Vulnerability Database
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-14930

Vulnerability Analysis

The vulnerability is an insecure deserialization issue within the GLM4 model loading path in Hugging Face Transformers. When the library parses model weight files supplied by a user, it deserializes embedded objects without enforcing strict type or content validation. Python deserialization primitives such as pickle allow arbitrary callable invocation during object reconstruction, which an attacker can abuse to run code on the host.

The vulnerability was reported through the Trend Micro Zero Day Initiative under tracking identifier ZDI-CAN-28309 and disclosed in advisory ZDI-25-1145. The EPSS probability is 0.262% as of the latest scoring.

Root Cause

The root cause is the absence of validation on weight file contents before deserialization. The GLM4 loader trusts the structure and types of objects produced during parsing. Because Python deserialization can construct objects with side effects, any tampered weight file can hijack control flow during model load and execute attacker-defined logic.

Attack Vector

Exploitation requires local access and user interaction. The attacker distributes a malicious GLM4 model artifact through a model hub, repository, shared filesystem, or phishing payload. When a developer or automated pipeline calls a loader such as from_pretrained against the attacker-controlled artifact, the embedded payload runs with the privileges of the loading process. The payload can exfiltrate credentials, modify training data, or pivot to other systems within the ML environment.

// No verified public exploit is available at this time.
// See ZDI-25-1145 for vendor-coordinated technical details.

Detection Methods for CVE-2025-14930

Indicators of Compromise

  • Unexpected child processes spawned by Python interpreters running transformers workloads, such as shells, curl, wget, or bash.
  • Outbound network connections from model loading processes to unfamiliar hosts shortly after a from_pretrained call.
  • Modification of model files (.bin, .pt, .safetensors variants, or pickled weight files) from non-trusted sources.
  • Presence of GLM4 weight files originating outside approved internal registries.

Detection Strategies

  • Monitor process trees for python or python3 parent processes spawning interactive shells or scripting interpreters during model load operations.
  • Inspect filesystem telemetry for newly written executable scripts or cron entries created by Python ML processes.
  • Hash and inventory GLM4 model artifacts before deployment and compare against known-good baselines from the official vendor source.
  • Apply YARA or static scanning rules to flag pickle opcodes such as GLOBAL, REDUCE, and BUILD in model weight payloads.

Monitoring Recommendations

  • Enable command-line and process-creation logging on all data science workstations and training nodes.
  • Forward Python application logs and ML framework logs to a centralized analytics platform for behavioral correlation.
  • Alert on first-seen executions of from_pretrained against repositories outside an approved allowlist.

How to Mitigate CVE-2025-14930

Immediate Actions Required

  • Restrict model loading to internally vetted GLM4 weights and block downloads from arbitrary third-party sources.
  • Inventory all hosts running huggingface transformers version 4.57.1 and prioritize them for remediation.
  • Run ML workloads under least-privilege service accounts isolated from production credentials and sensitive data stores.
  • Validate the integrity of all locally cached model artifacts against trusted hashes before reuse.

Patch Information

No vendor patch URL is listed in the NVD record at the time of writing. Refer to the Zero Day Initiative Advisory ZDI-25-1145 for vendor coordination status and upgrade guidance. Track the Hugging Face Transformers release notes for a fixed version superseding 4.57.1.

Workarounds

  • Load GLM4 models only from trusted, signed sources and prefer the safetensors serialization format where supported.
  • Disable automatic model downloads in CI/CD pipelines and require manual review of model provenance.
  • Run model loading inside sandboxed containers with no outbound network access and read-only filesystems where feasible.
  • Apply egress filtering on ML hosts to limit the impact of code execution payloads attempting external callbacks.
bash
# Example: run model loading in a restricted container with no network access
docker run --rm \
  --network=none \
  --read-only \
  --cap-drop=ALL \
  --user 1000:1000 \
  -v /trusted/models:/models:ro \
  python:3.11-slim \
  python -c "from transformers import AutoModel; AutoModel.from_pretrained('/models/glm4-verified')"

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.