CVE-2023-2800: Transformers: temp file race condition allows local DoS

GHSA-282v-666c-3fvg | Severity: MEDIUM | PoC available | CISA SSVC: Track*
Published May 18, 2023
CISO Take

Low-urgency issue for most environments: exploitation requires local access to the same machine running transformers, plus precise timing. Upgrade to transformers>=4.30.0 as routine maintenance. Priority is elevated only if you run multi-tenant shared GPU clusters or CI/CD pipelines where untrusted users share compute with model training jobs.

What is the risk?

MEDIUM with low practical urgency. CVSS 4.7 reflects the local-only attack vector (AV:L) and high complexity (AC:H) required to win the race condition. EPSS 0.00021 signals near-zero observed exploitation in the wild. Impact is confined to availability (C:N/I:N/A:H), meaning an attacker disrupts training/inference jobs but cannot exfiltrate models or data. Real risk surfaces primarily in shared HPC or Kubernetes GPU environments where multiple users share the same node filesystem.

What systems are affected?

Package: Transformers
Ecosystem: pip
Vulnerable range: < 4.30.0
Patched version: 4.30.0
Package profile: 161.8K, OpenSSF Scorecard 6.4, 8.3K dependents, 40% of dependents patched, ~92d to patch

How severe is it?

CVSS 3.1: 4.7 / 10
EPSS: 0.3% chance of exploitation in 30 days (higher than 20% of all CVEs)
Exploitation status: Exploit available; exploitation rated MEDIUM
Sophistication: Moderate
Exploitation confidence: medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV (Attack Vector): Local
AC (Attack Complexity): High
PR (Privileges Required): Low
UI (User Interaction): None
S (Scope): Unchanged
C (Confidentiality): None
I (Integrity): None
A (Availability): High

What should I do?

4 steps
  1. PATCH

    Upgrade transformers to >=4.30.0 immediately via pip install --upgrade transformers. Patch commit: 80ca92470938bbcc348e2d9cf4734c7c25cb1c43.

  2. WORKAROUND (if upgrade blocked)

    Set TMPDIR to a directory with strict 0700 permissions owned by the service account, eliminating cross-user temp file access.

  3. DETECTION

    Monitor for unusual file creation patterns in /tmp during model load operations; alert on SIGABRT or IOError exceptions in transformers processes on shared nodes.

  4. ARCHITECTURE

    Run training jobs in isolated containers (one user per pod) to eliminate the local access requirement entirely.
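An added example, not transformers code, that checks the TMPDIR workaround from step 2 and shows the temp-file creation pattern that avoids the CWE-377 weakness described on this page. It assumes a POSIX host (os.getuid, 0700 semantics) and uses only the standard library; the directories and data it creates are constructed for the demo.

```python
import os
import shutil
import stat
import tempfile

def check_private_tmpdir(path):
    """Step-2 requirements: a real directory, owned by the current uid, mode 0700. Returns problems (empty = OK)."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return ["does not exist"]
    problems = []
    if stat.S_ISLNK(st.st_mode):
        problems.append("is a symlink")  # could be retargeted by whoever controls the parent directory
        st = os.stat(path)
    if st.st_uid != os.getuid():
        problems.append("not owned by uid %d" % os.getuid())
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o077:
        problems.append("mode %04o allows group/other access, want 0700" % mode)
    return problems

def create_temp_file(dirpath, data=b""):
    """mkstemp picks a random name and opens with O_CREAT|O_EXCL (O_NOFOLLOW where available): a file or symlink planted at that name makes the call fail rather than being followed."""
    fd, name = tempfile.mkstemp(dir=dirpath, prefix="hf-", suffix=".tmp")
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return name

def demo():
    """Constructed scenario: one compliant directory and one left group/world readable."""
    good = tempfile.mkdtemp()  # mkdtemp creates the directory with mode 0700
    bad = tempfile.mkdtemp()
    os.chmod(bad, 0o755)       # the misconfiguration the workaround is meant to rule out
    old = os.environ.get("TMPDIR", "")
    os.environ["TMPDIR"] = good
    tempfile.tempdir = None    # gettempdir() caches its answer; reset so TMPDIR is re-read
    try:
        name = create_temp_file(tempfile.gettempdir(), b"checkpoint shard (constructed)")
        return {
            "good_problems": check_private_tmpdir(good),
            "bad_problems": check_private_tmpdir(bad),
            "tempfile_in_private_dir": os.path.dirname(name) == good,
        }
    finally:
        shutil.rmtree(good)
        shutil.rmtree(bad)
        os.environ["TMPDIR"] = old  # an empty TMPDIR is ignored by gettempdir()
        tempfile.tempdir = None
```

Run the same check against the service account's real TMPDIR before starting a job on a shared node; any non-empty problem list means other local users can still reach the temp files.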

What does CISA's SSVC say?

Decision Track*
Exploitation poc
Automatable No
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Art.17 - Quality management system — technical robustness and reliability
ISO 42001
A.6.1.4 - AI system lifecycle — dependency and supply chain security
NIST AI RMF
GOVERN-6.1 - Policies for AI risk identification and prioritization
MANAGE-2.2 - Mechanisms are in place to sustain AI risk management

Frequently Asked Questions

What is CVE-2023-2800?

Low-urgency issue for most environments: exploitation requires local access to the same machine running transformers, plus precise timing. Upgrade to transformers>=4.30.0 as routine maintenance. Priority is elevated only if you run multi-tenant shared GPU clusters or CI/CD pipelines where untrusted users share compute with model training jobs.

Is CVE-2023-2800 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2023-2800, increasing the risk of exploitation.

How to fix CVE-2023-2800?

1. PATCH: Upgrade transformers to >=4.30.0 immediately via `pip install --upgrade transformers`. Patch commit: 80ca92470938bbcc348e2d9cf4734c7c25cb1c43.
2. WORKAROUND (if upgrade blocked): Set TMPDIR to a directory with strict 0700 permissions owned by the service account, eliminating cross-user temp file access.
3. DETECTION: Monitor for unusual file creation patterns in /tmp during model load operations; alert on SIGABRT or IOError exceptions in transformers processes on shared nodes.
4. ARCHITECTURE: Run training jobs in isolated containers (one user per pod) to eliminate the local access requirement entirely.

What systems are affected by CVE-2023-2800?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving, MLOps pipelines, CI/CD model evaluation.

What is the CVSS score for CVE-2023-2800?

CVE-2023-2800 has a CVSS v3.1 base score of 4.7 (MEDIUM). The EPSS exploitation probability is 0.28%.

What is the AI security impact?

Affected AI Architectures

training pipelines, model serving, MLOps pipelines, CI/CD model evaluation

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0029 Denial of AI Service
AML.T0037 Data from Local System

Compliance Controls Affected

EU AI Act: Art.17
ISO 42001: A.6.1.4
NIST AI RMF: GOVERN-6.1, MANAGE-2.2

What are the technical details?

Original Advisory

Insecure Temporary File in GitHub repository huggingface/transformers prior to 4.30.0.

Exploitation Scenario

An adversary with a low-privilege shell account on a shared GPU cluster waits for a co-tenant's transformers-based training job to start. During model download or tokenizer caching, transformers creates a predictable temporary file path. The adversary pre-creates a symlink at that path pointing to a critical system file or simply races to modify/delete the temp file mid-operation (TOCTOU). This causes the training process to crash with an IOError or PermissionError, achieving denial-of-service against the victim's compute job — wasting GPU time and potentially corrupting incomplete checkpoint files if the crash occurs mid-save.

Weaknesses (CWE)

CWE-377 — Insecure Temporary File: Creating and using insecure temporary files can leave application and system data vulnerable to attack.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

Timeline

Published
May 18, 2023
Last Modified
November 22, 2024
First Seen
May 18, 2023
