CVE-2023-7018: Transformers: unsafe deserialization enables RCE on load

Severity: HIGH. Public PoC available.
Published December 20, 2023
CISO Take

Any team using HuggingFace Transformers before 4.36 is exposed to arbitrary code execution whenever a model file is loaded — a routine operation in every ML workflow. The attack surface is broad: malicious models can be distributed via HuggingFace Hub, shared repositories, or internal model registries with no network-level indicator of compromise. Patch immediately to 4.36+ and enforce model provenance controls across all pipelines.

What is the risk?

High risk for organizations with active ML pipelines. Exploitation requires only that a practitioner or automated job loads a crafted model file — a trivially triggered action requiring no attacker privileges. Pickle-based deserialization exploits are well documented and tooling exists, so the sophistication barrier is low. The blast radius extends to the full execution environment: workstation, training cluster, or inference server, including cloud credentials and proprietary model weights held in memory.

What systems are affected?

Package: Transformers
Ecosystem: pip
Vulnerable range: prior to 4.36 (per the advisory)
Patched: No patch


How severe is it?

CVSS 3.1: 7.8 / 10
EPSS: 0.7% chance of exploitation in 30 days (higher than 49% of all CVEs)
Exploitation Status: Exploit Available (Exploitation: MEDIUM)
Sophistication: Trivial
Exploitation Confidence: Medium (public PoC indexed in trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV (Attack Vector): Local
AC (Attack Complexity): Low
PR (Privileges Required): None
UI (User Interaction): Required
S (Scope): Unchanged
C (Confidentiality): High
I (Integrity): High
A (Availability): High

What should I do?

6 steps
  1. Upgrade to transformers >= 4.36 immediately across all environments (dev, staging, production).

  2. Audit all model loading code paths — identify where models are loaded from external, shared, or user-supplied sources.

  3. Enforce model provenance: restrict loading to internally verified registries; block arbitrary from_pretrained() calls to public Hub in production.

  4. Adopt safetensors format: use safe_serialization=True when saving models to avoid pickle entirely.

  5. Deploy ModelScan or equivalent tooling to scan model files before loading in CI/CD and production.

  6. Detection: monitor for unexpected subprocess spawns, outbound connections, or file writes originating from ML training/inference processes.
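Steps 3 to 5 above (provenance, safetensors, pre-load scanning) and the CWE-502 sealing advice further down can be enforced as a single gate that runs before any from_pretrained() call. The following is an added example written for this page, not code from the Transformers project or from ModelScan. It assumes a registry-issued manifest of per-file SHA-256 digests plus an HMAC-SHA256 seal under a key the registry shares with the loader (both names and the manifest layout are assumptions); it refuses pickle-based weight files by suffix and magic bytes, structurally validates safetensors headers by parsing only the JSON header, and flags any file whose digest or seal does not match. The sample model directory is constructed inline so the block runs offline.

```python
import hashlib
import hmac
import json
import pickle
import struct
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# Suffixes that Transformers < 4.36 hands to torch.load(), i.e. pickle under the hood.
# torch's zip-based checkpoints start with "PK", not a pickle opcode, so the suffix
# check is needed alongside the magic-byte check below.
PICKLE_SUFFIXES = {".bin", ".pkl", ".pickle", ".pt", ".pth", ".ckpt"}
MAX_HEADER = 100_000_000  # header-size ceiling, matching the safetensors format


def looks_like_raw_pickle(data: bytes) -> bool:
    """Pickle protocol 2..5 streams open with the PROTO opcode 0x80 and a version byte."""
    return len(data) >= 2 and data[0] == 0x80 and 2 <= data[1] <= 5


def parse_safetensors_header(data: bytes) -> dict:
    """Structural check of a safetensors file: 8-byte little-endian header length, a JSON
    object header, and every tensor's data_offsets inside the file. Nothing is executed."""
    if len(data) < 8:
        raise ValueError("file too short for a safetensors header")
    (n,) = struct.unpack("<Q", data[:8])
    if n > MAX_HEADER or 8 + n > len(data):
        raise ValueError("header length out of bounds")
    header = json.loads(data[8:8 + n].decode("utf-8"))
    if not isinstance(header, dict):
        raise ValueError("header is not a JSON object")
    body_len = len(data) - 8 - n
    for name, info in header.items():
        if name == "__metadata__":
            continue
        start, end = info["data_offsets"]
        if not 0 <= start <= end <= body_len:
            raise ValueError(f"tensor {name!r} points outside the file")
    return header


def audit_model_file(path: Path, manifest: Dict[str, dict],
                     seal_key: Optional[bytes] = None) -> List[str]:
    """Findings for one file; an empty list means the file passed every gate."""
    findings: List[str] = []
    data = path.read_bytes()
    if path.suffix in PICKLE_SUFFIXES or looks_like_raw_pickle(data):
        findings.append("pickle-based weights file (CWE-502); convert to safetensors")
    elif path.suffix == ".safetensors":
        try:
            parse_safetensors_header(data)
        except (ValueError, KeyError, TypeError, UnicodeDecodeError) as exc:
            findings.append(f"malformed safetensors header: {exc}")
    entry = manifest.get(path.name)
    if entry is None:
        findings.append("file not listed in the provenance manifest")
        return findings
    if hashlib.sha256(data).hexdigest() != entry["sha256"]:
        findings.append("sha256 does not match the manifest")
    if seal_key is not None:  # HMAC seal: the CWE-502 "signing/sealing" mitigation
        tag = hmac.new(seal_key, data, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, entry.get("hmac", "")):
            findings.append("HMAC seal missing or invalid")
    return findings


def audit_model_dir(model_dir: Path, manifest: Dict[str, dict],
                    seal_key: Optional[bytes] = None) -> Dict[str, List[str]]:
    return {p.name: audit_model_file(p, manifest, seal_key)
            for p in sorted(model_dir.iterdir()) if p.is_file()}


def build_sample_model_dir():
    """Constructed sample: a minimal valid safetensors file, a harmless pickle standing in
    for pytorch_model.bin, a config, and the manifest a registry would have sealed."""
    d = Path(tempfile.mkdtemp(prefix="model-audit-"))
    seal_key = b"demo-registry-key"  # placeholder; a real key lives in a KMS/HSM
    header = json.dumps({"w": {"dtype": "F32", "shape": [2], "data_offsets": [0, 8]}}).encode()
    (d / "model.safetensors").write_bytes(struct.pack("<Q", len(header)) + header
                                          + struct.pack("<2f", 1.0, 2.0))
    (d / "pytorch_model.bin").write_bytes(pickle.dumps({"w": [1.0, 2.0]}))
    (d / "config.json").write_bytes(b'{"model_type": "bert"}')
    manifest = {}
    for p in d.iterdir():
        blob = p.read_bytes()
        manifest[p.name] = {"sha256": hashlib.sha256(blob).hexdigest(),
                            "hmac": hmac.new(seal_key, blob, hashlib.sha256).hexdigest()}
    return d, manifest, seal_key


def demo() -> Dict[str, Dict[str, List[str]]]:
    d, manifest, key = build_sample_model_dir()
    before = audit_model_dir(d, manifest, key)
    # Simulate config.json being swapped after the registry sealed the manifest.
    (d / "config.json").write_bytes(b'{"model_type": "bert", "auto_map": {}}')
    after = audit_model_dir(d, manifest, key)
    return {"before": before, "after": after}


if __name__ == "__main__":
    for phase, report in demo().items():
        print(phase)
        for name, findings in report.items():
            print(f"  {name}: {'OK' if not findings else '; '.join(findings)}")
```

Run as-is, the "before" pass clears model.safetensors and config.json and flags pytorch_model.bin purely for being pickle-based; the "after" pass additionally reports a digest mismatch and a broken seal on the swapped config.json. The point of the HMAC alongside the plain digest is that a manifest fetched from the same place as the model can be rewritten by whoever replaced the model, while a seal under a key the registry never publishes cannot.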

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
Article 9 - Risk management system
ISO 42001
A.6.1 - AI risk assessment
A.7.4 - AI system security controls
NIST AI RMF
GOVERN-6.2 - AI risk in the supply chain
MANAGE-2.2 - Mechanisms to manage identified AI risks
OWASP LLM Top 10
LLM03 - Supply Chain

Frequently Asked Questions

Is CVE-2023-7018 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2023-7018, increasing the risk of exploitation.

What systems are affected by CVE-2023-7018?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving, fine-tuning workflows, agent frameworks, MLOps/CI-CD pipelines.

What is the CVSS score for CVE-2023-7018?

CVE-2023-7018 has a CVSS v3.1 base score of 7.8 (HIGH). The EPSS exploitation probability is 0.73%.

What is the AI security impact?

Affected AI Architectures

training pipelines, model serving, fine-tuning workflows, agent frameworks, MLOps/CI-CD pipelines

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0011 User Execution
AML.T0011.000 Unsafe AI Artifacts
AML.T0018.002 Embed Malware
AML.T0058 Publish Poisoned Models

Compliance Controls Affected

EU AI Act: Article 15, Article 9
ISO 42001: A.6.1, A.7.4
NIST AI RMF: GOVERN-6.2, MANAGE-2.2
OWASP LLM Top 10: LLM03

What are the technical details?

Original Advisory

Deserialization of Untrusted Data in GitHub repository huggingface/transformers prior to 4.36.

Exploitation Scenario

An adversary crafts a malicious Transformers model file embedding a Python pickle payload with __reduce__ hooks that execute arbitrary shell commands on deserialization. The file is published to HuggingFace Hub under a typosquatted name resembling a popular model (e.g., 'bert-base-uncaseed'). A data scientist runs AutoModel.from_pretrained('attacker/bert-base-uncaseed') and RCE fires silently during deserialization — before any weights are processed and without raising obvious errors. The attacker gains shell access to the ML workstation or cloud training instance, pivoting to cloud IAM credentials, training data stores, and proprietary fine-tuned model weights.
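Seen from the detection side (step 6 of the remediation list), the scenario above leaves a process-tree footprint: a Python interpreter running a fine-tuning or serving job spawns a shell and opens a connection to a destination outside the model registry allowlist. The block below is an added example written for this page, not a rule shipped by any EDR product; the flat event shape (pid, ppid, exe, cmdline, dst, dport), the ML_MARKERS command-line fragments and the ALLOWED_DESTINATIONS allowlist are all assumptions to map onto your own telemetry, and SAMPLE_EVENTS is constructed sample data, not captured logs.

```python
import os
from typing import List, Set

# Constructed sample telemetry (not real logs), normalized into a flat event shape.
SAMPLE_EVENTS = [
    {"type": "process_start", "pid": 4100, "ppid": 1, "exe": "/usr/bin/python3",
     "cmdline": "python3 finetune.py --model attacker/bert-base-uncaseed"},
    {"type": "process_start", "pid": 4101, "ppid": 4100, "exe": "/usr/bin/nvidia-smi",
     "cmdline": "nvidia-smi --query-gpu=memory.used --format=csv"},
    {"type": "net_connect", "pid": 4100, "dst": "huggingface.co", "dport": 443},
    {"type": "process_start", "pid": 4102, "ppid": 4100, "exe": "/bin/sh",
     "cmdline": "sh -c whoami"},
    {"type": "net_connect", "pid": 4102, "dst": "203.0.113.7", "dport": 4444},
    # A non-ML Python process spawning a shell: out of scope for this rule set.
    {"type": "process_start", "pid": 4200, "ppid": 1, "exe": "/usr/bin/python3",
     "cmdline": "python3 -m http.server 8080"},
    {"type": "process_start", "pid": 4201, "ppid": 4200, "exe": "/bin/sh",
     "cmdline": "sh -c ls"},
]

# Command-line fragments that mark an interpreter as an ML training/serving job (assumption).
ML_MARKERS = ("from_pretrained", "finetune.py", "train.py", "serve.py", "transformers")
# Children an ML job has no business spawning: shells and download tools.
SUSPICIOUS_CHILDREN = {"sh", "bash", "dash", "zsh", "curl", "wget", "nc", "ncat"}
# Destinations ML jobs may legitimately reach (assumption: your registry allowlist).
ALLOWED_DESTINATIONS = {"huggingface.co", "models.internal.example"}


def ml_root_pids(events: List[dict]) -> Set[int]:
    """pids of Python interpreters whose command line marks them as ML jobs."""
    return {e["pid"] for e in events if e["type"] == "process_start"
            and os.path.basename(e["exe"]).startswith("python")
            and any(m in e["cmdline"] for m in ML_MARKERS)}


def in_ml_tree(pid: int, parents: dict, roots: Set[int]) -> bool:
    """Walk the parent chain; True if the pid or any ancestor is an ML root."""
    seen = set()
    while pid in parents and pid not in seen:
        if pid in roots:
            return True
        seen.add(pid)
        pid = parents[pid]
    return False


def detect(events: List[dict]) -> List[dict]:
    """Flag shell/downloader children and non-allowlisted egress within ML process trees."""
    parents = {e["pid"]: e["ppid"] for e in events if e["type"] == "process_start"}
    roots = ml_root_pids(events)
    alerts = []
    for e in events:
        if not in_ml_tree(e["pid"], parents, roots):
            continue
        if e["type"] == "process_start" and os.path.basename(e["exe"]) in SUSPICIOUS_CHILDREN:
            alerts.append({"rule": "ml-process-spawned-shell",
                           "pid": e["pid"], "cmdline": e["cmdline"]})
        elif e["type"] == "net_connect" and e["dst"] not in ALLOWED_DESTINATIONS:
            alerts.append({"rule": "ml-process-unexpected-egress",
                           "pid": e["pid"], "dst": e["dst"], "dport": e["dport"]})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a)
```

On the sample feed this yields exactly two alerts, both for pid 4102: the shell spawned under the fine-tuning job and that shell's connection to 203.0.113.7. The nvidia-smi child and the connection to huggingface.co pass, and the shell under the unrelated http.server process is ignored because scoping is by ML process tree, which keeps the rule quiet on general-purpose Python hosts. File-write monitoring, the third signal in step 6, slots in the same way as another event type gated by in_ml_tree().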

Weaknesses (CWE)

CWE-502 — Deserialization of Untrusted Data: The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

  • [Architecture and Design, Implementation] If available, use the signing/sealing features of the programming language to assure that deserialized data has not been tainted. For example, a hash-based message authentication code (HMAC) could be used to ensure that data has not been modified.
  • [Implementation] When deserializing data, populate a new object rather than just deserializing. The result is that the data flows through safe input validation and that the functions are safe.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Timeline

Published: December 20, 2023
Last Modified: November 21, 2024
First Seen: December 20, 2023
