CVE-2023-7018: Transformers: unsafe deserialization enables RCE on load

HIGH PoC AVAILABLE
Published December 20, 2023
CISO Take

Any team using HuggingFace Transformers before 4.36 is exposed to arbitrary code execution whenever a model file is loaded — a routine operation in every ML workflow. The attack surface is broad: malicious models can be distributed via HuggingFace Hub, shared repositories, or internal model registries with no network-level indicator of compromise. Patch immediately to 4.36+ and enforce model provenance controls across all pipelines.

Risk Assessment

High risk for organizations with active ML pipelines. Exploitation requires only that a practitioner or automated job loads a crafted model file — a trivially triggered action requiring no attacker privileges. Pickle-based deserialization exploits are well-documented and tooling exists; sophistication barrier is low. Blast radius extends to the full execution environment: workstation, training cluster, or inference server, including cloud credentials and proprietary model weights stored in memory.

Affected Systems

Package        Ecosystem   Vulnerable Range   Patched
transformers   pip         < 4.36             No patch


Severity & Risk

CVSS 3.1: 7.8 / 10
EPSS: 0.2% chance of exploitation in 30 days (higher than 42% of all CVEs)
Exploitation Status: Exploit Available (Exploitation: MEDIUM)
Sophistication: Trivial
Exploitation Confidence: medium; public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

Metric                    Value
AV (Attack Vector)        Local
AC (Attack Complexity)    Low
PR (Privileges Required)  None
UI (User Interaction)     Required
S  (Scope)                Unchanged
C  (Confidentiality)      High
I  (Integrity)            High
A  (Availability)         High

Recommended Action

6 steps
  1. Upgrade to transformers >= 4.36 immediately across all environments (dev, staging, production).

  2. Audit all model loading code paths — identify where models are loaded from external, shared, or user-supplied sources.

  3. Enforce model provenance: restrict loading to internally verified registries; block arbitrary from_pretrained() calls to public Hub in production.

  4. Adopt safetensors format: use safe_serialization=True when saving models to avoid pickle entirely.

  5. Deploy ModelScan or equivalent tooling to scan model files before loading in CI/CD and production.

  6. Detection: monitor for unexpected subprocess spawns, outbound connections, or file writes originating from ML training/inference processes.
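For the detection step, the following is an added example (not from this advisory or any product) of the alerting logic in Python. It replays constructed exec/connect telemetry in a generic JSON shape, tracks parent/child relationships, and raises an alert when a shell or download tool is spawned under an ML job, or when such a job reaches a host outside an assumed allowlist. The event schema and the ML_MARKERS, SUSPICIOUS_CHILDREN and ALLOWED_DESTINATIONS values are all assumptions; file-write monitoring from the same step is not covered here.

```python
"""Detection rule for step 6: alert on shells/download tools spawned under an
ML training/inference job and on unexpected outbound connections from it.
Added example over a constructed, generic JSON event format (exec and connect
events); not tied to any product or to this advisory."""
import json
from typing import Optional

# Assumed markers that identify an ML job by its command line.
ML_MARKERS = ("train.py", "finetune", "serve", "inference", "from_pretrained")
# Child programs an ML job has no business exec'ing.
SUSPICIOUS_CHILDREN = {"sh", "bash", "dash", "zsh", "curl", "wget", "nc", "ncat"}
# Constructed allowlist of destinations an ML job is expected to reach.
ALLOWED_DESTINATIONS = {"models.internal.example:443"}

# Constructed sample telemetry: pid 100 is a training job that pulls from the
# internal registry, then spawns a shell whose child fetches from an unknown
# host; pid 200 is an interactive operator shell and is out of scope.
SAMPLE_LOG = """\
{"ts": 1, "type": "exec", "pid": 100, "ppid": 1, "comm": "python3", "cmdline": "python3 train.py --model bert-base"}
{"ts": 2, "type": "connect", "pid": 100, "dst": "models.internal.example:443"}
{"ts": 3, "type": "exec", "pid": 101, "ppid": 100, "comm": "sh", "cmdline": "sh -c 'uname -a'"}
{"ts": 4, "type": "exec", "pid": 102, "ppid": 101, "comm": "curl", "cmdline": "curl http://203.0.113.5/"}
{"ts": 5, "type": "connect", "pid": 102, "dst": "203.0.113.5:80"}
{"ts": 6, "type": "exec", "pid": 200, "ppid": 1, "comm": "bash", "cmdline": "bash -l"}
{"ts": 7, "type": "exec", "pid": 201, "ppid": 200, "comm": "curl", "cmdline": "curl https://pypi.org/simple/"}
"""


def is_ml_job(proc: dict) -> bool:
    """A Python process whose command line carries one of the assumed markers."""
    return proc["comm"].startswith("python") and any(m in proc["cmdline"] for m in ML_MARKERS)


def ml_ancestor(pid: int, procs: dict) -> Optional[int]:
    """Walk the parent chain from pid; return the nearest ML job's pid, if any."""
    seen = set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        if is_ml_job(procs[pid]):
            return pid
        pid = procs[pid]["ppid"]
    return None


def detect(log_text: str) -> list:
    """Return one alert dict per suspicious exec or connect event, in log order."""
    procs = {}   # pid -> most recent exec event, built as the stream is replayed
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev["type"] == "exec":
            procs[ev["pid"]] = ev
            # Start at the parent: the job itself is not a child of an ML job.
            job = ml_ancestor(ev["ppid"], procs)
            if job is not None and ev["comm"] in SUSPICIOUS_CHILDREN:
                alerts.append({"ts": ev["ts"], "pid": ev["pid"], "ml_pid": job,
                               "reason": f"{ev['comm']} spawned under ML job {job}: {ev['cmdline']}"})
        elif ev["type"] == "connect":
            job = ml_ancestor(ev["pid"], procs)
            if job is not None and ev["dst"] not in ALLOWED_DESTINATIONS:
                alerts.append({"ts": ev["ts"], "pid": ev["pid"], "ml_pid": job,
                               "reason": f"unexpected outbound connection to {ev['dst']} from ML job {job}"})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the sample, events 3, 4 and 5 alert (all traced back to job pid 100); the registry connection at event 2 and the operator shell's curl at event 7 do not. Anchoring the rule on process ancestry rather than on the child's name alone is what keeps an operator's interactive shell out of the alert stream.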

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
  Article 15 - Accuracy, robustness and cybersecurity
  Article 9 - Risk management system
ISO 42001
  A.6.1 - AI risk assessment
  A.7.4 - AI system security controls
NIST AI RMF
  GOVERN-6.2 - AI risk in the supply chain
  MANAGE-2.2 - Mechanisms to manage identified AI risks
OWASP LLM Top 10
  LLM03 - Supply Chain

Frequently Asked Questions

What is CVE-2023-7018?

A deserialization-of-untrusted-data flaw (CVSS 3.1 base score 7.8, HIGH) in HuggingFace Transformers before 4.36: loading a crafted model file executes arbitrary code on the machine that loads it, and such files can arrive through HuggingFace Hub, shared repositories, or internal registries. See the CISO Take above for the full assessment.

Is CVE-2023-7018 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2023-7018, increasing the risk of exploitation.

How to fix CVE-2023-7018?

Upgrade to transformers >= 4.36 across all environments, then work through the six-step Recommended Action above: audit model loading code paths, enforce model provenance, adopt the safetensors format (safe_serialization=True), scan model files with ModelScan or equivalent before loading, and monitor ML processes for unexpected subprocess spawns, outbound connections, or file writes.

What systems are affected by CVE-2023-7018?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving, fine-tuning workflows, agent frameworks, MLOps/CI-CD pipelines.

What is the CVSS score for CVE-2023-7018?

CVE-2023-7018 has a CVSS v3.1 base score of 7.8 (HIGH). The EPSS exploitation probability is 0.20%.

Technical Details

NVD Description

Deserialization of Untrusted Data in GitHub repository huggingface/transformers prior to 4.36.

Exploitation Scenario

An adversary crafts a malicious Transformers model file embedding a Python pickle payload with __reduce__ hooks that execute arbitrary shell commands on deserialization. The file is published to HuggingFace Hub under a typosquatted name resembling a popular model (e.g., 'bert-base-uncaseed'). A data scientist runs AutoModel.from_pretrained('attacker/bert-base-uncaseed') and RCE fires silently during deserialization — before any weights are processed and without raising obvious errors. The attacker gains shell access to the ML workstation or cloud training instance, pivoting to cloud IAM credentials, training data stores, and proprietary fine-tuned model weights.
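The scenario above works because the unpickler executes code while the checkpoint is still being read. The added example below (written for this page; not HuggingFace, Transformers or ModelScan code) shows the defender-side gate that steps 3 to 5 of the Recommended Action describe: it prefers *.safetensors, and for any pickle-based weight file it walks the opcode stream with pickletools.genops, which parses without unpickling, and refuses the checkpoint if the stream imports any global outside an allowlist. The allowlist (only collections.OrderedDict), the weight-file suffixes, and the constructed sample checkpoints are assumptions; the suspicious sample merely references builtins.len, a harmless stand-in for the kind of out-of-allowlist import a real payload depends on.

```python
"""Pre-load gate for a local Transformers checkpoint directory (added example).

Prefers *.safetensors, which carry no executable content, and statically
inspects pickle-based weight files with pickletools.genops, which parses the
opcode stream without running the unpickler, so a __reduce__ payload cannot
fire during the check. Allowlist, suffixes and samples are assumptions.
"""
import io
import pickle
import pickletools
import tempfile
import zipfile
from collections import OrderedDict
from pathlib import Path

# Opcodes that push a string; STACK_GLOBAL consumes the last two as (module, name).
STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING", "UNICODE",
              "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}
# Assumed allowlist: the one global a dict-of-lists state_dict needs. A real
# deployment adds the torch rebuild helpers its known-good checkpoints import.
ALLOWED_GLOBALS = {("collections", "OrderedDict")}
WEIGHT_PICKLE_SUFFIXES = {".bin", ".pt", ".pth", ".pkl", ".ckpt"}

# Constructed samples. torch.save writes protocol 2; protocol 4 is used here so
# the STACK_GLOBAL path is exercised (both are handled). The suspicious sample
# references builtins.len, a harmless stand-in for an out-of-allowlist import.
CLEAN_SAMPLE = pickle.dumps(OrderedDict(weight=[0.1, 0.2]), protocol=4)
SUSPICIOUS_SAMPLE = pickle.dumps(len, protocol=4)


def scan_pickle_bytes(data: bytes) -> list:
    """Return one finding per global import outside the allowlist (empty == clean)."""
    findings, recent_strings = [], []
    try:
        for opcode, arg, pos in pickletools.genops(io.BytesIO(data)):
            if opcode.name in STRING_OPS:
                recent_strings.append(str(arg))
                continue
            if opcode.name == "GLOBAL":            # protocol <= 3: arg is "module name"
                module, _, attr = str(arg).partition(" ")
            elif opcode.name == "STACK_GLOBAL":    # protocol >= 4: operands are prior strings
                if len(recent_strings) < 2:
                    findings.append(f"@{pos}: STACK_GLOBAL without module/name strings")
                    continue
                module, attr = recent_strings[-2], recent_strings[-1]
            else:
                continue
            if (module, attr) not in ALLOWED_GLOBALS:
                findings.append(f"@{pos}: imports {module}.{attr}")
    except Exception as exc:                        # truncated or malformed stream
        findings.append(f"unparseable pickle: {exc}")
    return findings


def scan_weight_file(path) -> list:
    """Scan a raw pickle or a torch.save-style zip container (pickle under *.pkl)."""
    path = Path(path)
    if zipfile.is_zipfile(path):
        with zipfile.ZipFile(path) as zf:
            entries = [n for n in zf.namelist() if n.endswith(".pkl")]
            if not entries:
                return ["zip container without a .pkl entry"]
            return [f"{n}: {f}" for n in entries for f in scan_pickle_bytes(zf.read(n))]
    return scan_pickle_bytes(path.read_bytes())


def gate_checkpoint_dir(model_dir) -> dict:
    """Decide whether a checkpoint directory may be loaded, and with which files."""
    root = Path(model_dir)
    safetensors = sorted(p.name for p in root.glob("*.safetensors"))
    pickles = sorted(p for p in root.iterdir() if p.suffix in WEIGHT_PICKLE_SUFFIXES)
    findings = {p.name: scan_weight_file(p) for p in pickles}
    flagged = {name: f for name, f in findings.items() if f}
    # Refuse if any pickle file is flagged even when safetensors exist: a loader
    # configured to fall back to .bin must never reach a tainted file.
    allowed = not flagged and bool(safetensors or pickles)
    return {"allowed": allowed, "use": safetensors or [p.name for p in pickles], "findings": flagged}


def build_sample_checkpoint(root: Path, suspicious: bool) -> Path:
    """Constructed checkpoint: torch-style zip with archive/data.pkl plus config.json."""
    root.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(root / "pytorch_model.bin", "w") as zf:
        zf.writestr("archive/data.pkl", SUSPICIOUS_SAMPLE if suspicious else CLEAN_SAMPLE)
    (root / "config.json").write_text('{"model_type": "bert"}')
    return root


def demo() -> tuple:
    """Gate a clean and a suspicious constructed checkpoint; return both verdicts."""
    with tempfile.TemporaryDirectory() as tmp:
        clean = gate_checkpoint_dir(build_sample_checkpoint(Path(tmp) / "clean", False))
        bad = gate_checkpoint_dir(build_sample_checkpoint(Path(tmp) / "bad", True))
    return clean, bad


if __name__ == "__main__":
    for label, verdict in zip(("clean", "suspicious"), demo()):
        print(label, verdict)
```

The gate runs before any call into the loading library, so it does not depend on the Transformers version; it is a supply-chain control that complements the upgrade rather than replacing it. Taking the allowlist from a scan of a known-good checkpoint, rather than from memory, keeps false positives down without widening it to modules a state_dict never needs.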

Weaknesses (CWE)

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Timeline

Published
December 20, 2023
Last Modified
November 21, 2024
First Seen
December 20, 2023

Related Vulnerabilities