CVE-2025-14920: transformers: Deserialization enables RCE

Published December 23, 2025
CISO Take

CVE-2025-14920 is a deserialization RCE in Hugging Face Transformers' Perceiver model loader — an attacker can achieve full code execution on any system that loads a malicious model file. Organizations pulling models from HuggingFace Hub, shared drives, or external sources are directly exposed. Immediate action: audit where Transformers is deployed, restrict model loading to verified/signed sources, and patch or pin to a fixed version once available.

What is the risk?

High risk despite the missing CVSS score. CWE-502 deserialization flaws are historically scored 8.8–9.8 when paired with RCE impact. The attack requires user interaction (loading a malicious file), which lowers opportunistic risk, but that barrier is weak in ML workflows where engineers routinely download third-party models. The real threat vector is supply chain: a poisoned model uploaded to HuggingFace Hub or a shared S3 bucket. AI/ML teams run Transformers locally with full user privileges, compounding the blast radius. No patch or CVSS details had been published as of the disclosure date (2025-12-23), indicating early-stage disclosure.

What systems are affected?

Package       Ecosystem   Vulnerable Range   Patched
Transformers  pip                            No patch

Do you use Transformers? You're affected.

How severe is it?

CVSS 3.1: N/A
EPSS: 0.3% chance of exploitation in 30 days (higher than 17% of all CVEs)
Exploitation Status: No known exploitation
Sophistication: Moderate

What should I do?

7 steps
  1. PATCH

    Monitor HuggingFace Transformers releases for a fix targeting the Perceiver model file parser; pin to patched version immediately.

  2. INVENTORY

    Identify all environments with transformers installed that load Perceiver models (grep -r 'Perceiver' --include='*.py').

  3. RESTRICT MODEL SOURCES

    Enforce allowlisting — only load models from internal artifact registries with SHA-256 hash verification. Reject models from arbitrary URLs or unverified Hub accounts.

  4. SANDBOX

    Run model loading in isolated environments (separate containers/VMs with no network egress) and inspect model files with tools like fickling before loading in production.

  5. DETECT

    Alert on unexpected network connections or child process spawns from Python ML processes.

  6. WORKAROUND

    If Perceiver models are not in use, block their loading at the framework level or remove the model class from the import path.

  7. REVIEW

    Audit recent downloads of Perceiver model files from public registries for tampering.

What does CISA's SSVC say?

Decision: Track
Exploitation: none
Automatable: No
Technical Impact: total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
  • Article 15 - Accuracy, robustness and cybersecurity
  • Article 17 - Quality management system
  • Article 9 - Risk management system
ISO 42001
  • A.10.1 - AI system supply chain security
  • A.6.1.3 - AI supply chain security
  • A.8.4 - AI system technical security
NIST AI RMF
  • GOVERN-6.1 - AI supply chain risk management
  • GV-1.6 - Organizational risk tolerance
  • MANAGE-2.2 - Mechanisms to respond to AI risks
  • MS-2.5 - Practices and personnel for AI risk management
OWASP LLM Top 10
  • LLM03:2025 - Supply Chain Vulnerabilities
  • LLM05 - Supply Chain Vulnerabilities

Frequently Asked Questions

Is CVE-2025-14920 actively exploited?

No confirmed active exploitation of CVE-2025-14920 has been reported, but organizations should still patch proactively.

What systems are affected by CVE-2025-14920?

This vulnerability affects the following AI/ML architecture patterns: model serving, training pipelines, MLOps platforms, data science environments, model registries.

What is the CVSS score for CVE-2025-14920?

No CVSS score has been assigned yet.

What is the AI security impact?

Affected AI Architectures

model serving, training pipelines, MLOps platforms, data science environments, model registries

MITRE ATLAS Techniques

AML.T0002.001 Models
AML.T0010.003 Model
AML.T0011.000 Unsafe AI Artifacts
AML.T0018.002 Embed Malware
AML.T0058 Publish Poisoned Models
AML.T0078 Drive-by Compromise

Compliance Controls Affected

EU AI Act: Article 15, Article 17, Article 9
ISO 42001: A.10.1, A.6.1.3, A.8.4
NIST AI RMF: GOVERN-6.1, GV-1.6, MANAGE-2.2, MS-2.5
OWASP LLM Top 10: LLM03:2025, LLM05

What are the technical details?

Original Advisory

Hugging Face Transformers Perceiver Model Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of model files. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-25423.

Exploitation Scenario

An adversary crafts a malicious Perceiver model file containing a serialized Python object that executes arbitrary commands upon deserialization (classic pickle exploit pattern: `__reduce__` returning `os.system` or `subprocess`). The attacker uploads this model to HuggingFace Hub under a plausible name (e.g., 'perceiver-base-finetuned-images-v2'). A data scientist or automated pipeline calls `PerceiverModel.from_pretrained('attacker/perceiver-base-finetuned-images-v2')`, the Transformers library deserializes the model file without validation, and the payload executes — establishing a reverse shell, exfiltrating API keys from environment variables, or pivoting to internal infrastructure. In CI/CD contexts where models are pulled during training jobs, this achieves server-side RCE with no further attacker interaction.

Weaknesses (CWE)

CWE-502 — Deserialization of Untrusted Data: The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

  • [Architecture and Design, Implementation] If available, use the signing/sealing features of the programming language to assure that deserialized data has not been tainted. For example, a hash-based message authentication code (HMAC) could be used to ensure that data has not been modified.
  • [Implementation] When deserializing data, populate a new object rather than just deserializing. The result is that the data flows through safe input validation and that the functions are safe.

Source: MITRE CWE corpus.

Timeline

Published: December 23, 2025
Last Modified: January 21, 2026
First Seen: December 23, 2025
