CVE-2025-14924: Transformers Deserialization

CISO Take

Any team loading Megatron-GPT2 checkpoints via Hugging Face Transformers is exposed to arbitrary code execution at model-load time — patch or restrict checkpoint ingestion immediately. The real danger is not direct attacks but poisoned model files distributed via Hugging Face Hub, internal model registries, or third-party model repositories that your ML pipelines load automatically. Audit all automated checkpoint-loading workflows and enforce allowlists of trusted model sources before resuming normal operations.

What is the risk?

Effective severity is HIGH despite the N/A CVSS. Deserialization RCE in a Python ML library (almost certainly pickle-based) is trivially exploitable once a malicious checkpoint is in the loading path — exploitation requires no authentication, no privileges, and only user-level interaction (opening a file or visiting a page that triggers a download). The blast radius is significant: ML training and inference processes typically run with broad filesystem and network access, making post-exploitation lateral movement straightforward. Exposure is wide given Transformers is the dominant ML framework and Megatron-GPT2 is used in large-scale LLM training pipelines at enterprise scale.

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
Transformers	pip	—	No patch
161.8K OpenSSF 6.4 8.3K dependents Pushed 6d ago 40% patched ~92d to patch Full package profile →

Do you use Transformers? You're affected.

How severe is it?

CVSS 3.1

N/A

EPSS

0.3%

chance of exploitation in 30 days

Higher than 17% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

No known exploitation

Sophistication

Moderate

What should I do?

6 steps

PATCH

Upgrade Hugging Face Transformers to the patched version as soon as ZDI-25-1141 discloses the fixed release. Monitor the Transformers GitHub releases page.
RESTRICT

Block loading of checkpoints from unverified sources in all automated pipelines; implement SHA-256 hash verification of checkpoint files against a trusted manifest before deserialization.
SANDBOX

Run checkpoint loading in isolated environments (containers with no network egress, restricted filesystem mounts) to limit post-exploit blast radius.
AUDIT

Review all pipeline code that calls megatron_gpt2 loading functions; grep for torch.load, pickle.load, and equivalent calls without weights_only=True.
DETECT

Alert on unexpected outbound network connections or filesystem writes originating from training/inference processes; these are canary indicators of post-exploit activity.
POLICY

Enforce a model provenance policy — only load checkpoints from internal registries with signed provenance records.

What does CISA's SSVC say?

Decision Track

Exploitation none

Automatable No

Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Code Execution Supply Chain Framework Model AML.T0010.003 - Model AML.T0011.000 - Unsafe AI Artifacts AML.T0018.002 - Embed Malware AML.T0058 - Publish Poisoned Models AML.T0078 - Drive-by Compromise AML.T0079 - Stage Capabilities

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity Article 9 - Risk management system

ISO 42001

A.6.1.4 - AI supply chain A.6.1.5 - AI system supply chain management A.9.1 - AI system operation, monitoring and review A.9.4 - AI system security

NIST AI RMF

GOVERN 6.1 - Policies and procedures for AI supply chain risk MANAGE 2.2 - Mechanisms to sustain and manage identified AI risks MANAGE 2.4 - Mechanisms to sustain treatment of identified risks

OWASP LLM Top 10

LLM03:2025 - Supply Chain Vulnerabilities LLM05:2025 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2025-14924?

Any team loading Megatron-GPT2 checkpoints via Hugging Face Transformers is exposed to arbitrary code execution at model-load time — patch or restrict checkpoint ingestion immediately. The real danger is not direct attacks but poisoned model files distributed via Hugging Face Hub, internal model registries, or third-party model repositories that your ML pipelines load automatically. Audit all automated checkpoint-loading workflows and enforce allowlists of trusted model sources before resuming normal operations.

Is CVE-2025-14924 actively exploited?

No confirmed active exploitation of CVE-2025-14924 has been reported, but organizations should still patch proactively.

How to fix CVE-2025-14924?

1. PATCH: Upgrade Hugging Face Transformers to the patched version as soon as ZDI-25-1141 discloses the fixed release. Monitor the Transformers GitHub releases page. 2. RESTRICT: Block loading of checkpoints from unverified sources in all automated pipelines; implement SHA-256 hash verification of checkpoint files against a trusted manifest before deserialization. 3. SANDBOX: Run checkpoint loading in isolated environments (containers with no network egress, restricted filesystem mounts) to limit post-exploit blast radius. 4. AUDIT: Review all pipeline code that calls megatron_gpt2 loading functions; grep for `torch.load`, `pickle.load`, and equivalent calls without `weights_only=True`. 5. DETECT: Alert on unexpected outbound network connections or filesystem writes originating from training/inference processes; these are canary indicators of post-exploit activity. 6. POLICY: Enforce a model provenance policy — only load checkpoints from internal registries with signed provenance records.

What systems are affected by CVE-2025-14924?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving, MLOps pipelines, model registries, research and experimentation environments.

What is the CVSS score for CVE-2025-14924?

No CVSS score has been assigned yet.

What is the AI security impact?

Affected AI Architectures

training pipelinesmodel servingMLOps pipelinesmodel registriesresearch and experimentation environments

MITRE ATLAS Techniques

AML.T0010.003 Model

AML.T0011.000 Unsafe AI Artifacts

AML.T0018.002 Embed Malware

AML.T0058 Publish Poisoned Models

AML.T0078 Drive-by Compromise

AML.T0079 Stage Capabilities

Compliance Controls Affected

EU AI Act: Article 15, Article 9

ISO 42001: A.6.1.4, A.6.1.5, A.9.1, A.9.4

NIST AI RMF: GOVERN 6.1, MANAGE 2.2, MANAGE 2.4

OWASP LLM Top 10: LLM03:2025, LLM05:2025

What are the technical details?

Original Advisory

Hugging Face Transformers megatron_gpt2 Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of checkpoints. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-27984.

Exploitation Scenario

An adversary publishes a seemingly legitimate Megatron-GPT2 fine-tuned checkpoint to Hugging Face Hub, embedding a malicious pickle payload in the checkpoint file. They promote it via AI community forums or social media targeting ML engineers. A data scientist at a target organization downloads and loads the checkpoint using the standard Transformers API. The deserialization step triggers the embedded payload, executing a reverse shell or credential-harvesting script in the context of the training process — which typically runs with broad permissions on GPU infrastructure. Alternatively, an attacker who has compromised a model registry or S3 bucket used by an automated MLOps pipeline can inject the malicious checkpoint, achieving RCE without any direct user interaction beyond the pipeline's normal execution.

Weaknesses (CWE)

CWE-502 Deserialization of Untrusted Data Primary

CWE-502 — Deserialization of Untrusted Data: The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

[Architecture and Design, Implementation] If available, use the signing/sealing features of the programming language to assure that deserialized data has not been tainted. For example, a hash-based message authentication code (HMAC) could be used to ensure that data has not been modified.
[Implementation] When deserializing data, populate a new object rather than just deserializing. The result is that the data flows through safe input validation and that the functions are safe.

Source: MITRE CWE corpus.