CVE-2025-14926: transformers: Code Injection enables RCE
CVE-2025-14926 is a code injection flaw in Hugging Face Transformers that allows RCE when converting malicious model checkpoints. Any team that downloads and converts third-party models — a common MLOps practice — is at risk. Immediately audit Transformers usage across your ML pipelines, patch to a fixed version, and enforce a model provenance policy restricting checkpoint sources to verified publishers.
What is the risk?
High risk for organizations running ML pipelines that ingest external or community-sourced model checkpoints. While user interaction is required (a practitioner must explicitly run convert_config on a malicious checkpoint), this is standard MLOps behavior when fine-tuning or porting models. The HuggingFace Hub's open-publishing model makes distribution of weaponized checkpoints trivial. No CVSS score is yet assigned, but the CWE-94 (Code Injection) primitive resulting in arbitrary RCE places practical severity at Critical for affected workflows. EPSS is unavailable but exploit complexity is moderate given the well-understood nature of unsafe deserialization/eval patterns in Python ML tooling.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| Transformers | pip | — | No patch |
Do you use Transformers? You're affected.
What should I do?
Six steps:
1. PATCH: Upgrade Hugging Face Transformers to the patched version once released; monitor https://github.com/huggingface/transformers/security/advisories for the fix.
2. RESTRICT SOURCES: Enforce a model allowlist — only load checkpoints from verified organizational accounts or cryptographically signed sources. Block unauthenticated HuggingFace Hub downloads in production pipelines.
3. SANDBOX: Run all model conversion and checkpoint loading operations inside isolated containers or VMs with no network access and minimal filesystem permissions.
4. AUDIT CODE: Search the codebase for calls to convert_config and any eval/exec patterns in Transformers-dependent code.
5. DETECT: Alert on unexpected child process spawning from Python ML processes, outbound connections from training/inference hosts, and anomalous file writes in model storage directories.
6. INTERIM WORKAROUND: Disable or gate the convert_config workflow until patched; require security review before introducing new model checkpoints into any pipeline.
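The AUDIT CODE step is easiest to do mechanically rather than by grepping. The following is an added example, not code from this advisory or from the Transformers project: it parses Python source with the standard `ast` module and reports every call to `eval`, `exec` or `compile` and every call to a function named `convert_config`, with the line number, while leaving `ast.literal_eval` unflagged. The source it scans is constructed for the demonstration, and the `converter` module imported there is a placeholder name.

```python
"""Audit helper for the AUDIT CODE step (added example, not advisory or
Transformers code): find calls to eval/exec/compile and to convert_config."""
import ast
from dataclasses import dataclass
from typing import List, Optional

# Callees that interpret strings as Python source, and the conversion entry
# point named in the advisory. Extend both sets to match your own code base.
DYNAMIC_EVAL_NAMES = {"eval", "exec", "compile"}
CONVERSION_NAMES = {"convert_config"}


@dataclass(frozen=True)
class Finding:
    kind: str    # "dynamic-eval" or "conversion-call"
    callee: str  # the call target as written, e.g. "eval" or "conv.convert_config"
    line: int


def _callee_name(node: ast.Call) -> Optional[str]:
    """Rebuild a dotted callee name from Name/Attribute nodes; None for anything else."""
    parts = []
    func = node.func
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
        return ".".join(reversed(parts))
    return None  # e.g. a call on a subscript or a lambda; not a plain name


def audit_source(source: str, filename: str = "<string>") -> List[Finding]:
    """Return every flagged call in `source`, ordered by line number."""
    findings = []
    for node in ast.walk(ast.parse(source, filename=filename)):
        if not isinstance(node, ast.Call):
            continue
        name = _callee_name(node)
        if name is None:
            continue
        last = name.rsplit(".", 1)[-1]  # match on the final component only
        if last in DYNAMIC_EVAL_NAMES:
            findings.append(Finding("dynamic-eval", name, node.lineno))
        elif last in CONVERSION_NAMES:
            findings.append(Finding("conversion-call", name, node.lineno))
    return sorted(findings, key=lambda f: f.line)


# Constructed sample; `converter` is a placeholder module name, not a real package.
SAMPLE_SOURCE = '''\
import ast
import json
from converter import convert_config

def load(path):
    with open(path) as fh:
        cfg = json.load(fh)
    act = eval(cfg["hidden_act"])
    dims = ast.literal_eval(cfg["conv_dim"])
    return convert_config(cfg, path)
'''

if __name__ == "__main__":
    for f in audit_source(SAMPLE_SOURCE, "sample.py"):
        print(f"sample.py:{f.line}: {f.kind}: {f.callee}(...)")
```

Run it over each file in the repository (read the file, call `audit_source`) and review every `dynamic-eval` hit by hand; a `conversion-call` hit marks the place where the INTERIM WORKAROUND gate belongs.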
What does CISA's SSVC say?
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
Frequently Asked Questions
What is CVE-2025-14926?
CVE-2025-14926 is a code injection flaw in Hugging Face Transformers that allows RCE when converting malicious model checkpoints. Any team that downloads and converts third-party models — a common MLOps practice — is at risk. Immediately audit Transformers usage across your ML pipelines, patch to a fixed version, and enforce a model provenance policy restricting checkpoint sources to verified publishers.
Is CVE-2025-14926 actively exploited?
No confirmed active exploitation of CVE-2025-14926 has been reported, but organizations should still patch proactively.
How to fix CVE-2025-14926?
1. PATCH: Upgrade Hugging Face Transformers to the patched version once released; monitor https://github.com/huggingface/transformers/security/advisories for the fix. 2. RESTRICT SOURCES: Enforce a model allowlist — only load checkpoints from verified organizational accounts or cryptographically signed sources. Block unauthenticated HuggingFace Hub downloads in production pipelines. 3. SANDBOX: Run all model conversion and checkpoint loading operations inside isolated containers or VMs with no network access and minimal filesystem permissions. 4. AUDIT CODE: Search codebase for calls to convert_config and any eval/exec patterns in Transformers-dependent code. 5. DETECT: Alert on unexpected child process spawning from Python ML processes, outbound connections from training/inference hosts, and anomalous file writes in model storage directories. 6. INTERIM WORKAROUND: Disable or gate the convert_config workflow until patched; require security review before introducing new model checkpoints into any pipeline.
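The DETECT step names two signals that a process/network telemetry feed makes straightforward to alert on. The following is an added example, not code from the advisory: two rules run over newline-delimited JSON events, one flagging any child of a Python process on an ML host that is not on an expected-children allowlist, the other flagging outbound connections from those hosts to destinations outside an approved set. The events, host names, allowlists and `example` domains are all constructed for the demonstration.

```python
"""Detection rules for the DETECT step (added example, not advisory code):
flag unexpected children of Python ML processes and unapproved outbound
connections from training hosts, over constructed process/network events."""
import json
from typing import Dict, List

# Children a Python training/conversion process is expected to spawn
# (a constructed allowlist; tune it to your own environment).
EXPECTED_CHILDREN = {"nvidia-smi", "git", "gcc", "g++", "nvcc", "ninja", "ld"}
PYTHON_NAMES = {"python", "python3", "python3.10", "python3.11", "python3.12"}

# Destinations ML hosts may reach (constructed; internal artifact mirrors).
APPROVED_DESTINATIONS = {"artifacts.internal.example", "mirror.internal.example"}

# Hosts treated as training/inference/conversion hosts (constructed).
ML_HOSTS = {"train-gpu-07", "convert-01"}


def evaluate_event(event: Dict) -> List[str]:
    """Return zero or more alert strings for a single event."""
    alerts = []
    host = event.get("host", "")
    if host not in ML_HOSTS:
        return alerts  # rules apply to ML hosts only
    if event.get("type") == "exec":
        parent = event.get("parent_comm", "")
        child = event.get("comm", "")
        if parent in PYTHON_NAMES and child not in EXPECTED_CHILDREN:
            alerts.append(
                f"{host}: python process spawned unexpected child {child!r} "
                f"({event.get('args', '')})"
            )
    elif event.get("type") == "connect":
        dst = event.get("dst", "")
        if dst not in APPROVED_DESTINATIONS:
            alerts.append(
                f"{host}: {event.get('comm', '?')} connected to unapproved "
                f"destination {dst}:{event.get('dport')}"
            )
    return alerts


def evaluate_log(jsonl: str) -> List[str]:
    """Run the rules over newline-delimited JSON events, skipping malformed lines."""
    alerts = []
    for line in jsonl.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # a malformed line must not stop the run
        alerts.extend(evaluate_event(event))
    return alerts


# Constructed events in the shape an EDR or auditd forwarder might emit.
SAMPLE_EVENTS = """\
{"ts": "2025-12-01T09:14:02Z", "type": "exec", "host": "train-gpu-07", "parent_comm": "python3", "comm": "nvidia-smi", "args": "nvidia-smi --query-gpu=memory.used --format=csv"}
{"ts": "2025-12-01T09:14:05Z", "type": "exec", "host": "train-gpu-07", "parent_comm": "python3", "comm": "sh", "args": "sh -c id"}
{"ts": "2025-12-01T09:14:06Z", "type": "connect", "host": "train-gpu-07", "comm": "python3", "dst": "artifacts.internal.example", "dport": 443}
{"ts": "2025-12-01T09:14:09Z", "type": "connect", "host": "train-gpu-07", "comm": "python3", "dst": "203.0.113.45", "dport": 4444}
{"ts": "2025-12-01T09:15:00Z", "type": "exec", "host": "build-02", "parent_comm": "python3", "comm": "sh", "args": "sh -c make"}
not json at all
"""

if __name__ == "__main__":
    for alert in evaluate_log(SAMPLE_EVENTS):
        print("ALERT:", alert)
```

Allowlisting expected children rather than blocklisting shells keeps the rule meaningful on hosts where compilers and `nvidia-smi` are routinely spawned; the cost is maintaining the list, which is why the rule is scoped to the named ML hosts only.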
What systems are affected by CVE-2025-14926?
This vulnerability affects the following AI/ML architecture patterns: training pipelines, model fine-tuning workflows, MLOps model conversion utilities, model serving (pre-deployment conversion stage), CI/CD pipelines with automated model validation.
What is the CVSS score for CVE-2025-14926?
No CVSS score has been assigned yet.
What is the AI security impact?
MITRE ATLAS Techniques
- AML.T0010.001 AI Software
- AML.T0010.003 Model
- AML.T0011.000 Unsafe AI Artifacts
- AML.T0018.002 Embed Malware
- AML.T0050 Command and Scripting Interpreter
- AML.T0058 Publish Poisoned Models
- AML.T0072 Reverse Shell
What are the technical details?
Original Advisory
Hugging Face Transformers SEW convert_config Code Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the target must convert a malicious checkpoint. The specific flaw exists within the convert_config function. The issue results from the lack of proper validation of a user-supplied string before using it to execute Python code. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-28251.
Exploitation Scenario
An adversary creates a Hugging Face account and publishes a SEW model checkpoint with a maliciously crafted configuration file. The config contains a payload exploiting the lack of input validation in convert_config — for example, a string value that is passed directly to exec() or eval() in the Python runtime. The attacker promotes the model on social media, AI forums, or submits it as a dependency update to an open-source project. A data scientist or automated MLOps pipeline downloads and calls convert_config on the checkpoint during model evaluation or fine-tuning preparation. Arbitrary code executes with the privileges of the ML process — potentially exfiltrating API keys from environment variables, pivoting to cloud storage containing proprietary training data, or establishing persistence on GPU training infrastructure.
Weaknesses (CWE)
CWE-94 — Improper Control of Generation of Code ('Code Injection'): The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
- [Architecture and Design] Refactor your program so that you do not have to dynamically generate code.
- [Architecture and Design] Run your code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which code can be executed by your product. Examples include the Unix chroot jail and AppArmor. In general, managed code may provide some protection. This may not be a feasible solution, and it only limits the impact to the operating system; the rest of your application may still be subject to compromise. Be careful to avoid CWE-243 and other weaknesses related to jails.
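To make the CWE-94 pattern from the exploitation scenario and the first mitigation above concrete, here is an added example on a hypothetical converter; it is not Transformers' `convert_config`, whose internals the advisory does not show. `parse_unsafe` hands string-valued config fields to `eval()`, so any expression stored in a checkpoint config executes during conversion. `parse_safe` refactors that away: keys are allowlisted, strings are parsed with `ast.literal_eval` (literal syntax only, no names, calls or operators), and the resulting type is checked against a schema. The schema, field names and configs are constructed.

```python
"""Hypothetical converter config parsing (added example, not Transformers
code): the CWE-94 defect beside a literal-only replacement."""
import ast
import json
from typing import Any, Dict

# Fields the converter may read and the Python type each must have
# (a constructed schema; the advisory does not show the real config keys).
SCHEMA: Dict[str, type] = {
    "hidden_size": int,
    "conv_dim": list,
}


def parse_unsafe(config_json: str) -> Dict[str, Any]:
    """Vulnerable pattern: string-valued fields are handed to eval()."""
    raw = json.loads(config_json)
    parsed = {}
    for key, value in raw.items():
        # Any Python expression stored in the checkpoint config runs here.
        parsed[key] = eval(value) if isinstance(value, str) else value
    return parsed


def parse_safe(config_json: str) -> Dict[str, Any]:
    """Hardened pattern: allowlisted keys, literal-only parsing, type check."""
    raw = json.loads(config_json)
    parsed = {}
    for key, value in raw.items():
        if key not in SCHEMA:
            raise ValueError(f"unexpected config key {key!r}")
        expected = SCHEMA[key]
        if isinstance(value, str) and expected is not str:
            try:
                # literal_eval builds the value from literal syntax only;
                # names, calls, attribute access and operators are rejected.
                value = ast.literal_eval(value)
            except (ValueError, TypeError, SyntaxError) as exc:
                raise ValueError(f"{key}: not a plain literal: {value!r}") from exc
        if type(value) is not expected:
            raise ValueError(
                f"{key}: expected {expected.__name__}, got {type(value).__name__}"
            )
        parsed[key] = value
    return parsed


def safe_rejects(config_json: str) -> bool:
    """True if parse_safe refuses the config (used for the checks below)."""
    try:
        parse_safe(config_json)
    except ValueError:
        return True
    return False


# Constructed configs: the second stores an expression where a list literal
# belongs, the third carries a key the converter has no business reading.
BENIGN_CONFIG = '{"hidden_size": 768, "conv_dim": "[512, 512, 512]"}'
EXPRESSION_CONFIG = '{"hidden_size": 768, "conv_dim": "[2 ** 9] * 3"}'
EXTRA_KEY_CONFIG = '{"hidden_size": 768, "conv_dim": "[512]", "unknown_field": "0"}'

if __name__ == "__main__":
    print("unsafe, benign    :", parse_unsafe(BENIGN_CONFIG))
    print("unsafe, expression:", parse_unsafe(EXPRESSION_CONFIG))  # the expression ran
    print("safe,   benign    :", parse_safe(BENIGN_CONFIG))
    print("safe,   expression:", "rejected" if safe_rejects(EXPRESSION_CONFIG) else "accepted")
    print("safe,   extra key :", "rejected" if safe_rejects(EXTRA_KEY_CONFIG) else "accepted")
```

Both parsers produce the same list for the benign config; the difference is that `parse_unsafe` also computes `[2 ** 9] * 3`, proving that config text is being executed, whereas `parse_safe` raises on it. Rejecting unknown keys matters as much as the literal check: a converter that ignores fields it does not understand still leaves them for some later component to interpret.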
Source: MITRE CWE corpus.
Related Vulnerabilities
- CVE-2026-26210 (9.8) KTransformers: pickle RCE via unauthenticated ZMQ socket
- CVE-2024-3568 (9.6) HuggingFace Transformers: RCE via pickle deserialization (same package: transformers)
- CVE-2026-5241 (9.6) transformers: trust_remote_code bypass enables RCE via model load (same package: transformers)
- CVE-2024-11393 (8.8) Transformers: RCE via MaskFormer model deserialization (same package: transformers)
- CVE-2023-6730 (8.8) HuggingFace Transformers: RCE via unsafe deserialization (same package: transformers)
Same package: transformers