CVE-2025-14928: transformers: Code Injection enables RCE
CVE-2025-14928 is a code injection RCE in Hugging Face Transformers' HuBERT convert_config function: a malicious model checkpoint triggers arbitrary Python execution on the machine that converts it. If your ML teams pull and convert external HuBERT checkpoints, treat this as a critical supply chain risk: isolate conversion workflows now and block untrusted checkpoint sources until a patch is confirmed. This is the attack pattern used to compromise ML infrastructure through seemingly innocent model downloads.
Risk Assessment
High risk for any organization with active HuBERT model conversion workflows. CVSS is pending and user interaction is required (an engineer or an automated job must run the conversion), but the attacker controls the trigger simply by publishing a malicious checkpoint to the Hugging Face Hub or delivering it through other channels. The attack surface is broad: ML engineers routinely download and convert public checkpoints without security review. The RCE lands in the context of the data scientist or the MLOps pipeline runner, which often has broad access to training infrastructure, cloud credentials and internal data.
Affected Systems
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| transformers | pip | — | No patch |
Do you use transformers to convert HuBERT checkpoints you did not produce yourself? Treat those workflows as affected until a fixed version is published; the flaw is in the conversion path, so loading already-converted, trusted models is not the trigger described here.
Recommended Action
1. IMMEDIATE: Audit all pipelines that use transformers' HuBERT convert_config; inventory where external checkpoints are consumed.
2. Block or quarantine conversion of HuBERT checkpoints from untrusted sources (anything outside your own model registry).
3. Run any checkpoint conversion in ephemeral, network-isolated containers with no access to production credentials or secrets.
4. Monitor for unexpected subprocess spawning or network connections originating from Python ML processes during model conversion.
5. Watch the transformers release notes and the GitHub Advisory Database for a fixed version; none is confirmed yet per the CVE data.
6. Apply least privilege to ML pipeline service accounts so the exploitation blast radius is contained.
7. Detection: syscall-level runtime tools (Falco and other eBPF-based sensors) cannot see Python eval()/exec() calls, only their effects, so alert there on execve and outbound connect from conversion processes; if you need to catch the dynamic code execution itself, install a Python audit hook (sys.addaudithook, Python 3.8+) inside the conversion environment.
CISA SSVC Assessment
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
Frequently Asked Questions
What is CVE-2025-14928?
A code injection RCE in Hugging Face Transformers' HuBERT convert_config function: converting a malicious checkpoint runs attacker-supplied Python on the converting machine with the privileges of the converting user. See the summary at the top of this page.
Is CVE-2025-14928 actively exploited?
No confirmed active exploitation of CVE-2025-14928 has been reported. No fixed version is confirmed yet either, so apply the mitigations under Recommended Action now and upgrade as soon as a patched release is published.
How to fix CVE-2025-14928?
Follow the seven steps under Recommended Action above: inventory HuBERT conversion pipelines, quarantine checkpoints from untrusted sources, convert only in ephemeral network-isolated containers without production credentials, monitor conversion processes for unexpected subprocesses and connections, watch for a fixed release (none confirmed yet), apply least privilege to pipeline service accounts, and add Python-level detection of eval()/exec() where syscall tools cannot see it.
What systems are affected by CVE-2025-14928?
This vulnerability affects the following AI/ML architecture patterns: training pipelines, MLOps/model conversion workflows, model serving preparation pipelines, data scientist workstations, automated model ingestion systems.
What is the CVSS score for CVE-2025-14928?
No CVSS score has been assigned yet.
Technical Details
NVD Description
Hugging Face Transformers HuBERT convert_config Code Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the target must convert a malicious checkpoint. The specific flaw exists within the convert_config function. The issue results from the lack of proper validation of a user-supplied string before using it to execute Python code. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-28253.
Exploitation Scenario
An attacker publishes a crafted HuBERT model to the Hugging Face Hub with a poisoned config that embeds a Python payload (a reverse shell or credential harvester, for example) in a field consumed by convert_config. They promote the model through legitimate-looking channels: a GitHub repo, a paper citation, or a Slack message to an ML team. An ML engineer or an automated MLOps job pulls the checkpoint and runs the conversion step. convert_config evaluates the malicious string as Python code, executing the payload with the privileges of the converting process. In a typical MLOps environment this yields access to AWS/GCP credentials in environment variables, internal artifact stores and training compute, all from a single model download.
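Added example, not code from transformers or from the advisory: a toy convert_config in the vulnerable shape the NVD text describes (a config string passed straight to eval()) beside a hardened form that accepts only Python literals, together with the Python-level detection from step 7 of Recommended Action, a CPython audit hook that refuses string-sourced eval()/exec() while a conversion is in progress. The config field names, the sample values and the getpid payload are constructed for illustration; the page does not name the real vulnerable field.

```python
"""Added example (not transformers code): a toy convert_config in its
vulnerable eval() shape beside a hardened literal-only form, plus a CPython
audit hook (sys.addaudithook, Python 3.8+) that blocks string-sourced
eval()/exec() while a checkpoint conversion is in progress."""
import ast
import sys
import threading


class DynamicCodeBlocked(RuntimeError):
    """Raised when eval()/exec() of a string is attempted under the guard."""


_state = threading.local()   # per-thread: guard active flag + blocked attempts


def _audit_hook(event, args):
    if event != "exec":          # raised by eval()/exec() for every code object they run
        return
    code = args[0]
    # eval("...") / exec("...") compile their string to a code object whose
    # co_filename is "<string>"; importlib executes module code objects with a
    # real path, so imports made during conversion are not affected.
    if code.co_filename != "<string>":
        return
    if getattr(_state, "active", False):
        _state.blocked.append(code.co_names)   # record the names the payload referenced
        raise DynamicCodeBlocked("string eval()/exec() blocked during checkpoint conversion")


sys.addaudithook(_audit_hook)    # audit hooks cannot be removed once installed


def run_guarded(fn, *args):
    """Run fn(*args) with the guard active on this thread.
    Returns (result, blocked): blocked lists the co_names of each code object
    the guard refused; result is None when the call was aborted."""
    _state.active, _state.blocked = True, []
    try:
        return fn(*args), list(_state.blocked)
    except DynamicCodeBlocked:
        return None, list(_state.blocked)
    finally:
        _state.active = False


def convert_config_vulnerable(raw):
    """Illustrative vulnerable pattern: config strings coerced with eval()."""
    return {key: eval(value) for key, value in raw.items()}


def convert_config_hardened(raw):
    """Hardened form: only Python literals (numbers, strings, lists, ...) are
    accepted; calls, attribute access and names are rejected before anything runs."""
    converted = {}
    for key, value in raw.items():
        try:
            converted[key] = ast.literal_eval(value)
        except (ValueError, SyntaxError) as exc:
            raise ValueError(f"config field {key!r} is not a plain literal: {value!r}") from exc
    return converted


# Constructed sample config strings; field names are illustrative, not HuBERT's.
SAFE_RAW = {"hidden_size": "768", "conv_dim": "[512, 512, 512]", "dropout": "0.1"}
MALICIOUS_RAW = dict(SAFE_RAW, hidden_size="__import__('os').getpid()")  # harmless stand-in payload


def demo():
    """Exercise both converters against both configs; returns a summary dict."""
    hardened_ok, _ = run_guarded(convert_config_hardened, SAFE_RAW)
    try:
        run_guarded(convert_config_hardened, MALICIOUS_RAW)
        hardened_rejects = False
    except ValueError:
        hardened_rejects = True
    _, blocked = run_guarded(convert_config_vulnerable, MALICIOUS_RAW)
    return {
        "hardened_result": hardened_ok,                 # {'hidden_size': 768, 'conv_dim': [512, 512, 512], 'dropout': 0.1}
        "hardened_rejects_payload": hardened_rejects,   # True
        "vulnerable_blocked_names": blocked,            # [('__import__', 'getpid')]
    }


if __name__ == "__main__":
    print(demo())
```

The hook keys on co_filename because the same "exec" audit event is raised for every module importlib executes; refusing all of them would break the conversion's own imports. It is a Python-level control that belongs inside the isolated conversion container alongside syscall-level monitoring, not in place of it: a payload that has already escaped to a subprocess is out of its reach.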
Related Vulnerabilities
| CVE | CVSS | Title | Relation |
|---|---|---|---|
| CVE-2024-3568 | 9.6 | HuggingFace Transformers: RCE via pickle deserialization | Same package: transformers |
| CVE-2024-11393 | 8.8 | Transformers: RCE via MaskFormer model deserialization | Same package: transformers |
| CVE-2023-6730 | 8.8 | HuggingFace Transformers: RCE via unsafe deserialization | Same package: transformers |
| CVE-2024-11392 | 8.8 | HuggingFace Transformers: RCE via config deserialization | Same package: transformers |
| CVE-2024-11394 | 8.8 | Transformers: RCE via Trax model deserialization | Same package: transformers |