CVE-2025-14928: transformers: Code Injection enables RCE

Published December 23, 2025
CISO Take

CVE-2025-14928 is a code injection RCE in Hugging Face Transformers' HuBERT convert_config function — a malicious model checkpoint triggers arbitrary Python execution on the converting machine. If your ML teams pull and convert external HuBERT checkpoints, treat this as a critical supply chain risk: isolate conversion workflows immediately and block untrusted checkpoint sources until a patch is confirmed. This is the exact attack pattern attackers use to own ML infrastructure via 'innocent' model downloads.

What is the risk?

High risk for any organization with active HuBERT model conversion workflows. While CVSS is pending and user interaction is required (the engineer must run the conversion), the attacker controls the exploit trigger by simply publishing a malicious checkpoint to HuggingFace Hub or delivering it via other channels. The attack surface is broad — ML engineers routinely download and convert public checkpoints without security review. RCE lands in the context of the data scientist or MLOps pipeline runner, which often has broad access to training infrastructure, cloud credentials, and internal data.

What systems are affected?

Package: Transformers
Ecosystem: pip
Vulnerable Range: (not listed)
Patched: No patch

Do you use Transformers? You're affected.

How severe is it?

CVSS 3.1: N/A
EPSS: 0.3% chance of exploitation in 30 days (higher than 19% of all CVEs)
Exploitation Status: No known exploitation
Sophistication: Moderate

What should I do?

7 steps
  1. IMMEDIATE: Audit all pipelines using transformers' HuBERT convert_config — inventory where external checkpoints are consumed.

  2. Block or quarantine conversion of HuBERT checkpoints from untrusted sources (anything outside your own model registry).

  3. Run any checkpoint conversion in ephemeral, network-isolated containers with no access to production credentials or secrets.

  4. Monitor for unexpected subprocess spawning or network connections originating from Python ML processes during model conversion.

  5. Subscribe to transformers release notes (GitHub Advisory Database) for patch availability — no fixed version is confirmed yet per CVE data.

  6. Apply least-privilege to ML pipeline service accounts so exploitation blast radius is contained.

  7. Detection: alert on eval()/exec() calls in transformers processes via runtime security tools (Falco, eBPF-based) if feasible.
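Step 7 asks for an alert on eval()/exec() inside the converting process. Host tools such as Falco see the resulting syscalls; the Python process itself can also raise the flag earlier. The following is an added example, not code from the advisory or from transformers: a tripwire built on sys.addaudithook. CPython emits the "exec" audit event for every exec() and eval() call, and code compiled from a string carries co_filename "<string>", which separates dynamic evaluation from ordinary module imports (which also pass through exec(), but with a real file path). The guard context manager, the convert_with_guard wrapper and the naive converter in the demo are hypothetical; the config values are constructed.

```python
# Added example (not from the advisory or transformers): a process-level tripwire
# for dynamic code execution during an untrusted step such as checkpoint conversion.
# Audit hooks cannot be removed once installed, so this one only records by default
# and blocks only while explicitly armed.
import contextlib
import sys
import threading

_events = []                 # records of string-compiled code executions seen so far
_state = threading.local()   # per-thread "armed" flag


def _dynamic_code_hook(event, args):
    if event != "exec":
        return
    code = args[0]  # the code object about to run
    # Module imports also raise "exec", but their code carries the source path;
    # eval()/exec() on a string produce code whose filename is "<string>".
    if getattr(code, "co_filename", None) != "<string>":
        return
    _events.append({"name": code.co_name, "names": sorted(code.co_names)})
    if getattr(_state, "armed", False):
        raise RuntimeError("dynamic code execution blocked during untrusted step")


sys.addaudithook(_dynamic_code_hook)


@contextlib.contextmanager
def block_dynamic_code():
    """Arm the hook for the duration of a block, e.g. one checkpoint conversion."""
    previous = getattr(_state, "armed", False)
    _state.armed = True
    try:
        yield
    finally:
        _state.armed = previous


def recorded_events():
    """Copy of everything the hook has seen so far (armed or not)."""
    return list(_events)


def clear_events():
    del _events[:]


def convert_with_guard(converter, raw_config):
    """Run a (hypothetical) converter under the guard; returns (result, error)."""
    try:
        with block_dynamic_code():
            return converter(raw_config), None
    except RuntimeError as exc:
        return None, str(exc)


if __name__ == "__main__":
    # Constructed converter that misuses eval() the way CWE-94 describes.
    def naive_converter(raw):
        return {"conv_dim": eval(raw["conv_dim"])}

    print(convert_with_guard(naive_converter, {"conv_dim": "[512, 512]"}))
    print(recorded_events())
```

This is a tripwire, not a sandbox: it stops the first string evaluation while armed and leaves a record of the names the code referenced, but a payload that is already running can compile code under a different filename and get past it. Use it as early warning inside the conversion container, alongside the network isolation and least privilege in steps 3 and 6.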

What does CISA's SSVC say?

Decision: Track
Exploitation: none
Automatable: No
Technical Impact: total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
Article 17 - Quality Management System — Third Party Components
Article 9 - Risk Management System
ISO 42001
6.1.2 - AI risk assessment
8.4 - AI system operation and monitoring
A.6.1.6 - AI system supply chain management
A.9.4 - AI system security
NIST AI RMF
GOVERN 1.6 - Policies and procedures for AI risk and supply chain
MANAGE 2.2 - Mechanisms to sustain the value of deployed AI
MAP 2.1 - Scientific findings and AI supply chain risks
OWASP LLM Top 10
LLM03:2025 - Supply Chain
LLM05 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2025-14928?

CVE-2025-14928 is a code injection RCE in Hugging Face Transformers' HuBERT convert_config function — a malicious model checkpoint triggers arbitrary Python execution on the converting machine. If your ML teams pull and convert external HuBERT checkpoints, treat this as a critical supply chain risk: isolate conversion workflows immediately and block untrusted checkpoint sources until a patch is confirmed. This is the exact attack pattern attackers use to own ML infrastructure via 'innocent' model downloads.

Is CVE-2025-14928 actively exploited?

No confirmed active exploitation of CVE-2025-14928 has been reported, but organizations should still patch proactively.

How to fix CVE-2025-14928?

1. IMMEDIATE: Audit all pipelines using transformers' HuBERT convert_config — inventory where external checkpoints are consumed.
2. Block or quarantine conversion of HuBERT checkpoints from untrusted sources (anything outside your own model registry).
3. Run any checkpoint conversion in ephemeral, network-isolated containers with no access to production credentials or secrets.
4. Monitor for unexpected subprocess spawning or network connections originating from Python ML processes during model conversion.
5. Subscribe to transformers release notes (GitHub Advisory Database) for patch availability — no fixed version is confirmed yet per CVE data.
6. Apply least-privilege to ML pipeline service accounts so exploitation blast radius is contained.
7. Detection: alert on eval()/exec() calls in transformers processes via runtime security tools (Falco, eBPF-based) if feasible.

What systems are affected by CVE-2025-14928?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, MLOps/model conversion workflows, model serving preparation pipelines, data scientist workstations, automated model ingestion systems.

What is the CVSS score for CVE-2025-14928?

No CVSS score has been assigned yet.

What is the AI security impact?

Affected AI Architectures

training pipelines
MLOps/model conversion workflows
model serving preparation pipelines
data scientist workstations
automated model ingestion systems

MITRE ATLAS Techniques

AML.T0010.003 Model
AML.T0011 User Execution
AML.T0011.000 Unsafe AI Artifacts
AML.T0018.002 Embed Malware
AML.T0050 Command and Scripting Interpreter
AML.T0058 Publish Poisoned Models

Compliance Controls Affected

EU AI Act: Article 15, Article 17, Article 9
ISO 42001: 6.1.2, 8.4, A.6.1.6, A.9.4
NIST AI RMF: GOVERN 1.6, MANAGE 2.2, MAP 2.1
OWASP LLM Top 10: LLM03:2025, LLM05

What are the technical details?

Original Advisory

Hugging Face Transformers HuBERT convert_config Code Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the target must convert a malicious checkpoint. The specific flaw exists within the convert_config function. The issue results from the lack of proper validation of a user-supplied string before using it to execute Python code. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-28253.

Exploitation Scenario

Attacker publishes a crafted HuBERT model to HuggingFace Hub with a poisoned config embedding Python payload (e.g., reverse shell or credential harvester) in a field consumed by convert_config. They promote the model through legitimate-looking channels — a GitHub repo, a paper citation, or a Slack message to an ML team. An ML engineer or automated MLOps job pulls the checkpoint and runs the conversion step. convert_config evaluates the malicious string as Python code, executing the payload with the privileges of the converting process. In a typical MLOps environment this yields access to AWS/GCP credentials in environment variables, internal artifact stores, and training compute — all from a single model download.

Weaknesses (CWE)

CWE-94 — Improper Control of Generation of Code ('Code Injection'): The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

  • [Architecture and Design] Refactor your program so that you do not have to dynamically generate code.
  • [Architecture and Design] Run your code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which code can be executed by your product. Examples include the Unix chroot jail and AppArmor. In general, managed code may provide some protection. This may not be a feasible solution, and it only limits the impact to the operating system; the rest of your application may still be subject to compromise. Be careful to avoid CWE-243 and other weaknesses related to jails.

Source: MITRE CWE corpus.
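To make the advisory's "user-supplied string used to execute Python code" and the first CWE-94 mitigation concrete, here is an added example. It is not transformers' code and does not reproduce the actual flaw: the converter, the config field names, the allowlist and the bound are hypothetical, and the two config dicts are constructed. It shows the dangerous pattern (a checkpoint string handed to eval()) next to a hardened version that parses the same field as a literal and then validates it against a schema, so the data is never executed.

```python
# Added example (not transformers' code): CWE-94 pattern and its hardened form.
import ast

# Constructed checkpoint config fields, as a loader might hand them to a converter.
# Both values arrive as strings the converter has to turn into Python objects.
BENIGN_CONFIG = {"conv_dim": "[512, 512, 512]", "activation": "gelu"}

# Same keys, but the list field now holds an expression instead of a literal.
# eval() would run it; ast.literal_eval() refuses it because it is not a literal.
TAMPERED_CONFIG = {"conv_dim": "__import__('os').getcwd()", "activation": "gelu"}

# Hypothetical allowlist of activation names the converter knows how to map,
# and an assumed sanity bound for a layer width.
ALLOWED_ACTIVATIONS = frozenset({"gelu", "relu", "silu"})
MAX_CONV_DIM = 8192


def convert_config_vulnerable(raw):
    """Hypothetical 'before': the string is handed to the Python interpreter."""
    return {
        "conv_dim": eval(raw["conv_dim"]),  # CWE-94: runs whatever the checkpoint says
        "activation": raw["activation"],
    }


def convert_config_hardened(raw):
    """Hypothetical 'after': the string is parsed as data, then validated."""
    try:
        # literal_eval accepts literal syntax only (numbers, strings, lists, ...);
        # names, attribute access and calls are rejected with ValueError.
        conv_dim = ast.literal_eval(raw["conv_dim"])
    except (ValueError, SyntaxError, TypeError) as exc:
        raise ValueError(f"conv_dim is not a literal: {raw['conv_dim']!r}") from exc
    # Schema check: non-empty list of plain ints (bool is excluded) within bounds.
    if not (isinstance(conv_dim, list) and conv_dim
            and all(type(d) is int and 0 < d <= MAX_CONV_DIM for d in conv_dim)):
        raise ValueError(f"conv_dim must be a non-empty list of ints in 1..{MAX_CONV_DIM}")
    activation = raw["activation"]
    if activation not in ALLOWED_ACTIVATIONS:
        raise ValueError(f"unsupported activation {activation!r}")
    return {"conv_dim": conv_dim, "activation": activation}


def is_rejected(raw):
    """True when the hardened converter refuses the config."""
    try:
        convert_config_hardened(raw)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(convert_config_hardened(BENIGN_CONFIG))
    print("tampered rejected:", is_rejected(TAMPERED_CONFIG))
    # The vulnerable path executes the expression; here it returns a directory path.
    print(convert_config_vulnerable(TAMPERED_CONFIG))
```

The hardened path still evaluates nothing more than literal syntax, so a string that is not a literal fails closed. Where the format is under your control, serialising the config as JSON and loading it with json.loads removes even that surface; and since ast.literal_eval can exhaust the stack on deeply nested input, cap the raw string length before parsing untrusted checkpoints.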

Timeline

Published
December 23, 2025
Last Modified
January 21, 2026
First Seen
December 23, 2025

Related Vulnerabilities