CVE-2025-14931

GHSA-q9r5-6hrr-9ph7 CRITICAL
Published December 23, 2025

Hugging Face smolagents Remote Python Executor Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face smolagents. Authentication is not required to exploit this...

Affected Systems

| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| smolagents | pip | <= 1.23.0 | No patch |

If you run smolagents 1.23.0 or earlier, you are affected.

Severity & Risk

CVSS 3.1: 10.0 / 10
EPSS: 4.6% chance of exploitation in 30 days (higher than 89% of all CVEs)
Exploitation Status: No known exploitation
Sophistication: N/A

Attack Surface

AV Network
AC Low
PR None
UI None
S Changed
C High
I High
A High

Recommended Action

No patch available

Monitor for updates. Consider compensating controls or temporary mitigations.

Frequently Asked Questions

What is CVE-2025-14931?

Hugging Face smolagents: Unsafe deserialization in Remote Python Executor leads to RCE

Is CVE-2025-14931 actively exploited?

No confirmed active exploitation of CVE-2025-14931 has been reported, but organizations should still patch proactively.

How to fix CVE-2025-14931?

No patch is currently available. Monitor vendor advisories for updates.

What is the CVSS score for CVE-2025-14931?

CVE-2025-14931 has a CVSS v3.1 base score of 10.0 (CRITICAL). The EPSS exploitation probability is 4.64%.

Technical Details

NVD Description

Hugging Face smolagents Remote Python Executor Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face smolagents. Authentication is not required to exploit this vulnerability. The specific flaw exists within the parsing of pickle data. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-28312.
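One compensating control for the flaw class described above, shown as an added example (not smolagents code and not a vendor fix): an unpickler that resolves only allow-listed globals. The names `ALLOWED_GLOBALS`, `AllowListUnpickler`, `safe_loads` and `check`, and the choice of `OrderedDict` as the single permitted type, are assumptions for illustration.

```python
import collections
import io
import pickle

# Assumption: OrderedDict is the only non-primitive type the receiver must rebuild.
ALLOWED_GLOBALS = {("collections", "OrderedDict")}


class AllowListUnpickler(pickle.Unpickler):
    """Unpickler that refuses to resolve any global outside ALLOWED_GLOBALS."""

    def find_class(self, module, name):
        # Every class or callable a pickle stream references is resolved here,
        # before the stream can call it.
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is not allow-listed")


def safe_loads(data: bytes):
    """Deserialize data, rejecting streams that reference other globals."""
    return AllowListUnpickler(io.BytesIO(data)).load()


def check(data: bytes):
    """Return (accepted, value_or_reason) without raising on a rejected stream."""
    try:
        return True, safe_loads(data)
    except pickle.UnpicklingError as exc:
        return False, str(exc)


# Constructed, benign sample inputs.
PLAIN = pickle.dumps({"result": [1, 2, 3], "ok": True})
ORDERED = pickle.dumps(collections.OrderedDict(a=1))
COUNTER = pickle.dumps(collections.Counter("aab"))  # references collections.Counter

if __name__ == "__main__":
    for label, blob in (("plain", PLAIN), ("ordered", ORDERED), ("counter", COUNTER)):
        print(label, check(blob))
```

An allow-list narrows what a stream can resolve but does not make pickle a safe format for untrusted input, so keep the list minimal and prefer a data-only format such as JSON where the receiver does not need Python objects.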

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Timeline

Published: December 23, 2025
Last Modified: May 7, 2026
First Seen: May 7, 2026
