CVE-2025-3777: Transformers: URL validation bypass exposes image pipeline

GHSA-phhr-52qp-3mj4 | Severity: LOW | PoC available | CISA SSVC: Track*
Published July 7, 2025
CISO Take

HuggingFace Transformers (≤4.49.0) has a URL validation flaw in image_utils.py where startswith() checks can be bypassed via URL username injection (e.g., https://attacker.com@youtube.com). Low severity in isolation, but any pipeline that processes untrusted image URLs—fine-tuning jobs, multimodal inference, dataset ingestion—is a potential exfiltration vector. Upgrade to 4.52.1; if upgrade is blocked, validate URLs server-side before passing to the library.

Risk Assessment

Risk is LOW-MEDIUM in practice. CVSS 3.5 and EPSS 0.021% reflect the low base severity and minimal active exploitation. However, exposure is broad: Transformers is installed in millions of ML environments, and the affected code path (image URL loading) is common in multimodal workflows. The attack requires an adversary to inject a crafted URL into the pipeline, which narrows the attack surface to systems that process untrusted image inputs. Not in CISA KEV; no known active exploitation.

Affected Systems

Package         Ecosystem   Vulnerable Range   Patched
transformers    pip                            No patch
transformers    pip         < 4.52.1           4.52.1

Severity & Risk

CVSS 3.1: 3.5 / 10
EPSS: 0.1% chance of exploitation in 30 days (higher than 17% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): Required
Scope (S): Unchanged
Confidentiality (C): Low
Integrity (I): None
Availability (A): None

Recommended Action

5 steps
  1. Patch

    Upgrade transformers to ≥4.52.1 immediately (pip install --upgrade transformers).

  2. Workaround

    Implement allowlist-based URL validation before passing URLs to transformers—use urllib.parse to extract and verify the netloc component, not startswith().

  3. Detection

    Audit pipeline code for calls to image_utils or any transformers function accepting external image URLs. Search for patterns like load_image(url) with user-supplied input.

  4. Network controls

    Restrict egress from ML training/inference nodes—unexpected outbound connections to non-CDN domains are a signal.

  5. SBOM check

    If running transformers in containers or managed environments, trigger a dependency update cycle.

CISA SSVC Assessment

Decision Track*
Exploitation poc
Automatable No
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
8.4 - AI system technical security
NIST AI RMF
MANAGE 2.2 - Mechanisms to sustain the value of AI systems are applied
OWASP LLM Top 10
LLM05 - Improper Output Handling / Insecure Plugin Design

Frequently Asked Questions

What is CVE-2025-3777?

HuggingFace Transformers (≤4.49.0) has a URL validation flaw in image_utils.py where startswith() checks can be bypassed via URL username injection (e.g., https://attacker.com@youtube.com). Low severity in isolation, but any pipeline that processes untrusted image URLs—fine-tuning jobs, multimodal inference, dataset ingestion—is a potential exfiltration vector. Upgrade to 4.52.1; if upgrade is blocked, validate URLs server-side before passing to the library.

Is CVE-2025-3777 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2025-3777, increasing the risk of exploitation.

How to fix CVE-2025-3777?

1. Patch: Upgrade transformers to ≥4.52.1 immediately (pip install --upgrade transformers).
2. Workaround: Implement allowlist-based URL validation before passing URLs to transformers—use urllib.parse to extract and verify the netloc component, not startswith().
3. Detection: Audit pipeline code for calls to image_utils or any transformers function accepting external image URLs. Search for patterns like load_image(url) with user-supplied input.
4. Network controls: Restrict egress from ML training/inference nodes—unexpected outbound connections to non-CDN domains are a signal.
5. SBOM check: If running transformers in containers or managed environments, trigger a dependency update cycle.

What systems are affected by CVE-2025-3777?

This vulnerability affects the following AI/ML architecture patterns: multimodal training pipelines, image-based fine-tuning workflows, model serving with image URL inputs, dataset ingestion pipelines, MLOps automation pipelines.

What is the CVSS score for CVE-2025-3777?

CVE-2025-3777 has a CVSS v3.1 base score of 3.5 (LOW). The EPSS exploitation probability is 0.06%.

Technical Details

NVD Description

Hugging Face Transformers versions up to 4.49.0 are affected by an improper input validation vulnerability in the `image_utils.py` file. The vulnerability arises from insecure URL validation using the `startswith()` method, which can be bypassed through URL username injection. This allows attackers to craft URLs that appear to be from YouTube but resolve to malicious domains, potentially leading to phishing attacks, malware distribution, or data exfiltration. The issue is fixed in version 4.52.1.

Exploitation Scenario

An adversary targeting an organization running a multimodal fine-tuning pipeline (e.g., dataset processing with BLIP or CLIP) submits a poisoned dataset entry containing a crafted image URL: https://huggingface.co@attacker-c2.com/payload.jpg. The pipeline's image_utils.py validates the URL with startswith('https://huggingface.co'), passes the check, and fetches the resource from attacker-c2.com. The request includes environment metadata (cloud instance headers, OAuth tokens in HTTP headers if misconfigured). The attacker's server logs the incoming request and extracts any exfiltrated credentials or internal network routing information. In a CI/CD-integrated training pipeline, this can run unmonitored at scale.
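The prefix check from the scenario above and the urllib.parse allowlist check recommended in the Workaround step, side by side, as an added example (not the page's or the transformers project's own code; the host allowlist and the sample URLs are constructed). It also covers the look-alike subdomain case (huggingface.co.attacker-c2.com), which a prefix check admits for the same reason.

```python
from urllib.parse import urlsplit

# Hosts the pipeline may fetch images from. Constructed for this example;
# a real deployment substitutes its own allowlist.
ALLOWED_HOSTS = frozenset({"huggingface.co", "www.youtube.com", "youtube.com"})
ALLOWED_SCHEMES = frozenset({"https"})


def vulnerable_check(url: str) -> bool:
    """Prefix check of the kind the advisory describes: it says nothing
    about which host is contacted, so userinfo and look-alikes pass."""
    return url.startswith("https://huggingface.co")


def hardened_check(url: str) -> bool:
    """Allowlist check on the parsed URL, as the Workaround step advises."""
    try:
        parts = urlsplit(url)
    except ValueError:  # e.g. malformed IPv6 literal
        return False
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    # Userinfo ('huggingface.co@...') is never legitimate for an image fetch
    # from these hosts: reject it outright instead of parsing around it.
    if parts.username is not None or parts.password is not None:
        return False
    host = parts.hostname
    if host is None:
        return False
    # Exact match, not prefix or suffix: blocks 'huggingface.co.attacker-c2.com'.
    return host.lower() in ALLOWED_HOSTS


def compare(url: str) -> tuple:
    """Return (startswith verdict, allowlist verdict) for one URL."""
    return vulnerable_check(url), hardened_check(url)


if __name__ == "__main__":
    # Constructed sample inputs: one legitimate URL and three crafted ones.
    for u in (
        "https://huggingface.co/datasets/example/cat.jpg",
        "https://huggingface.co@attacker-c2.com/payload.jpg",
        "https://huggingface.co.attacker-c2.com/payload.jpg",
        "https://attacker.com@youtube.com/watch?v=x",
    ):
        vuln, hard = compare(u)
        print(f"{u}: startswith={vuln} allowlist={hard} host={urlsplit(u).hostname}")
```

The second URL is the one from the scenario: the prefix check accepts it while the parsed hostname is attacker-c2.com.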

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N

Timeline

Published
July 7, 2025
Last Modified
August 7, 2025
First Seen
July 7, 2025
