CVE-2025-3777: Transformers: URL validation bypass exposes image pipeline

Advisory: GHSA-phhr-52qp-3mj4 | Severity: LOW | PoC available | CISA SSVC: Track*
Published July 7, 2025
CISO Take

HuggingFace Transformers (≤4.49.0) has a URL validation flaw in image_utils.py where startswith() checks can be bypassed via URL username injection (e.g., https://attacker.com@youtube.com). Low severity in isolation, but any pipeline that processes untrusted image URLs—fine-tuning jobs, multimodal inference, dataset ingestion—is a potential exfiltration vector. Upgrade to 4.52.1; if upgrade is blocked, validate URLs server-side before passing to the library.

What is the risk?

Risk is LOW-MEDIUM in practice. CVSS 3.5 and EPSS 0.021% reflect the low base severity and minimal active exploitation. However, exposure is broad: Transformers is installed in millions of ML environments, and the affected code path (image URL loading) is common in multimodal workflows. The attack requires an adversary to inject a crafted URL into the pipeline, which narrows the attack surface to systems that process untrusted image inputs. Not in CISA KEV; no known active exploitation.

What systems are affected?

Package        Ecosystem   Vulnerable Range   Patched
Transformers   pip                            No patch
Transformers   pip         < 4.52.1           4.52.1

Package profile: 161.8K, OpenSSF score 6.4, 8.3K dependents, pushed 5d ago, 40% patched, ~92d to patch

How severe is it?

CVSS 3.1: 3.5 / 10
EPSS: 0.3% chance of exploitation in 30 days (higher than 25% of all CVEs)
Exploitation Status: Exploit Available (Exploitation: MEDIUM)
Sophistication: Trivial
Exploitation Confidence: medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)

Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV (Attack Vector): Network
AC (Attack Complexity): Low
PR (Privileges Required): Low
UI (User Interaction): Required
S (Scope): Unchanged
C (Confidentiality): Low
I (Integrity): None
A (Availability): None

What should I do?

5 steps
  1. Patch

    Upgrade transformers to ≥4.52.1 immediately (pip install --upgrade transformers).

  2. Workaround

    Implement allowlist-based URL validation before passing URLs to transformers—use urllib.parse to extract and verify the netloc component, not startswith().

  3. Detection

    Audit pipeline code for calls to image_utils or any transformers function accepting external image URLs. Search for patterns like load_image(url) with user-supplied input.

  4. Network controls

    Restrict egress from ML training/inference nodes—unexpected outbound connections to non-CDN domains are a signal.

  5. SBOM check

    If running transformers in containers or managed environments, trigger a dependency update cycle.
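The workaround in step 2, shown as an added Python example that is not part of this advisory or of the transformers code base: a prefix check of the kind the advisory describes, kept only for contrast, beside an allowlist check on the parsed host. The allowlist, the function names and the sample URLs are constructed for the example; the userinfo form mirrors the advisory's scenario.

```python
from urllib.parse import urlsplit

# Origins this pipeline may fetch images from. Constructed allowlist for the
# example; a real deployment would load it from configuration.
ALLOWED_HOSTS = frozenset({"huggingface.co", "www.youtube.com"})


def naive_is_allowed(url: str) -> bool:
    """Prefix check of the kind the advisory describes, kept only for contrast.

    The check looks at the raw string, so any URL that begins with a trusted
    origin string passes, even when the text before '@' is userinfo and the
    real host comes after it, or when the trusted name is merely a prefix of
    a longer hostname.
    """
    return any(url.startswith(f"https://{host}") for host in ALLOWED_HOSTS)


def hardened_is_allowed(url: str) -> bool:
    """Allowlist check on the parsed host, as the workaround step recommends.

    urlsplit() separates the authority into userinfo, host and port, so the
    comparison is made against the component the HTTP client will actually
    connect to, not against the leading characters of the string.
    """
    try:
        parts = urlsplit(url)
        host = parts.hostname  # lowercased; userinfo and port already stripped
        port = parts.port      # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme != "https":
        return False
    # A trusted image host never needs credentials in the URL; treat any
    # userinfo as a bypass attempt rather than trying to "clean" it.
    if parts.username is not None or parts.password is not None:
        return False
    if host is None:
        return False
    if port not in (None, 443):
        return False
    return host in ALLOWED_HOSTS


def compare(url: str) -> tuple[bool, bool]:
    """Return (naive verdict, hardened verdict) for one URL."""
    return naive_is_allowed(url), hardened_is_allowed(url)


if __name__ == "__main__":
    # Constructed sample inputs: a legitimate URL, the userinfo form from the
    # advisory's scenario, and a lookalike host that shares the trusted prefix.
    for sample in (
        "https://huggingface.co/datasets/demo/cat.jpg",
        "https://huggingface.co@attacker-c2.com/payload.jpg",
        "https://huggingface.co.attacker-c2.com/cat.jpg",
    ):
        naive, hardened = compare(sample)
        print(f"{sample:55} naive={naive!s:5} hardened={hardened}")
```

Note that the hardened check is both stricter and more accurate than the prefix check: it rejects the userinfo and lookalike-host forms that the prefix check accepts, yet accepts an upper-cased scheme or host with an explicit default port, which the prefix check would wrongly refuse.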

What does CISA's SSVC say?

Decision: Track*
Exploitation: poc
Automatable: No
Technical Impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act: Article 15 - Accuracy, robustness and cybersecurity
ISO 42001: 8.4 - AI system technical security
NIST AI RMF: MANAGE 2.2 - Mechanisms to sustain the value of AI systems are applied
OWASP LLM Top 10: LLM05 - Improper Output Handling / Insecure Plugin Design

Frequently Asked Questions

What is CVE-2025-3777?

HuggingFace Transformers (≤4.49.0) has a URL validation flaw in image_utils.py where startswith() checks can be bypassed via URL username injection (e.g., https://attacker.com@youtube.com). Low severity in isolation, but any pipeline that processes untrusted image URLs—fine-tuning jobs, multimodal inference, dataset ingestion—is a potential exfiltration vector. Upgrade to 4.52.1; if upgrade is blocked, validate URLs server-side before passing to the library.

Is CVE-2025-3777 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2025-3777, increasing the risk of exploitation.

How to fix CVE-2025-3777?

1. **Patch**: Upgrade transformers to ≥4.52.1 immediately (pip install --upgrade transformers).
2. **Workaround**: Implement allowlist-based URL validation before passing URLs to transformers: use urllib.parse to extract and verify the netloc component, not startswith().
3. **Detection**: Audit pipeline code for calls to image_utils or any transformers function accepting external image URLs. Search for patterns like load_image(url) with user-supplied input.
4. **Network controls**: Restrict egress from ML training/inference nodes; unexpected outbound connections to non-CDN domains are a signal.
5. **SBOM check**: If running transformers in containers or managed environments, trigger a dependency update cycle.

What systems are affected by CVE-2025-3777?

This vulnerability affects the following AI/ML architecture patterns: multimodal training pipelines, image-based fine-tuning workflows, model serving with image URL inputs, dataset ingestion pipelines, MLOps automation pipelines.

What is the CVSS score for CVE-2025-3777?

CVE-2025-3777 has a CVSS v3.1 base score of 3.5 (LOW). The EPSS exploitation probability is 0.33%.

What is the AI security impact?

Affected AI Architectures

multimodal training pipelines, image-based fine-tuning workflows, model serving with image URL inputs, dataset ingestion pipelines, MLOps automation pipelines

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0011.003 Malicious Link
AML.T0025 Exfiltration via Cyber Means
AML.T0074 Masquerading

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: 8.4
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM05

What are the technical details?

Original Advisory

Hugging Face Transformers versions up to 4.49.0 are affected by an improper input validation vulnerability in the `image_utils.py` file. The vulnerability arises from insecure URL validation using the `startswith()` method, which can be bypassed through URL username injection. This allows attackers to craft URLs that appear to be from YouTube but resolve to malicious domains, potentially leading to phishing attacks, malware distribution, or data exfiltration. The issue is fixed in version 4.52.1.

Exploitation Scenario

An adversary targeting an organization running a multimodal fine-tuning pipeline (e.g., dataset processing with BLIP or CLIP) submits a poisoned dataset entry containing a crafted image URL: https://huggingface.co@attacker-c2.com/payload.jpg. The pipeline's image_utils.py validates the URL with startswith('https://huggingface.co'), passes the check, and fetches the resource from attacker-c2.com. The request includes environment metadata (cloud instance headers, OAuth tokens in HTTP headers if misconfigured). The attacker's server logs the incoming request and extracts any exfiltrated credentials or internal network routing information. In a CI/CD-integrated training pipeline, this can run unmonitored at scale.
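Step 4 of the recommendations and the scenario above both point at egress from training and inference nodes as the place to look. The following is an added example, not part of this advisory or of any vendor's tooling, that flags outbound requests to hosts outside an expected set and requests whose URL carries userinfo. It runs over constructed proxy log lines in a hypothetical "timestamp node method target status" layout; the expected domains and host names are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed egress-proxy log lines in a hypothetical
# "timestamp node method target status" layout (not any real proxy's format).
SAMPLE_LOG = """\
1720300001.101 train-07 CONNECT huggingface.co:443 200
1720300002.207 train-07 CONNECT cdn-lfs.huggingface.co:443 200
1720300003.315 train-07 CONNECT attacker-c2.com:443 200
1720300004.420 infer-02 GET http://huggingface.co@attacker-c2.com/payload.jpg 200
1720300005.533 infer-02 CONNECT www.youtube.com:443 200
"""

# Domains a training or inference node is expected to reach (constructed for
# the example). A host matches if it equals a domain or is a subdomain of it.
EXPECTED_DOMAINS = ("huggingface.co", "youtube.com")


def host_is_expected(host: str) -> bool:
    """Suffix match against the expected domains, anchored at a label boundary."""
    return any(host == d or host.endswith("." + d) for d in EXPECTED_DOMAINS)


def target_host(method: str, target: str) -> tuple[str, bool]:
    """Return (host the proxy will connect to, whether the request carried userinfo).

    CONNECT targets are "host:port"; other methods carry an absolute URL whose
    authority may include a userinfo part before '@'.
    """
    if method == "CONNECT":
        host = target.rsplit(":", 1)[0] if ":" in target else target
        return host.lower(), False
    parts = urlsplit(target)
    return (parts.hostname or "").lower(), parts.username is not None


def find_unexpected_egress(log_text: str) -> list[dict]:
    """Flag requests to hosts outside the expected set or carrying userinfo."""
    findings = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed lines rather than guess at their layout
        _ts, node, method, target, _status = fields
        host, has_userinfo = target_host(method, target)
        reasons = []
        if not host_is_expected(host):
            reasons.append("host outside expected set")
        if has_userinfo:
            reasons.append("userinfo in request URL")
        if reasons:
            findings.append({"node": node, "host": host, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_unexpected_egress(SAMPLE_LOG):
        print(f"{f['node']}: {f['host']} ({'; '.join(f['reasons'])})")
```

The userinfo check is the part specific to this advisory: on a proxy that sees absolute URLs, a request whose authority contains '@' is a cheap, high-signal indicator even before the destination host is compared with the expected set.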

Weaknesses (CWE)

CWE-20 — Improper Input Validation: The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

  • [Architecture and Design] Consider using language-theoretic security (LangSec) techniques that characterize inputs using a formal language and build "recognizers" for that language. This effectively requires parsing to be a distinct layer that effectively enforces a boundary between raw input and internal data representations, instead of allowing parser code to be scattered throughout the program, where it could be subject to errors or inconsistencies that create weaknesses. [REF-1109] [REF-1110] [REF-1111]
  • [Architecture and Design] Use an input validation framework such as Struts or the OWASP ESAPI Validation API. Note that using a framework does not automatically address all input validation problems; be mindful of weaknesses that could arise from misusing the framework itself (CWE-1173).

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N

Timeline

Published
July 7, 2025
Last Modified
August 7, 2025
First Seen
July 7, 2025

Related Vulnerabilities