Huggingface

30 AI/ML vulnerabilities tracked for Huggingface.

Total CVEs

Pages

Page 1 of 2

Current

Severity	CVE	Headline	Package	CVSS
MEDIUM	CVE-2025-5197	Transformers: ReDoS in TF-to-PyTorch weight converter	transformers	5.3
HIGH	CVE-2025-6921	Transformers: ReDoS in optimizer halts training pipelines	transformers	7.5
MEDIUM	CVE-2023-2800	Transformers: temp file race condition allows local DoS	transformers	4.7
HIGH	CVE-2023-6730	HuggingFace Transformers: RCE via unsafe deserialization	transformers	8.8
HIGH	CVE-2023-7018	Transformers: unsafe deserialization enables RCE on load	transformers	7.8
CRITICAL	CVE-2024-3568	HuggingFace Transformers: RCE via pickle deserialization	transformers	9.6
HIGH	CVE-2024-12720	Transformers: ReDoS in Nougat tokenizer causes DoS	transformers	7.5
MEDIUM	CVE-2025-1194	transformers: ReDoS in GPT-NeoX Japanese tokenizer	transformers	6.5
HIGH	CVE-2025-2099	transformers: ReDoS in testing_utils causes DoS	transformers	7.5
HIGH	CVE-2025-3262	Transformers: ReDoS in chat.py causes CPU exhaustion	transformers	7.5
CRITICAL	CVE-2025-5120	smolagents: sandbox escape enables unauthenticated RCE	smolagents	10.0
CRITICAL	CVE-2026-2654	smolagents: SSRF allows internal network access	smolagents	9.8
HIGH	CVE-2024-11392	HuggingFace Transformers: RCE via config deserialization	transformers	8.8
HIGH	CVE-2024-11393	Transformers: RCE via MaskFormer model deserialization	transformers	8.8
HIGH	CVE-2024-11394	Transformers: RCE via Trax model deserialization	transformers	8.8
MEDIUM	CVE-2025-3263	Transformers: ReDoS in config loader causes serving DoS	transformers	5.3
MEDIUM	CVE-2025-3264	Transformers: ReDoS in dynamic module loader causes DoS	transformers	5.3
LOW	CVE-2025-3777	Transformers: URL validation bypass exposes image pipeline	transformers	3.5
MEDIUM	CVE-2025-3933	Transformers: ReDoS in DonutProcessor causes DoS	transformers	5.3
HIGH	CVE-2025-6638	HuggingFace Transformers: ReDoS in MarianTokenizer	transformers	7.5

Page 1 of 2

Huggingface

Weekly CISO Take + top threats