repository icon
huggingface / transformers Project repository

šŸ¤— Transformers: State-of-the-art Machine Learning for Pytorch, TensorFlow, and JAX.

Submit a report

FIRST INTERACTION

WITHIN15 DAYS

REVIEW

WITHIN15 DAYS

FIX

WITHINN/A DAYS

ProcessorMixin confused-deputy RCE
eunhokim98
self closed
Arbitrary File Write via Path Traversal in Multi Chat Template Names
usernamebiasa
duplicate
Medium
Path Traversal in Sharded Checkpoint Loading via Malicious weight_map Index
wulonchia-pro
self closed
transformers serve: POST /load_model + /reset bypass --force-model pin enforceme...
nahldi
self closed
SSRF in image_utils.py load_image allows access to internal network and local fi...
galanzi2580-wq
informative
None
Malicious AI model templates can freeze servers with exponentially expanding loo...
quintessence-proof
informative
High
SSRF in image, audio, and video URL loading: httpx.get with no URL validation an...
hoangperry
informative
Medium
User-controlled data passed to a template rendering function. An attacker can in...
muraveyapp
informative
Critical
User-controlled data passed to a template rendering function. An attacker can in...
muraveyapp
informative
Critical
User-controlled data passed to a template rendering function. An attacker can in...
muraveyapp
informative
Critical
Unbounded max_new_tokens in Generation Configuration Leads to Denial of Service
galanzi2580-wq
informative
None
cors_misconfiguration in src/transformers/cli/serving/server.py:80
muraveyapp
informative
High
User-controlled data passed to a template rendering function. An attacker can in...
muraveyapp
informative
Critical
User-controlled data passed to a template rendering function. An attacker can in...
muraveyapp
informative
Critical
User-controlled data passed to a template rendering function. An attacker can in...
muraveyapp
informative
Critical
User-controlled data passed to a template rendering function. An attacker can in...
muraveyapp
informative
Critical
User-controlled data passed to a template rendering function. An attacker can in...
muraveyapp
informative
Critical
User-controlled data passed to a template rendering function. An attacker can in...
muraveyapp
informative
Critical
Denial of Service in Transformers via unvalidated num_attention_heads configurat...
louisrodriguez1990-crypto
informative
Medium
SSRF in transformers load_image / load_image_as_tensor (and audio_utils) via unr...
boke-kun
informative
Medium
ReDoS via attacker-controlled response_schema in chat response parsing (recursiv...
pablofd
informative
Medium
SSRF via httpx.get(follow_redirects=True) in audio and image pipeline loaders
thesecguy45
informative
Medium
ReDoS via attacker-controlled quantization module-skip patterns in huggingface/t...
pablofd
informative
Medium
Insecure Pickle Deserialization in Trax Model Loading Allows Remote Code Executi...
pratikbarahatte87
duplicate
Critical
Unbounded chat_template rendering causes CPU and memory exhaustion in apply_chat...
arunacademy13-lang
informative
Medium
Tar slip in parakeet and nemotron .nemo conversion utilities
ghost
self closed
Arbitrary file write via path traversal in chat_template names during save_pretr...
arunacademy13-lang
duplicate
High
Hugging Face Transformers Nougat tokenizer vulnerable to polynomial O(nĀ³) ReDoS...
linziyuu
informative
Medium
Hugging Face Transformers `Gemma3Processor` missing `re.escape` enables ReDoS v...
linziyuu
informative
High
Hugging Face Transformers vulnerable to ReDoS via attacker-controlled `modules_...
linziyuu
informative
High
Hugging Face Transformers vulnerable to ReDoS via attacker-controlled `response_...
linziyuu
informative
High
Polynomial ReDoS in PPFormulaNetProcessor.remove_chinese_text_wrapping ā€” single...
linziyuu
informative
Medium
save_pretrained writes chat template files outside save_directory via unsanitize...
daupaul
duplicate
Medium
Missing GGUF tokenizer merges cause CPU amplification during tokenizer loading i...
76embiid21
self closed
ReDoS via attacker-controlled regex in response_schema loaded from tokenizer_con...
kakarotsec
informative
Medium
ReDoS via Repository-Controlled Tokenizer `response_schema` Regexes
khanhdlq
informative
Medium
Server-Side Request Forgery (SSRF) in Image and Audio URL Loading Enables Cloud...
pearltechie
informative
High
SSRF via Unvalidated URLs in transformers-cli serve Inference Endpoints (image_u...
jd-admrl-ai
self closed
Defense-in-Depth: load_gguf_checkpoint lacks internal shape validation, relying...
awesome075
informative
Medium
Conversion-time torch.load in convert_csm.py and convert_janus_weights_to_hf.py...
mirr2
informative
High
Incomplete Path Traversal Validation in `_local_folder.py` ā€” `..` Check Only Enf...
penguinmiaou
informative
Critical
O(nĀ²) CPU DoS in GGUFTokenizerSkeleton via missing merges array ā€” quadratic list...
white-hat-lab
informative
Medium
Unvalidated Image Dimensions in preprocessor_config.json Cause Memory Exhaustion...
white-hat-lab
informative
Medium
Unsafe torch.load() Without weights_only=True in 27 Converter Scripts ā€” Arbitrar...
willardjansen
informative
High
Out-of-Bounds Token ID Causes IndexError Crash in GGUF Tokenizer Conversion (ggm...
white-hat-lab
informative
Medium
Unbounded image count in Gemma4Processor.__call__() causes inference server memo...
sn1r
informative
High
RCE via torch.load without weights_only in .ckpt conversion utilities ā€” bypasses...
snakeyworm
duplicate
High
Arbitrary local file read via attacker-controlled `path` field in Image / Audio...
snakeyworm
informative
None
Arbitrary local file read and SSRF via `file://`/`http://`/`ftp://` protocol smu...
snakeyworm
informative
None
Unauthenticated RCE via arbitrary model loading in serving API ā€” trust_remote_co...
snakeyworm
duplicate
Critical
SSRF via unvalidated image/video/audio URL fetching in transformers serving API...
snakeyworm
duplicate
High
Remote Code Execution (RCE) via Insecure torch.load in multiple model conversion...
mr-jeneral
duplicate
High
Arbitrary File Overwrite (ZipSlip / TarSlip) via Path Traversal in Model Convers...
finddabugs
duplicate
High
Unauthenticated RCE via POST /load_model when trust-remote-code is enabled (tran...
fg0x0
duplicate
Critical
Unauthenticated SSRF via image_url in POST /v1/chat/completions ( transformers s...
fg0x0
duplicate
High
SSRF via Unvalidated URL Fetching in Media Loading Utilities (image/audio/video)
lexi-core-ai
informative
None
Unauthenticated RCE via arbitrary model loading in serving API ā€” trust_remote_co...
wormysnake
duplicate
Critical
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N = 8.6 High
wormysnake
duplicate
High
YAML Deserialization in transformers/mobilevitv2/convert_mlcvnets_to_pytorch via...
radikhoroshev
informative
None
Test: RCE in parakeet YAML FullLoader
radikhoroshev
self closed
SSRF via load_image/load_audio/load_video ā€” no internal IP filtering on user-sup...
elliottower
informative
Critical
DoS via Unbounded Key Size in `token2json()` ā€” DonutProcessor
dsonbaker
informative
Medium
SSRF via unvalidated image URL in transformers serve CLI (/v1/chat/completions)
minicoai
self closed
SSRF via follow_redirects in load_image() reachable from transformers-cli serve
dolevmiz1
duplicate
Critical
Jailbreak and Automated OS-Level Exploit Generation in Qwen3-8B via Persona-Indu...
s05161497-sudo
informative
Critical
TOCTOU in Remote Code Loading
zafido
informative
High
Server-Side Template Injection via Untrusted chat_template in apply_chat_templat...
rohanmulay1
informative
Critical
Arbitrary Code Execution via Unsafe torch.load() in Multiple Conversion Scripts
0xbassia
informative
High
Arbitrary Code Execution via torch.load(weights_only=False) in Conversion Script...
seory0
informative
High
Critical Scanner Bypass in PickleScan via Unblocked importlib, vars, and operato...
starrohan-dotcom
informative
Critical
SSRF via Unvalidated Image URL in transformers serve Chat Completion Endpoint
nhomyk
duplicate
High
CUDA Out-of-Bounds Memory Access in Flash Attention via Qwen3.5 3D position_ids...
ouroborosscr
informative
Medium