repository icon
huggingface / transformers Project repository

🤗 Transformers: State-of-the-art Machine Learning for Pytorch, TensorFlow, and JAX.

Submit a report

FIRST INTERACTION

WITHIN5 DAYS

REVIEW

WITHIN78 DAYS

FIX

WITHIN69 DAYS

WaitCanDeadlock
amanhasan01
informative
Critical
Malicious model deployed in HF repo to reversed RCE and worm infection by RealmR...
azraelxuemo
duplicate
High
ZDI-CAN-25424: Hugging Face Transformers Transformer-XL Model Deserialization of...
zdi-disclosures
informative
High
ZDI-CAN-25423: Hugging Face Transformers Perceiver Model Deserialization of Untr...
zdi-disclosures
duplicate
High
ZDI-CAN-25012: New Vulnerability Report
zdi-disclosures
informative
High
ZDI-CAN-25191: Hugging Face Transformers MaskFormer Model Deserialization of Unt...
zdi-disclosures
informative
High
Improper sanitization of Branch Name Leads to Arbitrary Code Injection
arunstar
informative
High
ZDI-CAN-24322: Hugging Face Transformers MobileViTV2 Deserialization of Untruste...
zdi-disclosures
informative
High
RCE when loading HuggingFace Hub tool from a collection using the ToolCollection
wangxuefei0912
duplicate
High
Access tokens exposure in git repo
giantathos
informative
None
Remote Code Execution through Deserilization of Untrusted data in convert_maskfo...
piyush-bhor
informative
High
Code execution with CodeAgent
0gur1
informative
High
Insecure Temporary File
h2oa
informative
Medium
OS command injection
tuna18dv
informative
Critical
RCE when loading HuggingFace Hub 'tools' in 'src/transformers/tools/base.py' ->...
retr0reg
Medium
$125
test
lengochoa7112000
self closed
Transformers has a Deserialization of Untrusted Data vulnerability
retr0reg
Low
$20CVE-2024-3568
ReDos in tokenization_gptsan_japanese.py#L466
lujiefsi
spam
Malicious model deployed in HF repo to reversed RCE and worm infection by RagRet...
zpbrent
Critical
$1500CVE-2023-6730
An unverified deserialized data stream of function trust was found in transform...
carnival-z
informative
Critical
Time of check time of use (toctou) Race Condition
hiu240900
not applicable
Arbitrary Code Execution via YAML Deserialisation
b3ef
informative
Medium
Remote Code Execution (RCE)
ready-research
self closed
Stored XSS reflected on model endpoint
immortalengine1
informative
Critical
Re: “Per-reference”: Enter: Brute-Level Bot
xavier6
spam
Malicious model to RCE by vocab file load in TransfoXLTokenizer (as well as the...
zpbrent
Critical
$1500CVE-2023-7018
Deserialisation of Untrusted data Leading to Arbitrary Code Execution
b3ef
not applicable
Unsafe `yaml.load` is used in `convert_mlcvnets_to_pytorch` and `convert_marian_...
lyutoon
informative
High
Unsafe deserialize
nhienit2010
self closed
RATE CONDITION LEAD TO DOS
novemberdad
not applicable
CORS - In COmments reaction..
panveanyy
spam
CVE-2021-30473 - Detected
saintsconnor
informative
Critical
Buffer Overflow - aom/libaom0@1.0.0.errata1-3
saintsconnor
informative
Critical
Vulnearble to path travelsal
0xparth
informative
Critical
Amazon AWS S3 Bucket Misconfigurations (Upload, Dowload, List out any file to S3...
harshbanshpal
informative
Critical
EXIF Geolocation Data Not Stripped From Uploaded Profile Images in https://huggi...
harshbanshpal
informative
Medium
Inefficient Regular Expression Complexity(ReDoS)
ready-research
informative
High
Insecure Temporary File
ready-research
Medium
$980CVE-2023-2800
Command Injection in utils/check_self_hosted_runner.py
danmcinerney
informative
Low
Lack of Character Limit in Full Name Sections Leads to Denial of Service in
7h3h4ckv157
not applicable
Inefficient Regular Expression Complexity
dwisiswant0
informative
Medium