Hugging Face · Transformers · CVE-2026-4372
**Name of the Vulnerable Software and Affected Versions**
HuggingFace transformers versions prior to 5.3.0
**Description**
A critical remote code execution issue exists where an attacker can craft a malicious `config.json` file. By setting the `_attn_implementation_internal` field to an attacker-controlled HuggingFace Hub repository ID, arbitrary Python code is downloaded and executed with full OS privileges when a victim loads the model via the `AutoModelForCausalLM.from_pretrained()` API. This occurs due to unfiltered deserialization of configuration attributes, insufficient sanitization of internal fields, and unsandboxed execution of downloaded kernels. The flaw bypasses the `trust_remote_code` security mechanism and is invisible to the user. Affected versions were downloaded over 232 million times while the issue was live, potentially exposing cloud credentials, API keys, source code, and proprietary datasets.
**Recommendations**
Upgrade to version 5.3.0 or later.
Audit previously downloaded model configurations.
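
One way to carry out the audit step, as an added example that is not part of the advisory or of the Transformers project: it walks a directory of downloaded models and reports every `config.json` that carries the `_attn_implementation_internal` field, going slightly beyond the description by also checking nested sub-config sections. Assumptions: a Hub repository ID is matched as `namespace/name`, any other value of the field is still flagged for review, and the sample configs are constructed.

```python
import json
import re
import tempfile
from pathlib import Path

FIELD = "_attn_implementation_internal"  # field named in the advisory
# Assumption: a Hub repository ID has the shape "namespace/name".
REPO_ID = re.compile(r"^[\w.-]+/[\w.-]+")

def audit_config(cfg, path="$"):
    """Return findings for every occurrence of FIELD, including nested sub-configs."""
    findings = []
    if isinstance(cfg, dict):
        for key, value in cfg.items():
            here = f"{path}.{key}"
            if key == FIELD:
                repo_like = isinstance(value, str) and bool(REPO_ID.match(value))
                findings.append({"where": here, "value": value,
                                 "severity": "high" if repo_like else "review"})
            else:
                findings.extend(audit_config(value, here))
    elif isinstance(cfg, list):
        for i, item in enumerate(cfg):
            findings.extend(audit_config(item, f"{path}[{i}]"))
    return findings

def scan_tree(root):
    """Audit every config.json under root; unreadable files are reported, not skipped."""
    report = {}
    for file in sorted(Path(root).rglob("config.json")):
        try:
            cfg = json.loads(file.read_text(encoding="utf-8"))
        except (OSError, ValueError) as exc:
            report[str(file)] = [{"where": "$", "value": repr(exc), "severity": "unparsed"}]
            continue
        hits = audit_config(cfg)
        if hits:
            report[str(file)] = hits
    return report

def demo():
    """Constructed sample: one clean config, one carrying the field in a sub-config."""
    with tempfile.TemporaryDirectory() as tmp:
        samples = {"clean": {"model_type": "llama", "hidden_size": 64},
                   "suspect": {"model_type": "llama",
                               "text_config": {FIELD: "example-org/example-kernel"}}}
        for name, cfg in samples.items():
            (Path(tmp) / name).mkdir()
            (Path(tmp) / name / "config.json").write_text(json.dumps(cfg))
        return {Path(p).parent.name: hits for p, hits in scan_tree(tmp).items()}
```

To audit real downloads, call `scan_tree()` on the local model cache (by default `~/.cache/huggingface/hub`) and on any directories where models were saved manually.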