Hugging Face · Huggingface/Transformers · CVE-2026-1839
Name of the Vulnerable Software and Affected Versions
HuggingFace Transformers versions prior to 5.0.0rc3
Description
A flaw exists in the `Trainer` class within the HuggingFace Transformers library. The `_load_rng_state()` method, located in `src/transformers/trainer.py` at line 3059, calls `torch.load()` without the `weights_only=True` parameter. This creates a risk of arbitrary code execution when using PyTorch versions below 2.6 together with Transformers versions supporting `torch>=2.2`. An attacker can exploit this by providing a malicious checkpoint file, such as `rng_state.pth`, which executes arbitrary code upon loading.
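As an added illustration of what `weights_only=True` changes (this is example code, not code from Transformers or from this advisory): a restricted unpickler that resolves only allowlisted globals, run over two constructed pickle streams. The allowlist contents and the sample dictionaries are assumptions made for the example; PyTorch's own allowlist lives inside `torch.load`, and only in PyTorch 2.6 and later does `weights_only` default to `True`.

```python
import datetime
import io
import pickle

# Allowlist in the spirit of torch.load(weights_only=True): only the globals needed
# to rebuild tensors and their containers. Constructed for this example; torch ships
# its own list, and rebuilding real tensors additionally needs torch installed.
ALLOWED_GLOBALS = {
    ("collections", "OrderedDict"),
    ("torch._utils", "_rebuild_tensor_v2"),
    ("torch", "ByteStorage"),
    ("torch", "FloatStorage"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Refuse any GLOBAL/STACK_GLOBAL reference outside the allowlist. The check
    runs when the global is resolved, i.e. before any REDUCE opcode could call
    it, so a checkpoint carrying a __reduce__ payload fails closed."""

    def find_class(self, module, name):
        if (module, name) not in ALLOWED_GLOBALS:
            raise pickle.UnpicklingError(
                f"blocked global {module}.{name}: not in weights-only allowlist")
        return super().find_class(module, name)


def inspect_pickle(data: bytes) -> dict:
    """Load a raw pickle stream with the restricted unpickler and report the
    outcome. Checkpoints written by recent torch versions are zip archives; the
    stream to inspect is their data.pkl member (its persistent-id storage
    references would also need a persistent_load, which is out of scope here)."""
    try:
        value = RestrictedUnpickler(io.BytesIO(data)).load()
        return {"accepted": True, "blocked": None, "value": value}
    except pickle.UnpicklingError as exc:
        return {"accepted": False, "blocked": str(exc), "value": None}


# Constructed sample 1: a plain-data stand-in for rng_state.pth (ints, bytes and
# tuples only, no globals referenced), which the restricted unpickler accepts.
SAMPLE_BENIGN = pickle.dumps({"python": 42, "numpy": b"\x01\x02", "cpu": (1, 2, 3)})

# Constructed sample 2: the same shape but referencing a global outside the
# allowlist (a harmless datetime.date stands in for an attacker-chosen callable).
SAMPLE_UNLISTED = pickle.dumps({"python": 42, "saved_at": datetime.date(2024, 1, 1)})

if __name__ == "__main__":
    for label, blob in (("benign", SAMPLE_BENIGN), ("unlisted", SAMPLE_UNLISTED)):
        print(label, inspect_pickle(blob))
```

A plain `pickle.loads()` (or `torch.load()` with `weights_only=False`) would resolve and call any global the stream names, which is the behaviour the advisory describes.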
Recommendations
Update to version 5.0.0rc3 or later.