Ydshieh

Rank: #14451 of 53,635
Total CVSS: 18.6
Vulnerabilities: 2 (Critical: 2)
PT-2023-32836 · CVSS 9.6 · 2023-12-20
Hugging Face · Transformers · CVE-2023-7018
**Name of the Vulnerable Software and Affected Versions**
huggingface/transformers, versions prior to 4.36

**Description**
Deserialization of untrusted data, which can compromise model integrity and lead to remote code execution (RCE). The `TransfoXLTokenizer` class deserializes the data it loads automatically, so a crafted file fetched with the tokenizer runs attacker-chosen code on load. Because that file comes from wherever the tokenizer is fetched, the payload can arrive through a secondary (third-party) model repository.

**Recommendations**
Update to version 4.36 or later. If you cannot upgrade yet, do not use `TransfoXLTokenizer` with files from sources you do not control, and restrict access to untrusted data to minimize the risk of exploitation.
PT-2023-32753 · CVSS 9.0 · 2023-12-19
Hugging Face · Huggingface/Transformers · CVE-2023-6730
**Name of the Vulnerable Software and Affected Versions**
huggingface/transformers, versions prior to 4.36.0

**Description**
Deserialization of untrusted data in the huggingface/transformers GitHub repository.

**Recommendations**
Update to version 4.36.0 or later.
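Both entries above (CVE-2023-7018 and CVE-2023-6730) are the same bug class: a file pulled from a model repository is fed to Python's pickle machinery, and a pickle stream may name any importable callable and have it invoked during loading. The block below is an added example, not dbugs text and not Hugging Face code. It uses the `pickle` module directly (`torch.load` on a pickled file ends in the same unpickler unless `weights_only=True` is passed) and takes a pickled tokenizer vocabulary as the untrusted input, which is the `TransfoXLTokenizer` case. It shows a constructed payload whose `__reduce__` hands `builtins.exec` to the unpickler, the vulnerable `pickle.loads` path firing it, and a restricted unpickler that rejects the file before any global is resolved. The names `MaliciousVocab`, `PWNED`, `ALLOWED_GLOBALS`, `audit` and the sample vocabulary are assumptions made for this demonstration.

```python
"""Added example (not dbugs or Hugging Face code): why unpickling an untrusted
vocabulary file is remote code execution, and a restricted loader that refuses
such files. MaliciousVocab, the PWNED marker, ALLOWED_GLOBALS and the sample
vocabulary below are assumptions made for this demonstration."""
import builtins
import collections
import io
import pickle


def build_legit_vocab() -> bytes:
    """Constructed sample of what a pickled vocabulary legitimately holds (token -> id).
    The only global it references is collections.OrderedDict."""
    vocab = collections.OrderedDict([("<eos>", 0), ("<unk>", 1), ("the", 2), ("model", 3)])
    return pickle.dumps(vocab)


class MaliciousVocab:
    """Constructed payload: __reduce__ tells the unpickler to call builtins.exec.
    The code it runs here only sets a marker so the effect can be observed;
    a real payload would reach for os.system or a reverse shell instead."""

    def __reduce__(self):
        return (builtins.exec, ("import builtins; builtins.PWNED = True",))


def build_malicious_vocab() -> bytes:
    return pickle.dumps(MaliciousVocab())


def payload_fired() -> bool:
    """True once the constructed payload has executed in this process."""
    return bool(getattr(builtins, "PWNED", False))


def unsafe_load(data: bytes):
    """The vulnerable pattern: unrestricted unpickling of bytes that came from a
    repository the user does not control. Every global named in the stream is
    imported and may be called."""
    return pickle.loads(data)


# Allow-list of the only globals a vocabulary file has any reason to reference.
ALLOWED_GLOBALS = {("collections", "OrderedDict")}


class RestrictedUnpickler(pickle.Unpickler):
    """Resolve only allow-listed globals (the 'Restricting Globals' pattern from the
    pickle docs). A stream naming builtins.exec, os.system, subprocess.Popen, ...
    is rejected before the callable can be obtained, let alone invoked."""

    def find_class(self, module: str, name: str):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to import {module}.{name} from vocabulary file")


def safe_load(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def audit(data: bytes) -> dict:
    """Load with the restricted unpickler and report the outcome without raising."""
    try:
        vocab = safe_load(data)
    except pickle.UnpicklingError as exc:
        return {"accepted": False, "reason": str(exc)}
    return {"accepted": True, "size": len(vocab)}


if __name__ == "__main__":
    print(audit(build_legit_vocab()))       # accepted, 4 tokens
    print(audit(build_malicious_vocab()))   # rejected: refusing to import builtins.exec
    print("fired before unsafe load:", payload_fired())
    unsafe_load(build_malicious_vocab())    # the vulnerable path: exec runs here
    print("fired after unsafe load:", payload_fired())
```

The allow-list is the mitigation for code that must keep reading pickled files; the better fix for a vocabulary is to not pickle at all and store it as JSON or plain text, which the unpickler never sees. Note that a restricted unpickler only controls which globals are resolved: it does not make pickle a safe format for untrusted data in general, and anything it lets through (here, `OrderedDict`) must itself be harmless to construct.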