CVE-2023-7018

Name of the Vulnerable Software and Affected Versions huggingface/transformers versions prior to 4.36

Description The issue concerns the deserialization of untrusted data, which can compromise model integrity and potentially lead to remote code execution (RCE). This is particularly relevant when using the TransfoXLTokenizer() function, as it can automatically deserialize untrusted data. The vulnerability allows for malicious code injection, potentially through secondary repositories.

Recommendations For versions prior to 4.36, update to version 4.36 or later to resolve the issue. As a temporary workaround, consider disabling the TransfoXLTokenizer() function until a patch is available. Restrict access to untrusted data to minimize the risk of exploitation.