PT-2025-28155 · Hugging Face · Huggingface/Transformers

Published: 2025-03-19 · Updated: 2025-08-07 · CVE-2025-3777

CVSS v2.0: 4.0 (Medium)
Vector: AV:N/AC:L/Au:S/C:P/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Hugging Face Transformers versions prior to 4.52.1
Description: Hugging Face Transformers is affected by an improper input validation vulnerability in the image_utils.py file. The vulnerability stems from insecure URL validation using the startswith() method, which can be bypassed through URL username injection: the trusted host name is placed in the userinfo part of the URL (the text before an "@" in the authority component), so the string prefix matches while the host the client actually connects to is attacker-controlled. This allows attackers to craft URLs that appear to be from YouTube but resolve to malicious domains, potentially leading to phishing attacks, malware distribution, or data exfiltration.
Recommendations: Update to Hugging Face Transformers version 4.52.1 or later.
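The following is an added example illustrating the bypass class described above; it is not code from the Transformers project or from the advisory. The exact prefix the vulnerable check compared against, the test URLs and the trusted-host list are all assumptions made for illustration. It shows a prefix-based check of the kind the description names beside a hardened check that parses the URL and inspects the real host.

```python
from typing import Optional
from urllib.parse import urlparse

# Constructed test inputs (not taken from the advisory): a genuine YouTube URL
# and a look-alike that puts "www.youtube.com" in the userinfo part of the
# authority, so everything before "@" is a username, not the host.
GENUINE_URL = "https://www.youtube.com/watch?v=dQw4w9WgXcQ"
SPOOFED_URL = "https://www.youtube.com@attacker.example/payload.mp4"

# Assumed allow-list of hosts the application is willing to fetch from.
TRUSTED_HOSTS = {"www.youtube.com", "youtube.com", "youtu.be"}


def is_youtube_url_naive(url: str) -> bool:
    """Prefix-based check of the kind the advisory describes (assumed prefix).

    A string prefix says nothing about which host the URL resolves to, because
    RFC 3986 allows "userinfo@" before the host inside the authority component.
    """
    return url.startswith("https://www.youtube.com")


def effective_host(url: str) -> Optional[str]:
    """Return the host a client would actually connect to for ``url``.

    ``urlparse`` splits the authority into userinfo, host and port, so the
    "www.youtube.com@" prefix of the spoofed URL lands in ``username`` rather
    than ``hostname``.
    """
    return urlparse(url).hostname


def is_youtube_url_strict(url: str) -> bool:
    """Hardened check: require https, a trusted host, and no userinfo at all.

    Rejecting any URL that carries a username or password closes the injection
    vector even if the allow-list is later widened.
    """
    parts = urlparse(url)
    if parts.scheme != "https":
        return False
    if parts.username is not None or parts.password is not None:
        return False
    return parts.hostname in TRUSTED_HOSTS


if __name__ == "__main__":
    for label, url in (("genuine", GENUINE_URL), ("spoofed", SPOOFED_URL)):
        print(
            f"{label:8} host={effective_host(url)!r:22} "
            f"naive={is_youtube_url_naive(url)} strict={is_youtube_url_strict(url)}"
        )
```

Run stand-alone, the spoofed URL passes the naive prefix check while its effective host is attacker.example; the strict check accepts only the genuine URL. The same pattern applies to any allow-list built with startswith() or "in" on the raw URL string: validate the parsed host, not the text.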

Related Identifiers

BDU:2025-12551
CVE-2025-3777
GHSA-PHHR-52QP-3MJ4

Affected Products

Huggingface/Transformers