PT-2025-52381 · Hugging Face · Transformers Megatron Gpt2

Izobashi

Published

2025-12-18

Updated

2025-12-24

CVE-2025-14924

CVSS v3.1

7.8

High

Vector

AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions Hugging Face Transformers megatron gpt2 (affected versions not specified)

Description A flaw exists in the parsing of checkpoints within Hugging Face Transformers megatron gpt2, stemming from insufficient validation of user-supplied data. This can lead to the deserialization of untrusted data, potentially allowing an attacker to execute code in the context of the current process. User interaction is required, as the target must visit a malicious page or open a malicious file to trigger the issue.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.

RCE

Deserialization of Untrusted Data

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-502

Related Identifiers

CVE-2025-14924

PYSEC-2025-213

ZDI-25-1141

Affected Products

Transformers Megatron Gpt2

PT-2025-52381 · Hugging Face · Transformers Megatron Gpt2

CVE-2025-14924

Weakness Enumeration

Related Identifiers

Affected Products

References · 6