CVE-2025-14926

Name of the Vulnerable Software and Affected Versions Hugging Face Transformers (affected versions not specified)

Description A flaw exists within the convert config function in Hugging Face Transformers that allows remote attackers to execute arbitrary code on affected installations. Exploitation requires user interaction, specifically the conversion of a malicious checkpoint. The issue stems from insufficient validation of user-supplied strings before they are used to execute Python code, potentially allowing an attacker to execute code in the context of the current user.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.