CVE-2025-14927

Name of the Vulnerable Software and Affected Versions Hugging Face Transformers (affected versions not specified)

Description A flaw exists in the convert config function that allows remote attackers to execute arbitrary code on affected systems. Exploitation requires user interaction, specifically the conversion of a malicious checkpoint. The issue stems from insufficient validation of user-supplied strings before they are used to execute Python code. An attacker can exploit this to execute code with the privileges of the current user.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.