GHSA-37q5-v5qm-c9v8
Suggest an improvement- Source
- https://github.com/advisories/GHSA-37q5-v5qm-c9v8
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/04/GHSA-37q5-v5qm-c9v8/GHSA-37q5-v5qm-c9v8.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-37q5-v5qm-c9v8
- Aliases
- Published
- 2024-04-10T18:30:48Z
- Modified
- 2024-04-10T22:43:58.204319Z
- Severity
-
- 3.4 (Low) CVSS_V3 - CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:N/A:L CVSS Calculator
- Summary
- Transformers Deserialization of Untrusted Data vulnerability
- Details
-
The huggingface/transformers library is vulnerable to arbitrary code execution through deserialization of untrusted data within the
load_repo_checkpoint()function of theTFPreTrainedModel()class. Attackers can execute arbitrary code and commands by crafting a malicious serialized payload, exploiting the use ofpickle.load()on data from potentially untrusted sources. This vulnerability allows for remote code execution (RCE) by deceiving victims into loading a seemingly harmless checkpoint during a normal training process, thereby enabling attackers to execute arbitrary code on the targeted machine. - Database specific
{ "nvd_published_at": "2024-04-10T17:15:58Z", "github_reviewed_at": "2024-04-10T22:20:56Z", "cwe_ids": [ "CWE-502" ], "github_reviewed": true, "severity": "LOW" }- References
Affected packages
PyPI / transformers
Package
- Name
- transformers
- View open source insights on deps.dev
- Purl
- pkg:pypi/transformers
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed4.38.0
Affected versions
0.*
0.1
2.*
2.0.0
2.1.0
2.1.1
2.2.0
2.2.1
2.2.2
2.3.0
2.4.0
2.4.1
2.5.0
2.5.1
2.6.0
2.7.0
2.8.0
2.9.0
2.9.1
2.10.0
2.11.0
3.*
3.0.0
3.0.1
3.0.2
3.1.0
3.2.0
3.3.0
3.3.1
3.4.0
3.5.0
3.5.1
4.*
4.0.0rc1
4.0.0
4.0.1
4.1.0
4.1.1
4.2.0
4.2.1
4.2.2
4.3.0rc1
4.3.0
4.3.1
4.3.2
4.3.3
4.4.0
4.4.1
4.4.2
4.5.0
4.5.1
4.6.0
4.6.1
4.7.0
4.8.0
4.8.1
4.8.2
4.9.0
4.9.1
4.9.2
4.10.0
4.10.1
4.10.2
4.10.3
4.11.0
4.11.1
4.11.2
4.11.3
4.12.0
4.12.1
4.12.2
4.12.3
4.12.4
4.12.5
4.13.0
4.14.0
4.14.1
4.15.0
4.16.0
4.16.1
4.16.2
4.17.0
4.18.0
4.19.0
4.19.1
4.19.2
4.19.3
4.19.4
4.20.0
4.20.1
4.21.0
4.21.1
4.21.2
4.21.3
4.22.0
4.22.1
4.22.2
4.23.0
4.23.1
4.24.0
4.25.0
4.25.1
4.26.0
4.26.1
4.27.0
4.27.1
4.27.2
4.27.3
4.27.4
4.28.0
4.28.1
4.29.0
4.29.1
4.29.2
4.30.0
4.30.1
4.30.2
4.31.0
4.32.0
4.32.1
4.33.0
4.33.1
4.33.2
4.33.3
4.34.0
4.34.1
4.35.0
4.35.1
4.35.2
4.36.0
4.36.1
4.36.2
4.37.0
4.37.1
4.37.2