
Critical RCE Vulnerability in Hugging Face Transformers Library Disclosed

Severity: High (Score: 72.0)

Sources: Csoonline, Letsdatascience

Published: 2026-06-04 · Updated: 2026-06-04

Keywords: hugging, face, transformers, code, vulnerability, library, critical

Severity indicators: critical, vulnerability, remote code execution, ot

Summary

A critical remote code execution (RCE) vulnerability has been identified in the Hugging Face Transformers library, tracked as CVE-2026-4372. The flaw lets an attacker-controlled model execute arbitrary code during model loading by bypassing the trust_remote_code=False safeguard. It affects all versions from 4.56.0 through 5.2.x; those versions were downloaded approximately 232 million times while the flaw was live. Hugging Face released a fix in version 5.3.0 on May 24, 2026. The flaw was discovered by researchers at Pluto Security and can lead to the exposure of sensitive data such as cloud credentials and API keys. The trigger is a configuration parameter that looks innocuous but causes malicious code to run without any prompt or consent from the user. The vulnerability poses a significant risk to enterprise environments and automated AI pipelines.

Key Points:

  • CVE-2026-4372 allows RCE via Hugging Face Transformers model configurations.
  • Affected versions are 4.56.0 through 5.2.x, with 232 million downloads during the vulnerable period.
  • A patch was released on May 24, 2026 (version 5.3.0), but many vulnerable installs remain in use.

Detailed Analysis

**Impact**

The vulnerability affects all Hugging Face Transformers versions from 4.56.0 through 5.2.x. Those versions were downloaded over 232 million times during the roughly six months the flaw was live, and vulnerable versions are still being installed at a rate of 7 to 8 million downloads per week. Anything that uses the library to load or fine-tune models is exposed: enterprise deployments, AI platforms, GPU-accelerated environments and CI/CD pipelines worldwide. Code executed this way runs with whatever access the loading process has, so potential exposure includes cloud credentials, API keys, SSH keys, Kubernetes configurations, databases, source code and datasets.

**Technical Details**

The attack vector is a maliciously crafted model configuration file. The config carries a stealthy parameter, _attn_implementation_internal, that is honoured during the from_pretrained() call even when trust_remote_code=False, so the safeguard that is supposed to block attacker-supplied code never applies. The root cause is that the library applies keys from the untrusted config onto the configuration object with setattr, which allows this internal parameter to be set from the model file; the result is remote code execution from untrusted model config data (CWE-502, deserialization of untrusted data). The issue is tracked as CVE-2026-4372 and is also referenced as CVE-2025-14930. Exploitation requires the optional kernels package to be installed alongside Transformers. In kill-chain terms this is initial access and execution: the payload runs during a routine model load with no prompt or warning to the user.

**Recommended Response**

Upgrade every Transformers installation to version 5.3.0 or later, which contains the fix. Inventory the optional kernels package on workstations and servers and remove or block it where it is not needed, since the flaw cannot be exploited without it. Monitor model loading for anomalous config parameters, in particular underscore-prefixed internal keys such as _attn_implementation_internal, and enforce strict validation of the sources models are pulled from (for example pinned revisions and allow-listed repositories). Watch vendor advisories and package repositories for further updates or mitigations.
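The three checks above (vulnerable version range, presence of the kernels package, and the trigger key in a model's config.json) as a triage script. This is an added example, not code from the page's sources, from Hugging Face or from Pluto Security. It takes the version range and the _attn_implementation_internal key from the advisory; the sample config.json is constructed here with a placeholder value, the rule that any other underscore-prefixed key is suspicious is this example's own heuristic, and the kernels check only reports whether the package is importable in the current interpreter.

```python
"""Triage helper for the Transformers config-based RCE described above.

Added example; not Hugging Face or Pluto Security code. Facts taken from the
advisory: vulnerable range 4.56.0 <= version < 5.3.0, trigger key
_attn_implementation_internal, exploitation needs the optional `kernels`
package. The "any other underscore-prefixed key is suspicious" rule is an
assumption of this example, not something the advisory states.
"""
import importlib.metadata
import importlib.util
import json
import re
from pathlib import Path

VULN_MIN = (4, 56, 0, 0)  # first affected release per the advisory
FIXED = (5, 3, 0, 0)      # first fixed release per the advisory
TRIGGER_KEY = "_attn_implementation_internal"

_VERSION_RE = re.compile(r"^\s*v?(\d+(?:\.\d+)*)(?:\.?(a|b|rc|dev)\d*)?")


def parse_version(text):
    """Map a version string to a 4-tuple that compares correctly.

    '5.2.1' -> (5, 2, 1, 0); '5.3.0rc1' -> (5, 3, 0, -1). A pre-release
    sorts below its final release, so 5.3.0rc1 is still treated as vulnerable.
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))[:3]
    parts = parts + (0,) * (3 - len(parts))
    return parts + ((-1,) if m.group(2) else (0,))


def is_vulnerable_version(text):
    """True when the version falls inside the advisory's affected range."""
    return VULN_MIN <= parse_version(text) < FIXED


def scan_config(config):
    """Return findings for one parsed config.json (empty list when clean)."""
    findings = []
    if TRIGGER_KEY in config:
        findings.append(f"{TRIGGER_KEY}={config[TRIGGER_KEY]!r}: key named in "
                        "the advisory as the trust_remote_code bypass")
    for key in config:
        if key.startswith("_") and key != TRIGGER_KEY:
            findings.append(f"{key}: underscore-prefixed internal key shipped "
                            "in a model config (heuristic of this example)")
    return findings


def scan_model_dir(path):
    """Scan every config.json under a local model snapshot directory."""
    results = {}
    for cfg in Path(path).rglob("config.json"):
        with open(cfg, encoding="utf-8") as fh:
            results[str(cfg)] = scan_config(json.load(fh))
    return results


def kernels_installed():
    """True when the optional `kernels` package is importable here."""
    return importlib.util.find_spec("kernels") is not None


def installed_transformers_version():
    """Installed transformers version, or None when it is not installed."""
    try:
        return importlib.metadata.version("transformers")
    except importlib.metadata.PackageNotFoundError:
        return None


def assess(version, config, kernels_present):
    """Combine the three conditions into one verdict."""
    vulnerable = is_vulnerable_version(version)
    return {
        "vulnerable_version": vulnerable,
        "kernels_installed": kernels_present,
        "findings": scan_config(config),
        # all three conditions from the advisory must hold at once
        "exploitable": vulnerable and kernels_present and TRIGGER_KEY in config,
    }


# Constructed samples: a minimal config.json carrying the trigger key (value is
# a placeholder, not a payload) and a clean one for comparison.
MALICIOUS_CONFIG = {
    "model_type": "llama",
    "hidden_size": 4096,
    TRIGGER_KEY: "<attacker-controlled value>",
}
CLEAN_CONFIG = {"model_type": "llama", "hidden_size": 4096}


if __name__ == "__main__":
    version = installed_transformers_version() or "5.2.1"  # fallback for demo
    report = assess(version, MALICIOUS_CONFIG, kernels_installed())
    print(f"transformers {version}: {report}")
```

Run it on a host that loads models; pass a real snapshot directory to scan_model_dir() to sweep the local Hub cache, and treat any `exploitable: True` as a host to patch immediately rather than a detection to tune.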

Source articles (2)

  • Hugging Face Transformers RCE flaw enables stealthy compromise via AI model configs — Csoonline · 2026-06-04
    A high severity vulnerability in Hugging Face Transformers enables attackers to compromise systems that use the popular Python library to test and run AI models. The flaw impacts library versions that…
  • Hugging Face Transformers contains critical remote code execution vulnerability — Letsdatascience · 2026-06-04
    SiliconANGLE reports a critical remote code execution vulnerability in Hugging Face's Transformers library that allowed attacker-controlled models to run arbitrary code during a routine model load. P…

Timeline

  • 2025-12-23 — CVE-2025-14930 published: CVE-2025-14930 was published, tracking a critical RCE vulnerability in Hugging Face Transformers.
  • 2026-05-24 — Patch for CVE-2026-4372 released: Hugging Face released a patch for the critical RCE vulnerability in version 5.3.0.
  • Recent — Vulnerability discovered by Pluto Security: Pluto Security reported a critical RCE vulnerability in Hugging Face Transformers, affecting millions of downloads.

CVEs

  • CVE-2025-14930
  • CVE-2026-4372

Related entities

  • Malware (Attack Type)
  • Supply Chain Attack (Attack Type)
  • Cisco (Company)
  • HiddenLayer (Company)
  • Pluto Security (Company)
  • Hugging Face (Tool)
  • Python (Tool)
  • Model Provenance Kit (Tool)
  • Cwe-502 - Deserialization Of Untrusted Data (Cwe)
  • T1059.006 - Python (Mitre Attack)
  • T1195 - Supply Chain Compromise (Mitre Attack)
  • Hugging Face Hub (Platform)
  • Hugging Face Transformers Library (Platform)
  • Windows (Platform)
  • Deserialization Of Untrusted Data (Vulnerability)