ZDI-25-1148: (0Day) Hugging Face Transformers SEW-D convert_config Code Injection Remote Code Execution Vulnerability

Key Points:

• Vulnerability: A remote code execution vulnerability (ZDI-25-1148) exists in Hugging Face Transformers due to improper handling of the SEW-D convert_config function.
• Impact Assessment: Attackers can execute arbitrary code on affected installations, but user interaction is required to exploit it by converting a malicious checkpoint. The CVSS rating is 7, indicating a high severity level.
• Recommended Actions: Users should avoid converting untrusted checkpoints and apply any available patches or updates from Hugging Face to mitigate this vulnerability.

Technical Details: The vulnerability allows for arbitrary code execution when a user interacts with the SEW-D convert_config function, specifically by converting malicious checkpoints.

MITRE ATT&CK Techniques: None mentioned

IOCs Mentioned: None mentioned