Hugging Face Transformers contains critical remote code execution vulnerability

SiliconANGLE reports a critical remote code execution vulnerability in Hugging Face's Transformers library that allowed attacker-controlled models to run arbitrary code during a routine model load. Per SiliconANGLE, the flaw bypassed the trust_remote_code=False safeguard and could be triggered by loading a model with from_pretrained(). The issue is tracked as CVE-2025-14930, according to the NVD entry. SiliconANGLE cites Pluto Security saying the bug appeared in Transformers versions starting at 4.56.0 and persisted through 5.2.x, while third-party trackers (OpenCVE/NVD) mark affected releases prior to 5.3.0. Pluto estimates the vulnerable releases were downloaded roughly 232 million times in the six months the flaw was live, and SiliconANGLE lists possible data exposures including cloud credentials and API keys. Pluto reported the issue in February and Hugging Face issued a patch, per SiliconANGLE and NVD.
What happened
SiliconANGLE reports a critical remote code execution vulnerability in Hugging Face's Transformers library that allowed attacker-controlled models to execute arbitrary code on a victim system during a standard model load. Per SiliconANGLE, the flaw bypassed the trust_remote_code=False safeguard and was triggered by calling from_pretrained() on a crafted model. The problem is cataloged as CVE-2025-14930 in the NVD entry. SiliconANGLE attributes discovery and analysis to Pluto Security and reports the bug first appeared in Transformers 4.56.0 and persisted through 5.2.x; third-party trackers and the NVD mark affected versions prior to 5.3.0. Pluto estimated roughly 232 million downloads of the vulnerable releases during the six months the flaw was active, according to SiliconANGLE.
Technical details
Editorial analysis - technical context: Public reporting describes the root cause as unsafe deserialization/parsing of model configuration or weight metadata that allowed execution of attacker-supplied payloads during model object reconstruction. The NVD entry lists the weakness under "Deserialization of Untrusted Data" and notes exploitation can result in execution in the context of the current process (CVE-2025-14930). SiliconANGLE emphasizes that, unlike earlier attacks that required manual script execution, this vulnerability could run silently during an otherwise routine from_pretrained() call even when trust_remote_code was disabled.
Impact and attack surface
Editorial analysis: Reported implications focus on environments most likely to load third-party models automatically: enterprise AI platforms, automated model-evaluation pipelines, and GPU-enabled environments. SiliconANGLE lists potential exfiltration targets including cloud credentials, API keys, SSH keys, Kubernetes configs, databases, source code, and datasets. The NVD entry, in typical advisory language, states that exploitation requires some user interaction (for example, visiting a malicious page or opening a malicious file), which differs from SiliconANGLE's description of silent execution during a routine model load; both framings of the attack prerequisites should be considered when assessing risk exposure.
Context and significance
Transformers is one of the most widely used ML libraries, with reporting that it has more than 2.2 billion lifetime downloads and over 146 million downloads per month, and that the Hugging Face Hub hosts over 1 million models. Given that scale, a deserialization RCE in a commonly invoked load path raised broad concern across open-source consumers and enterprises. SiliconANGLE quotes Yotam Perkal of Pluto Security: "Organizations have spent years building policies around the idea that keeping trust_remote_code disabled makes model loading safe," framing why this bug attracted attention.
What to watch
For practitioners: Monitor vendor advisories and upgrade paths documented by Hugging Face and package trackers, and validate which local installs had the kernels package and vulnerable Transformers versions. Observers should also reconcile the exploit prerequisites described by different advisories (silent model-load execution versus required user interaction) when prioritizing mitigation steps in production pipelines.
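The version check above can be automated. The following is an added example (not code from Hugging Face, Pluto Security, or the cited reports) that audits pinned requirement lines and the locally installed distribution against the affected range the page describes: first affected 4.56.0, fixed in 5.3.0. The sample requirement lines are constructed for illustration.

```python
"""Audit transformers pins and the local install against the CVE-2025-14930 affected range."""
import re
from importlib import metadata
from typing import List, Optional, Tuple

# Range as reported on the page: bug first appeared in 4.56.0; NVD/OpenCVE mark
# releases prior to 5.3.0 as affected (Pluto's "through 5.2.x" has the same upper bound).
FIRST_AFFECTED = (4, 56, 0)
FIXED_IN = (5, 3, 0)

REQ_RE = re.compile(r"^(?P<name>[A-Za-z0-9_.-]+)\s*(?P<op>==|>=|<=|~=|!=|>|<)?\s*(?P<ver>[0-9][0-9A-Za-z.]*)?")


def parse_version(v: str) -> Tuple[int, int, int]:
    """Reduce '5.2.1', '4.56.0rc1' or '5.3.0.dev0' to a comparable (major, minor, patch) tuple.
    Pre-release tags are dropped, so 4.56.0rc1 compares as 4.56.0 (conservative: flagged)."""
    nums: List[int] = []
    for part in v.split("."):
        m = re.match(r"\d+", part)
        if not m:
            break
        nums.append(int(m.group()))
    nums += [0] * (3 - len(nums))
    return tuple(nums[:3])  # type: ignore[return-value]


def is_affected(version: str) -> bool:
    """True when the version falls in [4.56.0, 5.3.0)."""
    return FIRST_AFFECTED <= parse_version(version) < FIXED_IN


def classify_pin(line: str) -> Optional[str]:
    """Status for one requirements/lock line, or None if it is not a transformers line."""
    spec = line.split("#", 1)[0].strip()        # drop trailing comments
    m = REQ_RE.match(spec) if spec else None
    if not m or m.group("name").lower() != "transformers":
        return None
    if m.group("op") != "==" or not m.group("ver"):
        return "unpinned: exact version unknown, verify the resolved install"
    return "VULNERABLE" if is_affected(m.group("ver")) else "ok"


def audit(requirements_text: str) -> List[Tuple[str, str]]:
    """Return (spec, status) for every transformers line in a requirements file."""
    results = []
    for line in requirements_text.splitlines():
        status = classify_pin(line)
        if status is not None:
            results.append((line.split("#", 1)[0].strip(), status))
    return results


def installed_status() -> str:
    """Check the transformers distribution importable in this interpreter, if any."""
    try:
        ver = metadata.version("transformers")
    except metadata.PackageNotFoundError:
        return "transformers not installed"
    return f"transformers {ver}: {'VULNERABLE' if is_affected(ver) else 'ok'}"


# Constructed sample lines (not from any real project) covering the interesting cases.
SAMPLE_REQUIREMENTS = """\
torch==2.4.0
transformers==5.2.1        # inside the affected range
transformers==4.55.2       # predates 4.56.0
transformers==5.3.0        # patched release
transformers>=4.40         # floating pin, cannot be judged statically
"""

if __name__ == "__main__":
    for spec, status in audit(SAMPLE_REQUIREMENTS):
        print(f"{spec:28} {status}")
    print(installed_status())
```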
Bottom line
Editorial analysis: This vulnerability highlights the operational risk of pulling and automatically instantiating third-party model artifacts at scale. Teams that automate model ingestion, evaluation, or deployment should treat pipeline stages that deserialize model metadata as high-risk supply-chain touchpoints, and should combine version pinning, network isolation, and layered secrets management while following publisher security advisories.
Scoring Rationale
A critical remote code execution in the extremely widely used **Transformers** library represents a major supply-chain risk for ML platforms and practitioners. The bug's ability to run code during routine model loads and its wide exposure justify a high importance score.
