
Hugging Face Transformers contains critical remote code execution vulnerability

Relevance Score: 8.1

CSO Online reports a critical remote code execution vulnerability in Hugging Face's Transformers library that let an attacker-controlled model run arbitrary code during a routine load, bypassing the trust_remote_code=False safeguard. Tracked as CVE-2026-4372, the flaw was silently patched in Transformers 5.3.0 (released March 3) but affected every release since 4.56.0; CSO Online reports vulnerable versions were still downloaded 7 to 8 million times per week. The exploit adds a crafted parameter to a model's remote configuration so that simply loading it with from_pretrained() executes attacker code. Security trackers also document a separate RCE, CVE-2026-1839, in the library's Trainer class, where a malicious checkpoint reaches an unsafe torch.load() call; SentinelOne reports a fix in version 5.0.0rc3. Both stem from deserialization of untrusted data in a load path that teams invoke automatically at scale.

What happened

CSO Online reports a critical remote code execution vulnerability in Hugging Face's widely used Transformers library that allowed an attacker-controlled model to execute arbitrary code during a standard load, bypassing the trust_remote_code=False safeguard many teams rely on. Tracked as CVE-2026-4372, the flaw was silently patched in Transformers 5.3.0 (released March 3) but had been present in every release since 4.56.0. Per CSO Online, the exploit adds a crafted parameter to a model's remote configuration file so that calling from_pretrained() triggers code execution, and vulnerable versions were still being downloaded 7 to 8 million times per week.

Technical details

The root weakness is deserialization of untrusted data in the model-loading path: configuration or checkpoint metadata is parsed in a way that can execute attacker-supplied payloads during object reconstruction. Security trackers document a related RCE, CVE-2026-1839, in the library's Trainer class, where the _load_rng_state() routine calls torch.load() without weights_only=True, letting a malicious checkpoint run code; SentinelOne reports a fix in version 5.0.0rc3. The notable shift from earlier malicious-model attacks is that exploitation can occur silently during an ordinary load even when trust_remote_code is disabled.
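The Trainer flaw above comes down to a torch.load() call that omits weights_only=True, so a useful defender's check is to audit your own pipeline code for the same pattern. The following scanner is an added example, not code from the Transformers project or the CSO Online article; it walks Python source with the standard ast module and reports every torch.load() call that does not pass a literal weights_only=True. The three source files it scans are constructed in-memory samples, and the function name _load_rng_state inside them simply mirrors the routine named in the text.

```python
"""Audit Python source for torch.load() calls that omit weights_only=True.

Added example (not Hugging Face or article code). A torch.load() call without
weights_only=True unpickles arbitrary objects from the checkpoint, which is the
deserialization weakness described above; this tool finds such calls so they can
be hardened or isolated.
"""
import ast
from typing import Dict, List, Tuple

# Constructed sample sources: one unsafe, one hardened, one with a mix of both.
SAMPLE_SOURCES: Dict[str, str] = {
    "unsafe_trainer.py": (
        "import torch\n"
        "def _load_rng_state(path):\n"
        "    return torch.load(path, map_location='cpu')\n"
    ),
    "hardened_trainer.py": (
        "import torch\n"
        "def _load_rng_state(path):\n"
        "    return torch.load(path, map_location='cpu', weights_only=True)\n"
    ),
    "mixed.py": (
        "import torch\n"
        "a = torch.load('a.bin', weights_only=False)\n"
        "b = torch.load('b.bin', weights_only=True)\n"
        "c = torch.load('c.bin')\n"
    ),
}


def _is_torch_load(call: ast.Call) -> bool:
    """True when the call node is literally torch.load(...)."""
    func = call.func
    return (
        isinstance(func, ast.Attribute)
        and func.attr == "load"
        and isinstance(func.value, ast.Name)
        and func.value.id == "torch"
    )


def _passes_weights_only_true(call: ast.Call) -> bool:
    """True only when weights_only=True is passed as a literal keyword.

    A missing keyword, weights_only=False, a non-literal value or a **kwargs
    splat all count as unsafe, so the check is deliberately conservative.
    """
    for kw in call.keywords:
        if kw.arg == "weights_only":
            return isinstance(kw.value, ast.Constant) and kw.value.value is True
    return False


def find_unsafe_torch_load(filename: str, source: str) -> List[Tuple[str, int]]:
    """Return (filename, line) for each torch.load() call lacking weights_only=True."""
    findings: List[Tuple[str, int]] = []
    tree = ast.parse(source, filename=filename)
    for node in ast.walk(tree):
        if isinstance(node, ast.Call) and _is_torch_load(node):
            if not _passes_weights_only_true(node):
                findings.append((filename, node.lineno))
    return findings


def audit(sources: Dict[str, str]) -> List[Tuple[str, int]]:
    """Audit a mapping of filename -> source text; returns all findings sorted."""
    findings: List[Tuple[str, int]] = []
    for name, src in sources.items():
        findings.extend(find_unsafe_torch_load(name, src))
    return sorted(findings)


if __name__ == "__main__":
    for fname, line in audit(SAMPLE_SOURCES):
        print(f"{fname}:{line}: torch.load() without weights_only=True")
```

Run it over a real tree by reading each .py file into the mapping. The scanner only matches the spelled-out torch.load form; a call aliased through from torch import load would need an extra rule, and code that loads checkpoints through a helper library needs that library's load path checked separately.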

Context and significance

Transformers is among the most widely used ML libraries, so an RCE in a commonly invoked load path reaches a very large base of open-source and enterprise consumers. Environments that pull and instantiate third-party models automatically, such as model-evaluation pipelines and GPU inference services, are the most exposed, because a single crafted artifact can run code with access to local credentials and secrets.

What to watch

  • Upgrade Transformers to a patched release (5.3.0 or later) and identify any installs that ran vulnerable 4.56.0-5.2.x versions.
  • Treat model ingestion as a supply-chain touchpoint: pin versions, isolate model loading from secret-bearing environments, and prefer safetensors over pickle-based formats.
  • Track the NVD and OpenCVE entries for CVE-2026-4372 and CVE-2026-1839 for revised severity and affected-version data.
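To act on the first bullet, a team needs to compare every pinned Transformers version in its environments against the ranges this page states. The following script is an added example, not code from Hugging Face or the article. It parses versions of the shapes seen here (X.Y.Z and X.Y.ZrcN, with a final release sorting after its release candidates) and applies the page's figures: CVE-2026-4372 present from 4.56.0 up to, but excluding, the 5.3.0 fix, and CVE-2026-1839 fixed in 5.0.0rc3. The page gives no introducing version for CVE-2026-1839, so the script assumes every earlier version may be affected; the pip-freeze text it scans is constructed sample input.

```python
"""Flag installed Transformers versions that fall inside the stated CVE ranges.

Added example (not Hugging Face or article code). Ranges come from the page:
CVE-2026-4372 affects 4.56.0 <= v < 5.3.0; CVE-2026-1839 is fixed in 5.0.0rc3
(no lower bound given, so everything earlier is treated as possibly affected).
"""
import re
from typing import Dict, List, Optional, Tuple

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:rc(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int, int]:
    """Turn '5.0.0rc3' into a sortable tuple; a final release sorts after its rcs."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported version string: {text!r}")
    major, minor, patch, rc = m.groups()
    is_final = 1 if rc is None else 0
    return (int(major), int(minor), int(patch), is_final, int(rc or 0))


# (cve id, introduced in, fixed in) as stated on the page.
# None for "introduced in" is an assumption: no lower bound was published here.
ADVISORIES: List[Tuple[str, Optional[str], str]] = [
    ("CVE-2026-4372", "4.56.0", "5.3.0"),
    ("CVE-2026-1839", None, "5.0.0rc3"),
]


def affected_by(installed: str) -> List[str]:
    """Return the CVE ids whose affected range contains the installed version."""
    v = parse_version(installed)
    hits = []
    for cve, introduced, fixed in ADVISORIES:
        above_lower = introduced is None or v >= parse_version(introduced)
        if above_lower and v < parse_version(fixed):
            hits.append(cve)
    return hits


def scan_freeze(freeze_output: str) -> Dict[str, List[str]]:
    """Map each 'transformers==X' pin found in pip-freeze output to its CVE hits."""
    result: Dict[str, List[str]] = {}
    for line in freeze_output.splitlines():
        name, sep, ver = line.strip().partition("==")
        if sep and name.lower() == "transformers":
            result[ver] = affected_by(ver)
    return result


# Constructed sample of `pip freeze` output from three hypothetical environments.
SAMPLE_FREEZE = """\
numpy==1.26.4
transformers==5.2.1
transformers==5.0.0rc2
transformers==5.3.0
"""

if __name__ == "__main__":
    for ver, cves in scan_freeze(SAMPLE_FREEZE).items():
        status = ", ".join(cves) if cves else "not in a stated affected range"
        print(f"transformers=={ver}: {status}")
```

Feed it the real output of pip freeze from each inference host or CI image; any version that maps to a non-empty list is one the first bullet tells you to upgrade. Because the range data is a plain list, revised bounds from the NVD or OpenCVE entries mentioned above can be dropped in without touching the comparison logic.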

Scoring Rationale

A critical remote code execution in the extremely widely used **Transformers** library represents a major supply-chain risk for ML platforms and practitioners. The bug's ability to run code during routine model loads and its wide exposure justify a high importance score.
