Description
A critical remote code execution vulnerability exists in all versions of the HuggingFace transformers library prior to version 5.3.0. The vulnerability allows an attacker to craft a malicious `config.json` file containing the `_attn_implementation_internal` field set to an attacker-controlled HuggingFace Hub repository ID. When a victim loads this model using the standard `AutoModelForCausalLM.from_pretrained()` API, the library downloads and executes arbitrary Python code from the attacker's repository with the victim's full OS privileges. This issue arises due to unfiltered deserialization of configuration attributes, insufficient sanitization of internal fields, and unsandboxed execution of downloaded kernels. The vulnerability bypasses the `trust_remote_code` security mechanism, is invisible to the victim, and exploits the standard documented usage pattern, making it particularly severe. Users are advised to upgrade to version 5.3.0 or later to mitigate this issue.
Published: 2026-05-24
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A maliciously crafted configuration file can place a special internal field that points to an attacker‑controlled repository. When a user loads a model through the normal "AutoModelForCausalLM.from_pretrained()" call, the library downloads and runs the code from that repository with the full privileges of the current process. This allows an adversary to execute arbitrary Python code on the host. The weakness falls under CWE‑1066 (Untrusted Input Sanitation) and CWE‑502 (Deserialization of Untrusted Data) and is classified with a CVSS score of 7.8, a high‑severity rating that reflects the potential to compromise confidentiality, integrity, and availability.

Affected Systems

All releases of the HuggingFace Transformers library older than 5.3.0 are affected, regardless of the host operating system. The vulnerability impacts any installation that pulls models from the HuggingFace Hub via the standard API.

Risk and Exploitability

Because the attack relies on a legitimate model download, the vector is inferred from the description; the description does not explicitly state the exact attack path, but it is clear that a malicious repository ID in a config.json triggers code execution. The vulnerability bypasses the trust_remote_code safeguard and has an EPSS score of 0.00032 (0.032%), indicating a low probability of exploitation at present but the potential impact remains severe. The CVSS score of 7.8 highlights that the risk is high, and that once exploited, an attacker would gain full operating‑system privileges on the victim’s machine.

Generated by OpenCVE AI on June 4, 2026 at 19:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade HuggingFace Transformers to 5.3.0 or newer.
  • Restrict usage of from_pretrained() to trusted repositories, treat any downloaded models as potentially malicious, and ensure that configuration files are parsed safely—reject or ignore unrecognized fields such as _attn_implementation_internal to prevent injection.
  • Run model inference inside a sandboxed or containerized environment with non‑privileged user rights to limit the blast radius of accidental or malicious code execution.

Generated by OpenCVE AI on June 4, 2026 at 19:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 04 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-502
CPEs cpe:2.3:a:huggingface:transformers:*:*:*:*:*:*:*:*

Tue, 26 May 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 25 May 2026 11:45:00 +0000

Type Values Removed Values Added
First Time appeared Huggingface
Huggingface transformers
Vendors & Products Huggingface
Huggingface transformers

Sun, 24 May 2026 14:00:00 +0000

Type Values Removed Values Added
Description A critical remote code execution vulnerability exists in all versions of the HuggingFace transformers library prior to version 5.3.0. The vulnerability allows an attacker to craft a malicious `config.json` file containing the `_attn_implementation_internal` field set to an attacker-controlled HuggingFace Hub repository ID. When a victim loads this model using the standard `AutoModelForCausalLM.from_pretrained()` API, the library downloads and executes arbitrary Python code from the attacker's repository with the victim's full OS privileges. This issue arises due to unfiltered deserialization of configuration attributes, insufficient sanitization of internal fields, and unsandboxed execution of downloaded kernels. The vulnerability bypasses the `trust_remote_code` security mechanism, is invisible to the victim, and exploits the standard documented usage pattern, making it particularly severe. Users are advised to upgrade to version 5.3.0 or later to mitigate this issue.
Title Arbitrary Remote Code Execution via `_attn_implementation_internal` Config Injection in huggingface/transformers
Weaknesses CWE-1066
References
Metrics cvssV3_0

{'score': 7.8, 'vector': 'CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Subscriptions

Huggingface Transformers
cve-icon MITRE

Status: PUBLISHED

Assigner: @huntr_ai

Published:

Updated: 2026-05-26T15:21:02.376Z

Reserved: 2026-03-18T10:04:09.683Z

Link: CVE-2026-4372

cve-icon Vulnrichment

Updated: 2026-05-26T15:20:57.850Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-24T14:16:16.917

Modified: 2026-06-04T18:24:15.227

Link: CVE-2026-4372

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-04T20:00:15Z

Weaknesses
  • CWE-1066

    Missing Serialization Control Element

  • CWE-502

    Deserialization of Untrusted Data