Description
A critical remote code execution vulnerability exists in all versions of the HuggingFace transformers library prior to version 5.3.0. The vulnerability allows an attacker to craft a malicious `config.json` file containing the `_attn_implementation_internal` field set to an attacker-controlled HuggingFace Hub repository ID. When a victim loads this model using the standard `AutoModelForCausalLM.from_pretrained()` API, the library downloads and executes arbitrary Python code from the attacker's repository with the victim's full OS privileges. This issue arises due to unfiltered deserialization of configuration attributes, insufficient sanitization of internal fields, and unsandboxed execution of downloaded kernels. The vulnerability bypasses the `trust_remote_code` security mechanism, is invisible to the victim, and exploits the standard documented usage pattern, making it particularly severe. Users are advised to upgrade to version 5.3.0 or later to mitigate this issue.
Published: 2026-05-24
Score: 7.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A maliciously crafted configuration file can place a special internal field that points to an attacker‑controlled repository. When a user loads a model through the normal "AutoModelForCausalLM.from_pretrained()" call, the library downloads and runs the code from that repository with the full privileges of the current process. This allows an adversary to execute arbitrary Python code on the host. The weakness falls under CWE‑1066 and is classified with a CVSS score of 7.8, a high‑severity rating that reflects the potential to compromise confidentiality, integrity, and availability.

Affected Systems

All releases of the HuggingFace Transformers library older than 5.3.0 are affected, regardless of the host operating system. The vulnerability impacts any installation that pulls models from the HuggingFace Hub via the standard API.

Risk and Exploitability

The attack vector is inferred from the description, which does not spell out the exact attack path; what is clear is that a malicious repository ID placed in config.json triggers code execution in the course of an otherwise legitimate model download. The vulnerability bypasses the trust_remote_code safeguard. It has no EPSS score, indicating that widespread exploitation has not yet been observed, but the potential impact remains severe. The CVSS score of 7.8 marks the risk as high: once exploited, the attacker runs code with the victim's full OS privileges.

Generated by OpenCVE AI on May 24, 2026 at 15:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade HuggingFace Transformers to 5.3.0 or newer.
  • Restrict usage of from_pretrained() to trusted repositories and treat any downloaded models as potentially malicious.
  • Run model inference inside a sandboxed or containerized environment with non‑privileged user rights to limit the blast radius of accidental or malicious code execution.
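As an added defender-side check (not part of the OpenCVE record or of the transformers project), the script below audits a model directory's `config.json` before it is handed to `from_pretrained()` and flags the `_attn_implementation_internal` field named in the CVE, or any attention setting whose value has the `owner/name` shape of a Hub repository ID. The allowlist of backend names and the key names other than `_attn_implementation_internal` are assumptions; it complements, and does not replace, the upgrade to 5.3.0.

```python
import json
from pathlib import Path
from typing import List

# Assumed allowlist of built-in attention backend names (hypothetical; check the
# installed transformers version for the real set). Anything else, and in
# particular a "namespace/repo" Hub ID, is treated as suspicious.
BUILTIN_ATTN_BACKENDS = {"eager", "sdpa", "flash_attention_2", "flex_attention"}

# Keys to inspect; the underscore-prefixed "internal" key is the one named in the CVE,
# the other two are assumed public spellings of the same setting.
ATTN_KEYS = ("_attn_implementation_internal", "_attn_implementation", "attn_implementation")


def audit_config(config: dict) -> List[str]:
    """Return human-readable findings for a parsed config.json; [] means clean."""
    findings = []
    for key in ATTN_KEYS:
        if key not in config:
            continue
        value = config[key]
        if key == "_attn_implementation_internal":
            # An internal field has no business being in a distributed config.json.
            findings.append(f"{key}: internal field present in on-disk config ({value!r})")
        if not isinstance(value, str):
            findings.append(f"{key}: unexpected non-string value {value!r}")
        elif "/" in value:
            # "owner/name" is the shape of a Hub repository ID, i.e. code fetched remotely.
            findings.append(f"{key}: value {value!r} looks like a Hub repository ID")
        elif value not in BUILTIN_ATTN_BACKENDS:
            findings.append(f"{key}: unknown attention backend {value!r}")
    return findings


def audit_model_dir(model_dir: str) -> List[str]:
    """Audit <model_dir>/config.json before handing the directory to from_pretrained()."""
    with open(Path(model_dir) / "config.json", encoding="utf-8") as f:
        return audit_config(json.load(f))


# Constructed sample configs (not real model files); the repo ID is a placeholder.
BENIGN_CONFIG = {"model_type": "llama", "_attn_implementation": "sdpa"}
SUSPICIOUS_CONFIG = {"model_type": "llama",
                     "_attn_implementation_internal": "some-namespace/some-kernel-repo"}

if __name__ == "__main__":
    for name, cfg in (("benign", BENIGN_CONFIG), ("suspicious", SUSPICIOUS_CONFIG)):
        print(name, audit_config(cfg) or "clean")
```

Run the audit on the downloaded snapshot directory and refuse to load when it returns any finding.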


Advisories

No advisories yet.

History

Sun, 24 May 2026 14:00:00 +0000

Type         Values Removed   Values Added
Description  (none)           A critical remote code execution vulnerability exists in all versions of the HuggingFace transformers library prior to version 5.3.0. The vulnerability allows an attacker to craft a malicious `config.json` file containing the `_attn_implementation_internal` field set to an attacker-controlled HuggingFace Hub repository ID. When a victim loads this model using the standard `AutoModelForCausalLM.from_pretrained()` API, the library downloads and executes arbitrary Python code from the attacker's repository with the victim's full OS privileges. This issue arises due to unfiltered deserialization of configuration attributes, insufficient sanitization of internal fields, and unsandboxed execution of downloaded kernels. The vulnerability bypasses the `trust_remote_code` security mechanism, is invisible to the victim, and exploits the standard documented usage pattern, making it particularly severe. Users are advised to upgrade to version 5.3.0 or later to mitigate this issue.
Title        (none)           Arbitrary Remote Code Execution via `_attn_implementation_internal` Config Injection in huggingface/transformers
Weaknesses   (none)           CWE-1066
References   (none)           (none)
Metrics      (none)           cvssV3_0: {'score': 7.8, 'vector': 'CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: @huntr_ai

Published:

Updated: 2026-05-24T13:40:40.995Z

Reserved: 2026-03-18T10:04:09.683Z

Link: CVE-2026-4372

Vulnrichment

No data.

NVD

No data.

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-05-24T16:00:03Z

Weaknesses