4.47.1
8 years ago
8 days ago
Known vulnerabilities in the transformers package. This does not include vulnerabilities belonging to this package’s dependencies.
Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for freeVulnerability | Vulnerable Version |
---|---|
transformers is a State-of-the-art Machine Learning for JAX, PyTorch and TensorFlow Affected versions of this package are vulnerable to Deserialization of Untrusted Data through the parsing of model files, due to the lack of proper validation of user-supplied data. This is only exploitable if the target visits a malicious page or opens a malicious MaskFormer model file. Note: The maintainers of this package are not addressing this vulnerability as it is limited to accessory conversion scripts and does not impact core library functions. The need for the attacker to provide a malicious model file which is then converted using the relevant script is considered an unrealistic attack vector. Since mitigation would require the complete removal of these scripts, the issue is not expected to be fixed. How to fix Deserialization of Untrusted Data? There is no fixed version for | [0,) |
transformers is a State-of-the-art Machine Learning for JAX, PyTorch and TensorFlow Affected versions of this package are vulnerable to Deserialization of Untrusted Data due to the handling of configuration files. This is only exploitable if the target visits a malicious page or opens a malicious MobileViTV2 config file. Note: The maintainers of this package are not addressing this vulnerability as it is limited to accessory conversion scripts and does not impact core library functions. The need for the attacker to provide a malicious model file which is then converted using the relevant script is considered an unrealistic attack vector. Since mitigation would require the complete removal of these scripts, the issue is not expected to be fixed. How to fix Deserialization of Untrusted Data? There is no fixed version for | [0,) |
transformers is a State-of-the-art Machine Learning for JAX, PyTorch and TensorFlow Affected versions of this package are vulnerable to Deserialization of Untrusted Data through the handling of model files, due to the lack of proper validation of user-supplied data. This is only exploitable if the target visits a malicious page or opens a malicious Trax model file. Note: The maintainers of this package are not addressing this vulnerability as it is limited to accessory conversion scripts and does not impact core library functions. The need for the attacker to provide a malicious model file which is then converted using the relevant script is considered an unrealistic attack vector. Since mitigation would require the complete removal of these scripts, the issue is not expected to be fixed. How to fix Deserialization of Untrusted Data? There is no fixed version for | [0,) |