Homepage

transformers@4.47.1 vulnerabilities

State-of-the-art Machine Learning for JAX, PyTorch and TensorFlow

  • latest version

    4.47.1

  • first published

    8 years ago

  • latest version published

    4 days ago

  • licenses detected

  • View transformers package health on Snyk Advisor  (opens in a new tab)
    • Go back to all versions of this package
    Report a new vulnerability Found a mistake?

    Direct Vulnerabilities

    Known vulnerabilities in the transformers package. This does not include vulnerabilities belonging to this package’s dependencies.

    How to fix?

    Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

    Fix for free
    VulnerabilityVulnerable Version
    • L
    Deserialization of Untrusted Data

    transformers is a State-of-the-art Machine Learning for JAX, PyTorch and TensorFlow

    Affected versions of this package are vulnerable to Deserialization of Untrusted Data through the parsing of model files, due to the lack of proper validation of user-supplied data. This is only exploitable if the target visits a malicious page or opens a malicious MaskFormer model file.

    Note: The maintainers of this package are not addressing this vulnerability as it is limited to accessory conversion scripts and does not impact core library functions. The need for the attacker to provide a malicious model file which is then converted using the relevant script is considered an unrealistic attack vector. Since mitigation would require the complete removal of these scripts, the issue is not expected to be fixed.

    How to fix Deserialization of Untrusted Data?

    There is no fixed version for transformers.

    [0,)
    • L
    Deserialization of Untrusted Data

    transformers is a State-of-the-art Machine Learning for JAX, PyTorch and TensorFlow

    Affected versions of this package are vulnerable to Deserialization of Untrusted Data due to the handling of configuration files. This is only exploitable if the target visits a malicious page or opens a malicious MobileViTV2 config file.

    Note: The maintainers of this package are not addressing this vulnerability as it is limited to accessory conversion scripts and does not impact core library functions. The need for the attacker to provide a malicious model file which is then converted using the relevant script is considered an unrealistic attack vector. Since mitigation would require the complete removal of these scripts, the issue is not expected to be fixed.

    How to fix Deserialization of Untrusted Data?

    There is no fixed version for transformers.

    [0,)
    • L
    Deserialization of Untrusted Data

    transformers is a State-of-the-art Machine Learning for JAX, PyTorch and TensorFlow

    Affected versions of this package are vulnerable to Deserialization of Untrusted Data through the handling of model files, due to the lack of proper validation of user-supplied data. This is only exploitable if the target visits a malicious page or opens a malicious Trax model file.

    Note: The maintainers of this package are not addressing this vulnerability as it is limited to accessory conversion scripts and does not impact core library functions. The need for the attacker to provide a malicious model file which is then converted using the relevant script is considered an unrealistic attack vector. Since mitigation would require the complete removal of these scripts, the issue is not expected to be fixed.

    How to fix Deserialization of Untrusted Data?

    There is no fixed version for transformers.

    [0,)
    Go back to all versions of this package