transformers@4.57.6 vulnerabilities

transformers is a State-of-the-art Machine Learning for JAX, PyTorch and TensorFlow

Affected versions of this package are vulnerable to Arbitrary Code Injection via the convert_config function. An attacker can execute arbitrary code by supplying a malicious checkpoint file that is processed without proper validation.

Note:

The report of this vulnerability was rejected by the package's maintainers. See the project's security policy for more information.

There is no fixed version for transformers.

transformers is a State-of-the-art Machine Learning for JAX, PyTorch and TensorFlow

Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the parsing process of model files. An attacker can execute arbitrary code in the context of the current user by tricking a user into opening a malicious file or visiting a malicious page that triggers deserialization of untrusted data.

Note:

The report of this vulnerability was rejected by the package's maintainers. See the project's security policy for more information.

There is no fixed version for transformers.

transformers is a State-of-the-art Machine Learning for JAX, PyTorch and TensorFlow

Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the megatron_gpt2 process. An attacker can achieve arbitrary code execution by tricking a user into opening a malicious file or visiting a crafted page that triggers deserialization of untrusted data.

Note:

The report of this vulnerability was rejected by the package's maintainers for being out of scope for the bug bounty program. See the project's security policy for more information.

There is no fixed version for transformers.

transformers is a State-of-the-art Machine Learning for JAX, PyTorch and TensorFlow

Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the parsing of model files. An attacker can execute arbitrary code by tricking a user into opening a specially crafted model file.

Note:

The vendor closed the case as a duplicate of another report.

Upgrade transformers to version 5.0.0rc1 or higher.

transformers is a State-of-the-art Machine Learning for JAX, PyTorch and TensorFlow

Affected versions of this package are vulnerable to Arbitrary Code Injection via the convert_config function. An attacker can execute arbitrary code by supplying a crafted checkpoint file that is processed without proper validation.

Note:

The report of this vulnerability was rejected by the package's maintainers for being out of scope for the bug bounty program. See the project's security policy for more information.

There is no fixed version for transformers.

transformers is a State-of-the-art Machine Learning for JAX, PyTorch and TensorFlow

Affected versions of this package are vulnerable to Deserialization of Untrusted Data in the parsing of checkpoints. An attacker can achieve arbitrary code execution by tricking a user into opening a malicious checkpoint file.

Note:

The report of this vulnerability was rejected by the package's maintainers for being out of scope for the bug bounty program. See the project's security policy for more information.

There is no fixed version for transformers.