CVE-2026-4372— Arbitrary Remote Code Execution via `_attn_implementation_internal` Config Injection in huggingface/transformers

Arbitrary Remote Code Execution via `_attn_implementation_internal` Config Injection in huggingface/transformers

A critical remote code execution vulnerability exists in all versions of the HuggingFace transformers library prior to version 5.3.0. The vulnerability allows an attacker to craft a malicious `config.json` file containing the `_attn_implementation_internal` field set to an attacker-controlled HuggingFace Hub repository ID. When a victim loads this model using the standard `AutoModelForCausalLM.from_pretrained()` API, the library downloads and executes arbitrary Python code from the attacker's repository with the victim's full OS privileges. This issue arises due to unfiltered deserialization of configuration attributes, insufficient sanitization of internal fields, and unsandboxed execution of downloaded kernels. The vulnerability bypasses the `trust_remote_code` security mechanism, is invisible to the victim, and exploits the standard documented usage pattern, making it particularly severe. Users are advised to upgrade to version 5.3.0 or later to mitigate this issue.

N/A

缺少序列化控件元素

Hugging Face Transformers 安全漏洞

Hugging Face Transformers是Hugging Face开源的一个用于定义最先进机器学习模型的框架，涵盖文本、视觉、音频和多模态模型，可用于推理和训练。 Hugging Face Transformers 5.3.0之前版本存在安全漏洞，该漏洞源于配置属性的未过滤反序列化、内部字段清理不足以及下载内核的未沙箱执行，可能导致攻击者通过特制的config.json文件在受害者加载模型时下载并执行任意Python代码，绕过trust_remote_code安全机制。

N/A

N/A