huggingface — Vulnerabilities & Security Advisories 24

Browse all 24 CVE security advisories affecting huggingface. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Hugging Face operates as a collaborative platform for machine learning, primarily hosting models, datasets, and applications to facilitate open-source AI development. While its core infrastructure relies on standard web technologies, security audits have identified twenty-four recorded Common Vulnerabilities and Exposures (CVEs). Historically, these issues predominantly involve cross-site scripting (XSS) and server-side request forgery (SSRF), stemming from complex input handling within its Python-based backend and JavaScript frontend components. Although critical remote code execution (RCE) vulnerabilities have been rare, the platform’s role as a central hub for model distribution amplifies the impact of any compromise. Notable incidents have largely focused on data exposure risks rather than direct system takeovers, highlighting the inherent challenges in securing large-scale, community-driven repositories. Continuous patching and strict access controls remain essential to mitigate these evolving threats within its extensive ecosystem.

| CVE ID | Title | CVSS | Severity | Published |
|---|---|---|---|---|
| CVE-2026-1839 | Arbitrary Code Execution via Unsafe torch.load() in Trainer Checkpoint Loading in huggingface/transformers — huggingface/transformers, CWE-502 | 9.8 (AI) | Critical (AI) | 2026-04-07 |
| CVE-2026-4963 | huggingface smolagents Incomplete Fix CVE-2025-9959 local_python_executor.py evaluate_with code injection — smolagents, CWE-94 | 6.3 | Medium | 2026-03-27 |
| CVE-2026-2654 | huggingface smolagents LocalPythonExecutor requests.post server-side request forgery — smolagents, CWE-918 | 6.3 | Medium | 2026-02-18 |
| CVE-2026-0599 | Unbounded External Image Fetch in Validation Leads to Resource-Exhaustion DoS in huggingface/text-generation-inference — huggingface/text-generation-inference, CWE-400 | 7.5 (AI) | High (AI) | 2026-02-02 |
| CVE-2025-11844 | XPath Injection in Hugging Face Smolagents search_item_ctrl_f Function — huggingface/smolagents, CWE-643 | 9.1 (AI) | Critical (AI) | 2025-10-22 |
| CVE-2025-6921 | Regular Expression Denial of Service (ReDoS) in huggingface/transformers — huggingface/transformers, CWE-400 | 7.5 | - | 2025-09-23 |
| CVE-2025-10772 | huggingface LeRobot ZeroMQ Socket lekiwi_remote.py missing authentication — LeRobot, CWE-306 | 6.3 | Medium | 2025-09-21 |
| CVE-2025-6051 | Regular Expression Denial of Service (ReDoS) in huggingface/transformers — huggingface/transformers, CWE-1333 | 7.5 | - | 2025-09-14 |
| CVE-2025-6638 | Regular Expression Denial of Service (ReDoS) in huggingface/transformers — huggingface/transformers, CWE-1333 | 7.5 | - | 2025-09-12 |
| CVE-2025-5197 | Regular Expression Denial of Service (ReDoS) in huggingface/transformers — huggingface/transformers, CWE-1333 | 7.5 | - | 2025-08-06 |
| CVE-2025-5120 | Sandbox Escape Vulnerability in huggingface/smolagents — huggingface/smolagents, CWE-94 | 10.0 | - | 2025-07-27 |
| CVE-2025-3933 | Regular Expression Denial of Service (ReDoS) in huggingface/transformers — huggingface/transformers, CWE-1333 | 7.5 (AI) | High (AI) | 2025-07-11 |
| CVE-2025-3777 | Improper Input Validation in huggingface/transformers — huggingface/transformers, CWE-20 | 9.1 | - | 2025-07-07 |
| CVE-2025-3264 | Regular Expression Denial of Service (ReDoS) in huggingface/transformers — huggingface/transformers, CWE-1333 | 7.5 | - | 2025-07-07 |
| CVE-2025-3263 | Regular Expression Denial of Service (ReDoS) in huggingface/transformers — huggingface/transformers, CWE-1333 | 7.5 | - | 2025-07-07 |
| CVE-2025-3262 | Regular Expression Denial of Service (ReDoS) in huggingface/transformers — huggingface/transformers, CWE-1333 | 7.5 | - | 2025-07-07 |
| CVE-2025-2099 | Regular Expression Denial of Service (ReDoS) in huggingface/transformers — huggingface/transformers, CWE-1333 | 7.5 | - | 2025-05-19 |
| CVE-2025-1194 | Regular Expression Denial of Service (ReDoS) in huggingface/transformers — huggingface/transformers, CWE-1333 | 7.5 (AI) | High (AI) | 2025-04-29 |
| CVE-2024-12720 | Regular Expression Denial of Service (ReDoS) in huggingface/transformers — huggingface/transformers, CWE-1333 | 7.5 | - | 2025-03-20 |
| CVE-2024-3924 | Code Injection in huggingface/text-generation-inference — huggingface/text-generation-inference, CWE-94 | 8.8 (AI) | High (AI) | 2024-05-30 |
| CVE-2024-3568 | Arbitrary Code Execution via Deserialization in huggingface/transformers — huggingface/transformers, CWE-502 | 8.8 (AI) | High (AI) | 2024-04-10 |
| CVE-2023-7018 | Deserialization of Untrusted Data in huggingface/transformers — huggingface/transformers, CWE-502 | 9.8 | - | 2023-12-20 |
| CVE-2023-6730 | Deserialization of Untrusted Data in huggingface/transformers — huggingface/transformers, CWE-502 | 9.8 | - | 2023-12-19 |
| CVE-2023-2800 | Insecure Temporary File in huggingface/transformers — huggingface/transformers, CWE-377 | - | - | 2023-05-18 |

This page lists every published CVE security advisory associated with huggingface. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.