Browse all 24 CVE security advisories affecting huggingface. AI-powered Chinese analysis, POCs, and references for each vulnerability.
Hugging Face operates as a collaborative platform for machine learning, primarily hosting models, datasets, and applications to facilitate open-source AI development. While its core infrastructure relies on standard web technologies, security audits have identified twenty-four recorded Common Vulnerabilities and Exposures (CVEs). Historically, these issues predominantly involve cross-site scripting (XSS) and server-side request forgery (SSRF), stemming from complex input handling within its Python-based backend and JavaScript frontend components. Although critical remote code execution (RCE) vulnerabilities have been rare, the platform’s role as a central hub for model distribution amplifies the impact of any compromise. Notable incidents have largely focused on data exposure risks rather than direct system takeovers, highlighting the inherent challenges in securing large-scale, community-driven repositories. Continuous patching and strict access controls remain essential to mitigate these evolving threats within its extensive ecosystem.

| CVE ID | Title | CVSS | Severity | Published |
|---|---|---|---|---|
| CVE-2025-10772 | huggingface LeRobot ZeroMQ Socket lekiwi_remote.py missing authentication — LeRobot (CWE-306) | 6.3 | Medium | 2025-09-21 |

This page lists every published CVE security advisory associated with huggingface. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.