Monthly
Remote code execution in HuggingFace Transformers prior to 5.3.0 allows attackers to achieve arbitrary code execution on a victim's machine by publishing a malicious model whose config.json sets the `_attn_implementation_internal` field to an attacker-controlled Hub repository. When the victim calls the standard `AutoModelForCausalLM.from_pretrained()` API, the library silently downloads and executes Python kernels from that repository with the victim's privileges, bypassing the `trust_remote_code` safety gate. No public exploit is identified at time of analysis (EPSS 0.03%, SSVC exploitation: none), but the technical impact is total and the attack uses the documented, default usage pattern.
Remote code execution in HuggingFace Transformers prior to 5.3.0 allows attackers to achieve arbitrary code execution on a victim's machine by publishing a malicious model whose config.json sets the `_attn_implementation_internal` field to an attacker-controlled Hub repository. When the victim calls the standard `AutoModelForCausalLM.from_pretrained()` API, the library silently downloads and executes Python kernels from that repository with the victim's privileges, bypassing the `trust_remote_code` safety gate. No public exploit is identified at time of analysis (EPSS 0.03%, SSVC exploitation: none), but the technical impact is total and the attack uses the documented, default usage pattern.