
Hugging Face Transformers: RCE Vulnerability in Model Configurations Bypasses Security Measures

Bottom line: Hugging Face Transformers allows silent remote code execution via obfuscated parameters in model configurations as long as the optional kernels package is installed (CVE-2026-4372, patched in 5.3.0).

A critical security vulnerability (CVE-2026-4372) in the Hugging Face Transformers library enables remote code execution via manipulated model configurations. The vulnerability affects versions from 4.56.0 (August 2024) onward and was only patched in version 5.3.0; the affected versions are downloaded 7 to 8 million times weekly.

The security flaw was identified by researchers at Pluto Security and is triggered by a manipulated parameter named _attn_implementation_internal in remote model configuration files on Hugging Face. This parameter bypasses the normally enabled trust_remote_code=false protection, which is meant to prevent automatic execution of remote code. The exploit leaves no warnings, confirmation dialogs, or suspicious log entries behind.

The Hugging Face Transformers library is downloaded over 146 million times monthly and has a total of 2.2 billion installations. It enables Python developers to deploy over 1 million machine learning model variants on local hardware or cloud instances and is widely used in enterprise environments and CI/CD pipelines. Approximately one quarter of all weekly installations still use vulnerable versions.

The security vulnerability arises from three interacting design decisions. First, when a model is loaded with AutoModelForCausalLM.from_pretrained(), the library uses setattr to copy every key-value pair from config.json onto the configuration object. Second, a feature called Hub Kernels, introduced in March 2024, lets users host custom compiled attention kernels; these improve GPU performance but require the additional kernels package. Third, a system is therefore only vulnerable if the optional kernels package is installed, which is particularly common in GPU-accelerated inference – precisely the most valuable target environments, such as enterprise ML platforms and GPU clusters.
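Because the library copies every config.json key onto the configuration object, a defender can catch the attack surface before from_pretrained() ever runs: parse the downloaded config.json, reject the _attn_implementation_internal key named in the advisory along with any other private (underscore-prefixed) key that a model author has no reason to ship, and check the installed Transformers version against the fixed release 5.3.0. The following is an added example written for this article; it is not code from the Transformers project or from Pluto Security. It assumes the PyPI distribution names are `transformers` and `kernels`, and the sample configs it inspects are constructed here.

```python
"""Pre-load inspector for Hugging Face model config.json files.

Added example (not from the original article or the Transformers project).
Run it over a downloaded model directory before calling from_pretrained():
it refuses configs carrying _attn_implementation_internal (the key named in
the advisory) or any other private key, and reports whether the installed
Transformers version is in the affected range [4.56.0, 5.3.0).
"""
import json
import re
from importlib import metadata

FIRST_AFFECTED = (4, 56, 0)   # first affected release, per the advisory
FIXED_VERSION = (5, 3, 0)     # release that carries the fix
# Key named in the advisory; kept in an explicit denylist so the finding is loud.
DENIED_KEYS = {"_attn_implementation_internal"}

# Constructed sample configs for this example (not real model files).
GOOD_CONFIG = json.dumps({"model_type": "llama", "hidden_size": 4096,
                          "num_hidden_layers": 32})
BAD_CONFIG = json.dumps({"model_type": "llama", "hidden_size": 4096,
                         "_attn_implementation_internal": "PLACEHOLDER-UNTRUSTED-VALUE"})
NESTED_BAD_CONFIG = json.dumps({"model_type": "llava", "text_config": {
    "model_type": "llama", "_attn_implementation_internal": "PLACEHOLDER-UNTRUSTED-VALUE"}})


def parse_version(text):
    """Turn '5.2.1.dev0' or '5.3.0rc1' into a 3-tuple of ints; non-numeric tails are ignored."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts + [0] * (3 - len(parts)))[:3]


def transformers_is_vulnerable(version_text=None):
    """True if the given (or installed) transformers version is in [4.56.0, 5.3.0).
    Returns None when transformers is not installed and no version was supplied."""
    if version_text is None:
        try:
            version_text = metadata.version("transformers")  # assumed distribution name
        except metadata.PackageNotFoundError:
            return None
    return FIRST_AFFECTED <= parse_version(version_text) < FIXED_VERSION


def kernels_is_installed():
    """True if the optional kernels package (assumed distribution name) is importable metadata-wise."""
    try:
        metadata.version("kernels")
        return True
    except metadata.PackageNotFoundError:
        return False


def inspect_config(config, path="config"):
    """Return a list of findings for a config.json string or dict; [] means it passed.
    Sub-configs (nested objects such as text_config) are walked recursively."""
    cfg = json.loads(config) if isinstance(config, str) else config
    if not isinstance(cfg, dict):
        return [f"{path}: root is not a JSON object"]
    findings = []
    for key, value in cfg.items():
        if key in DENIED_KEYS:
            findings.append(f"{path}.{key}: key named in the advisory is present")
        elif key.startswith("_"):
            findings.append(f"{path}.{key}: private key present, refusing to load")
        if isinstance(value, dict):
            findings.extend(inspect_config(value, f"{path}.{key}"))
    return findings


def check_model_dir(directory):
    """Inspect <directory>/config.json and raise if it must not be loaded."""
    with open(f"{directory}/config.json", encoding="utf-8") as fh:
        findings = inspect_config(fh.read())
    if findings:
        raise RuntimeError("unsafe model config:\n  " + "\n  ".join(findings))


if __name__ == "__main__":
    for name, cfg in [("good", GOOD_CONFIG), ("bad", BAD_CONFIG), ("nested", NESTED_BAD_CONFIG)]:
        print(name, inspect_config(cfg) or "OK")
    print("transformers vulnerable:", transformers_is_vulnerable())
    print("kernels installed:", kernels_is_installed())
```

The denylist catches the specific key from the advisory, while the underscore rule catches the general class: internal attributes that the loader would otherwise accept from an untrusted file. In a pipeline, run check_model_dir() on the snapshot directory right after download and before any from_pretrained() call, and treat a vulnerable Transformers version combined with an installed kernels package as a blocking condition until the upgrade to 5.3.0 lands.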

Hugging Face patched the vulnerability on March 3, 2025 by releasing Transformers 5.3.0. The repository has over 161,000 GitHub stars and is one of the highest-rated projects on the platform, which means the impact potential of an RCE vulnerability is considerable. This underscores the growing relevance of security in the AI supply chain, as attackers increasingly host manipulated models on Hugging Face to compromise systems.


Source: www.csoonline.com · Published June 4, 2026
Lumi AI News — AI-assisted curation pursuant to Art. 50 EU AI Act. Paraphrasing and classification via Lumi News Pipeline v1.2.9.
