{"id":"PYSEC-2026-1978","summary":"Transformers Deserialization of Untrusted Data vulnerability","details":"The huggingface/transformers library is vulnerable to arbitrary code execution through deserialization of untrusted data within the `load_repo_checkpoint()` function of the `TFPreTrainedModel()` class. Attackers can execute arbitrary code and commands by crafting a malicious serialized payload, exploiting the use of `pickle.load()` on data from potentially untrusted sources. This vulnerability allows for remote code execution (RCE) by deceiving victims into loading a seemingly harmless checkpoint during a normal training process, thereby enabling attackers to execute arbitrary code on the targeted machine.","aliases":["CVE-2024-3568","GHSA-37q5-v5qm-c9v8"],"modified":"2026-07-07T17:48:11.555304072Z","published":"2026-07-07T11:45:37.939935Z","references":[{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-3568"},{"type":"WEB","url":"https://github.com/huggingface/transformers/commit/693667b8ac8138b83f8adb6522ddaf42fa07c125"},{"type":"PACKAGE","url":"https://github.com/huggingface/transformers"},{"type":"WEB","url":"https://huntr.com/bounties/b3c36992-5264-4d7f-9906-a996efafba8f"},{"type":"PACKAGE","url":"https://pypi.org/project/transformers"},{"type":"ADVISORY","url":"https://github.com/advisories/GHSA-37q5-v5qm-c9v8"}],"affected":[{"package":{"name":"transformers","ecosystem":"PyPI","purl":"pkg:pypi/transformers"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"4.38.0"}]}],"versions":["0.1","2.0.0","2.1.0","2.1.1","2.10.0","2.11.0","2.2.0","2.2.1","2.2.2","2.3.0","2.4.0","2.4.1","2.5.0","2.5.1","2.6.0","2.7.0","2.8.0","2.9.0","2.9.1","3.0.0","3.0.1","3.0.2","3.1.0","3.2.0","3.3.0","3.3.1","3.4.0","3.5.0","3.5.1","4.0.0","4.0.0rc1","4.0.1","4.1.0","4.1.1","4.10.0","4.10.1","4.10.2","4.10.3","4.11.0","4.11.1","4.11.2","4.11.3","4.12.0","4.12.1","4.12.2","4.12.3","4.12.4","4.12.5","4.13.0","4.14.0","4.14.1","4.15.0","4.16.0","4.16.1","4.16.2","4.17.0","4.18.0","4.19.0","4.19.1","4.19.2","4.19.3","4.19.4","4.2.0","4.2.1","4.2.2","4.20.0","4.20.1","4.21.0","4.21.1","4.21.2","4.21.3","4.22.0","4.22.1","4.22.2","4.23.0","4.23.1","4.24.0","4.25.0","4.25.1","4.26.0","4.26.1","4.27.0","4.27.1","4.27.2","4.27.3","4.27.4","4.28.0","4.28.1","4.29.0","4.29.1","4.29.2","4.3.0","4.3.0rc1","4.3.1","4.3.2","4.3.3","4.30.0","4.30.1","4.30.2","4.31.0","4.32.0","4.32.1","4.33.0","4.33.1","4.33.2","4.33.3","4.34.0","4.34.1","4.35.0","4.35.1","4.35.2","4.36.0","4.36.1","4.36.2","4.37.0","4.37.1","4.37.2","4.4.0","4.4.1","4.4.2","4.5.0","4.5.1","4.6.0","4.6.1","4.7.0","4.8.0","4.8.1","4.8.2","4.9.0","4.9.1","4.9.2"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/transformers/PYSEC-2026-1978.yaml"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:N/A:L"}]}