CVE-2025-3777

Опубликовано: 07 июл. 2025

Источник: nvd

CVSS3: 3.5

EPSS Низкий

Описание

Hugging Face Transformers versions up to 4.49.0 are affected by an improper input validation vulnerability in the image_utils.py file. The vulnerability arises from insecure URL validation using the startswith() method, which can be bypassed through URL username injection. This allows attackers to craft URLs that appear to be from YouTube but resolve to malicious domains, potentially leading to phishing attacks, malware distribution, or data exfiltration. The issue is fixed in version 4.52.1.

Ссылки

https://github.com/huggingface/transformers/commit/4dda5f71b35fb70cf602187eef84bb17a50b9082
Patch
https://huntr.com/bounties/ccba0730-9248-4853-b7ff-5c20e6364f09
Exploit
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:huggingface:transformers:*:*:*:*:*:*:*:*

Версия до 4.52.1 (исключая)

EPSS

Процентиль: 22%

0.00069

Низкий

3.5 Low

CVSS3

Дефекты

CWE-20

NVD-CWE-noinfo

Связанные уязвимости

CVE-2025-3777

CVSS3: 3.5

redhat

2 месяца назад

Hugging Face Transformers versions up to 4.49.0 are affected by an improper input validation vulnerability in the `image_utils.py` file. The vulnerability arises from insecure URL validation using the `startswith()` method, which can be bypassed through URL username injection. This allows attackers to craft URLs that appear to be from YouTube but resolve to malicious domains, potentially leading to phishing attacks, malware distribution, or data exfiltration. The issue is fixed in version 4.52.1.

GHSA-phhr-52qp-3mj4

CVSS3: 3.5

github

2 месяца назад

Transformers's Improper Input Validation vulnerability can be exploited through username injection

EPSS

Процентиль: 22%

0.00069

Низкий

3.5 Low

CVSS3

Дефекты

CWE-20

NVD-CWE-noinfo