Hugging Face Transformers Flaw Let Malicious Models Bypass `trust_remote_code`
A critical remote code execution flaw in Hugging Face's transformers library allowed attacker-controlled model repositories to run arbitrary code during the standard from_pretrained() loading process, even when trust_remote_code=False was set. The issue was tied to unsafe handling of untrusted model configuration data, including nested configuration resolution in the LightGlue loading path, where values from config.json could override the intended safety setting and trigger execution of attacker-supplied Python modules during model initialization.
Reports said the vulnerability affected transformers versions 4.56.0 through 5.2.x in environments where the kernels package was installed, with version 5.2.0 specifically cited in LightGlue-related exploitation scenarios. Exposed targets included inference servers, research notebooks, CI/CD pipelines, and automated model evaluation systems, where successful compromise could enable theft of cloud credentials, API keys, SSH keys, proprietary datasets, lateral movement, persistence, and backdoor deployment. Hugging Face released a fix in transformers 5.3.0 and urged organizations to upgrade and treat model loading as a code execution surface.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
Hugging Face releases Transformers 5.3.0 to fix the flaw
Hugging Face released a fix for the vulnerability in Transformers version 5.3.0 and urged organizations to upgrade immediately. The advisory also warned users to treat model loading as a code execution surface.
Hugging Face discloses Transformers RCE vulnerability
A critical remote code execution flaw in Hugging Face Transformers was disclosed, showing that attacker-controlled model configuration data could bypass the intended protection of setting trust_remote_code=False during model loading. The issue was reported as affecting model-loading workflows and enabling arbitrary code execution from malicious model repositories.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
Critical Hugging Face Transformers Vulnerability Enables Remote Code Execution Attacks
cybersecuritynews.com
Open sourceCritical vulnerability in Hugging Face Transformers library allowed arbitrary code execution | brief | SC Media
scworld.com
Open sourceHugging Face Transformers RCE flaw enables stealthy compromise via AI model configs | CSO Online
csoonline.com
Open sourceCVE-2026-5241 - Policy Bypass in LightGlue Nested Config Resolution in huggingface/transformers
cvefeed.io
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Unsafe Deserialization Flaws Expose KTransformers and LeRobot to Remote Code Execution
Two AI infrastructure projects, **KTransformers** and **LeRobot**, were found vulnerable to unauthenticated remote code execution caused by unsafe deserialization of attacker-controlled data with `pickle.loads()`. **KTransformers** through version `0.5.3` is affected in its `balance_serve` backend mode, where the scheduler RPC server binds a ZeroMQ `ROUTER` socket to all interfaces without authentication and processes untrusted messages, allowing an attacker to send a crafted pickle payload and execute arbitrary code with the privileges of the `ktransformers` process. The issue was tracked as `CVE-2026-26210`, mapped to **CWE-502**, and assigned a **CVSS v3.1** score vector of `AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`. **LeRobot** through version `0.5.1` was similarly exposed through its async inference pipeline, where policy server and robot client components deserialize data received over unauthenticated gRPC channels without TLS. A network-reachable attacker can trigger code execution on either side by sending crafted payloads through the `SendPolicyInstructions`, `SendObservations`, or `GetActions` gRPC calls. That flaw, tracked as `CVE-2026-25874`, also carries a **CWE-502** classification and a **CVSS v4.0** rating reflecting low-complexity network exploitation with no privileges or user interaction and high impact to confidentiality, integrity, and availability. Public references for both issues include technical write-ups, GitHub remediation activity, and VulnCheck advisories.
May 24, 2026
Critical Remote Code Execution Vulnerability in Keras 3 via TorchModuleWrapper Deserialization
A critical remote code execution (RCE) vulnerability, tracked as CVE-2025-49655, has been identified in the Keras machine learning framework, specifically affecting versions 3.11.0 up to but not including 3.11.3. The flaw arises from unsafe deserialization of untrusted data within the TorchModuleWrapper class, which can be exploited when a maliciously crafted Keras file is loaded. This vulnerability allows attackers to execute arbitrary code on the victim's system, even if Keras is running in safe mode, significantly increasing the risk profile for users who routinely load external or shared model files. The issue can be triggered through both local and remote files, making it exploitable in a variety of deployment scenarios, including cloud-based and on-premises environments. The vulnerability has been assigned a CVSS v3.1 base score of 9.8, categorizing it as critical due to the ease of exploitation and the potential impact. Security researchers have highlighted that the attack does not require authentication, and exploitation can occur simply by loading a malicious model file. The vulnerability was publicly disclosed in October 2025, with security advisories urging immediate action. At the time of disclosure, the affected product versions were clearly identified, but some databases had not yet listed all impacted vendors or products. The Keras development team has released a patch in version 3.11.3 to address the issue, and users are strongly advised to upgrade to this version or later. Organizations using Keras in production or research environments should audit their model loading workflows and restrict the use of untrusted model files. The vulnerability underscores the broader risks associated with deserialization flaws in machine learning frameworks, which are increasingly targeted due to their widespread adoption. Security teams are encouraged to monitor for suspicious activity related to model file handling and to implement additional controls where feasible. The incident has prompted renewed calls for secure coding practices and rigorous input validation in AI and machine learning software. The rapid response from the Keras maintainers has been noted, but the incident serves as a warning for similar frameworks to review their own deserialization logic. The vulnerability's critical rating reflects both the technical severity and the potential for widespread exploitation if left unaddressed. Industry experts recommend that all organizations using Keras review their current deployments and apply the necessary updates without delay. The disclosure of CVE-2025-49655 has also led to increased scrutiny of third-party model sharing platforms, which may inadvertently distribute malicious files. This event highlights the importance of maintaining up-to-date software and following best practices for secure machine learning operations.
Mar 21, 2026
Pickle Deserialization Flaws Expose AI and Robotics Services to Code Execution
Critical deserialization flaws were disclosed in multiple AI and robotics components, allowing attackers to execute arbitrary code by sending crafted `pickle` payloads to exposed services. In Hugging Face’s **LeRobot** `0.4.3`, CVE-2026-25874 affects the async inference `PolicyServer`, where the `SendPolicyInstructions` and `SendObservations` gRPC handlers call `pickle.loads()` on attacker-controlled bytes before validation. The service is exposed over an insecure gRPC port with no TLS or authentication, making network-accessible deployments vulnerable to unauthenticated remote code execution; the issue was rated **CVSS 9.8** and no fix was available at disclosure. A separate flaw, CVE-2026-26210, was reported in **ktransformers**’ legacy `balance_serve` backend, where a ZeroMQ `ROUTER` socket bound on all interfaces forwards untrusted messages to worker threads that also invoke `pickle.loads()` without authentication, enabling unauthenticated remote code execution and prompting a fix PR.
Apr 29, 2026