Organizations using vulnerable versions of the Hugging Face Transformers library could unknowingly execute attacker-controlled code simply by loading a malicious AI model. Researchers at Pluto disclosed a remote code execution (RCE) vulnerability that bypasses the library’s built-in trust_remote_code=False security control, potentially exposing cloud credentials, SSH keys, API tokens, and other sensitive assets. “One poisoned field…
Tag: Transformers
AI, Apps, Exploits, Global Security News, malware, Network Security, privacy, Risk Management
Hugging Face Transformers RCE flaw enables stealthy compromise via AI model configs
A high severity vulnerability in Hugging Face Transformers enables attackers to compromise systems that use the popular Python library to test and run AI models. The flaw impacts library versions that continue to be actively downloaded and comes at a time when attackers are increasingly targeting the AI supply chain, including through malicious models hosted…