Improper Input Validation in huggingface/transformers

Hugging Face Transformers versions up to 4.49.0 are affected by an improper input validation vulnerability in the `image_utils.py` file. The vulnerability arises from insecure URL validation using the `startswith()` method, which can be bypassed through URL username injection. This allows attackers to craft URLs that appear to be from YouTube but resolve to malicious domains, potentially leading to phishing attacks, malware distribution, or data exfiltration. The issue is fixed in version 4.52.1.

N/A

输入验证不恰当

Hugging Face Transformers 输入验证错误漏洞

Hugging Face Transformers是Hugging Face开源的为 Jax、PyTorch 和 TensorFlow 打造的先进的自然语言处理。 Hugging Face Transformers 4.49.0及之前版本存在输入验证错误漏洞，该漏洞源于image_utils.py中URL验证不足，可能导致钓鱼攻击。

N/A

N/A