# Vulnerability Key Information

- **Title**: (0Day) Hugging Face Transformers SEW-D convert_config Code Injection Remote Code Execution Vulnerability
- **Vulnerability ID**:
  - ZDI-25-1148
  - ZDI-CAN-28252
- **CVE ID**: CVE-2025-14927
- **CVSS Score**: 7.8, AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- **Affected Vendor**: Hugging Face
- **Affected Product**: Transformers
- **Vulnerability Details**:
  - Allows remote attackers to execute arbitrary code on affected Hugging Face Transformers installations.
  - Exploitation requires user interaction; the target must convert a malicious checkpoint.
  - The issue lies in the `convert_config` function, which executes Python code without properly validating user-supplied strings.
- **Additional Details**:
  - 10/14/25 - ZDI submitted the report to a third-party vulnerability bounty program
  - 11/11/25 - ZDI requested an update
  - 11/12/25 - Vendor rejected the report and closed the case
  - 12/12/25 - ZDI notified the vendor that a 0-day advisory would be published on 12/18/25
- **Disclosure Timeline**:
  - 2025-10-14 - Vulnerability reported to vendor
  - 2025-12-18 - Coordinated public advisory released
  - 2025-12-18 - Advisory updated
- **Acknowledgments**:
  - Peter Girnus (@gothburz), Brandon Niemczyk of Trend Zero Day Initiative
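The defect class described above is a checkpoint config string being handed to the Python interpreter. The following is an added example (not code from the Transformers project or from the advisory) of how a converter can read such a field safely: it assumes the field is a Python-literal string listing `(dim, kernel, stride)` tuples, as speech checkpoints commonly store their conv layer shapes, and the function names are hypothetical. `ast.literal_eval` accepts literals only, and the shape check rejects anything that is not the expected structure.

```python
"""Hardened parser for a checkpoint config field stored as a Python-literal
string. Assumed format: a list of (dim, kernel, stride) int tuples.

Illustrative replacement for parsing such a field with eval(): the attacker
controlling the checkpoint controls the string, so it must never reach code
that can evaluate names, calls or operators."""
import ast
from typing import List, Tuple

ConvLayers = List[Tuple[int, int, int]]


def parse_conv_feature_layers(text: str, max_layers: int = 64) -> ConvLayers:
    """Return the layer list encoded in `text`, or raise ValueError."""
    if not isinstance(text, str) or len(text) > 4096:
        raise ValueError("conv_feature_layers must be a short string")
    try:
        # literal_eval parses literals only: no names, attribute access,
        # calls or arithmetic. Deep nesting can still exhaust the parser,
        # hence the extra exception types.
        value = ast.literal_eval(text)
    except (ValueError, SyntaxError, MemoryError, RecursionError) as exc:
        raise ValueError(f"not a Python literal: {exc}") from None
    if not isinstance(value, list) or not 0 < len(value) <= max_layers:
        raise ValueError("expected a non-empty list of layers")
    layers: ConvLayers = []
    for layer in value:
        # `type(v) is int` also rejects bool, which isinstance would accept.
        if (not isinstance(layer, tuple) or len(layer) != 3
                or not all(type(v) is int and v > 0 for v in layer)):
            raise ValueError(f"bad conv layer spec: {layer!r}")
        layers.append((layer[0], layer[1], layer[2]))
    return layers


def is_rejected(text: str) -> bool:
    """True if the parser refuses `text` (used to demonstrate the checks)."""
    try:
        parse_conv_feature_layers(text)
    except ValueError:
        return True
    return False


# Constructed sample inputs, not taken from any real checkpoint.
BENIGN = "[(512, 10, 5), (512, 3, 2), (512, 3, 2)]"
EXPRESSION = "[(512, 10, 5)] * 3"      # eval() would accept; literal_eval rejects
CALL = "list(range(3))"                # a call: literal_eval rejects
BAD_SHAPE = "[(512, 10, 5), (512, 3)]"  # a literal, but wrong structure
```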