CVE-2023-7018 | Mend Vulnerability Database

Vulnerability DatabaseCVE-2023-7018

CVE-2023-7018

Published:December 20, 2023

Updated:May 17, 2026

Deserialization of Untrusted Data in GitHub repository huggingface/transformers prior to 4.36.

Affected Packages

transformers (PYTHON):

Affected version(s) >=0.1 <4.36.0

Fix Suggestion:

Update to version 4.36.0

Related Resources (5)

https://github.com/huggingface/transformers

https://nvd.nist.gov/vuln/detail/CVE-2023-7018

https://huntr.com/bounties/e1a3e548-e53a-48df-b708-9ee62140963c

https://github.com/pypa/advisory-database/tree/main/vulns/transformers/PYSEC-2023-301.yaml

https://github.com/huggingface/transformers/commit/1d63b0ec361e7a38f1339385e8a5a855085532ce

Do you need more information?

CVSS v4

Base Score:

9.4

Attack Vector

NETWORK

Attack Complexity

LOW

Attack Requirements

NONE

Privileges Required

NONE

User Interaction

PASSIVE

Vulnerable System Confidentiality

HIGH

Vulnerable System Integrity

HIGH

Vulnerable System Availability

HIGH

Subsequent System Confidentiality

HIGH

Subsequent System Integrity

HIGH

Subsequent System Availability

HIGH

CVSS v3

Base Score:

9.6

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Weakness Type (CWE)

Deserialization of Untrusted Data

CWE-502

EPSS

Base Score:

0.20