transformers@4.42.1 vulnerabilities
State-of-the-art Machine Learning for JAX, PyTorch and TensorFlow
latest version
4.51.3
latest non vulnerable version
first published
8 years ago
latest version published
6 days ago
licenses detected
- [2.0.0,)
Direct Vulnerabilities
Known vulnerabilities in the transformers package. This does not include vulnerabilities belonging to this package’s dependencies.
How to fix?
Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free| Vulnerability | Vulnerable Version |
|---|---|
transformers is a State-of-the-art Machine Learning for JAX, PyTorch and TensorFlow Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via the How to fix Regular Expression Denial of Service (ReDoS)? Upgrade | [,4.48.0) |
transformers is a State-of-the-art Machine Learning for JAX, PyTorch and TensorFlow Affected versions of this package are vulnerable to Deserialization of Untrusted Data through the parsing of model files, due to the lack of proper validation of user-supplied data. This is only exploitable if the target visits a malicious page or opens a malicious MaskFormer model file. Note: The maintainers of this package are not addressing this vulnerability as it is limited to accessory conversion scripts and does not impact core library functions. The need for the attacker to provide a malicious model file which is then converted using the relevant script is considered an unrealistic attack vector. Since mitigation would require the complete removal of these scripts, the issue is not expected to be fixed. Update: Although still included in the source code, the conversion scripts have been removed from the package's distributable wheels as of version 4.48.0. How to fix Deserialization of Untrusted Data? Upgrade | [,4.48.0) |
transformers is a State-of-the-art Machine Learning for JAX, PyTorch and TensorFlow Affected versions of this package are vulnerable to Deserialization of Untrusted Data due to the handling of configuration files. This is only exploitable if the target visits a malicious page or opens a malicious MobileViTV2 config file. Note: The maintainers of this package are not addressing this vulnerability as it is limited to accessory conversion scripts and does not impact core library functions. The need for the attacker to provide a malicious model file which is then converted using the relevant script is considered an unrealistic attack vector. Since mitigation would require the complete removal of these scripts, the issue is not expected to be fixed. Update: Although still included in the source code, the conversion scripts have been removed from the package's distributable wheels as of version 4.48.0. How to fix Deserialization of Untrusted Data? Upgrade | [,4.48.0) |
transformers is a State-of-the-art Machine Learning for JAX, PyTorch and TensorFlow Affected versions of this package are vulnerable to Deserialization of Untrusted Data through the handling of model files, due to the lack of proper validation of user-supplied data. This is only exploitable if the target visits a malicious page or opens a malicious Trax model file. Note: The maintainers of this package are not addressing this vulnerability as it is limited to accessory conversion scripts and does not impact core library functions. The need for the attacker to provide a malicious model file which is then converted using the relevant script is considered an unrealistic attack vector. Since mitigation would require the complete removal of these scripts, the issue is not expected to be fixed. Update: Although still included in the source code, the conversion scripts have been removed from the package's distributable wheels as of version 4.48.0. How to fix Deserialization of Untrusted Data? Upgrade | [,4.48.0) |