CVE-2025-3777
CVE-2025-3777 is a vulnerability of currently unknown severity. Hugging Face Transformers versions up to 4.49.0 are affected by an improper input validation vulnerability in the `image_utils.py` file. The vulnerability arises from insecure URL validation using the `startswith()` method, which can be bypassed through URL username injection. EPSS estimates a 0.33% chance of exploitation in the next 30 days.
Description
Hugging Face Transformers versions up to 4.49.0 are affected by an improper input validation vulnerability in the `image_utils.py` file. The vulnerability arises from insecure URL validation using the `startswith()` method, which can be bypassed through URL username injection. This allows attackers to craft URLs that appear to be from YouTube but resolve to malicious domains, potentially leading to phishing attacks, malware distribution, or data exfiltration. The issue is fixed in version 4.52.1.
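The following is an added illustration of the weakness class the description names, not code from the Transformers project: a prefix check of the `startswith()` kind next to a hostname-based check built on `urllib.parse.urlsplit`. The weak function, the `ALLOWED_HOSTS` set and the sample URLs are constructed for this example and are assumptions; the project's real `image_utils.py` logic is not reproduced here. The point is that a URL's userinfo part can begin with any text, so only the parsed hostname says where the request will actually go.

```python
from urllib.parse import urlsplit

# Assumed allow-list for this example; not the project's own configuration.
ALLOWED_HOSTS = {"www.youtube.com", "youtube.com"}


def weak_is_youtube_url(url: str) -> bool:
    """Illustrative prefix check of the insecure kind the advisory describes.

    A URL whose userinfo component starts with the expected text passes,
    even though the host that is resolved sits after the '@'.
    """
    return url.startswith(("https://www.youtube.com", "https://youtube.com"))


def strict_is_youtube_url(url: str) -> bool:
    """Parse the URL and decide on scheme and resolved hostname only.

    Userinfo has no legitimate use for a video URL, so its presence is a
    reason to reject rather than something to strip and tolerate.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False
    if parts.username is not None or parts.password is not None:
        return False
    if not parts.hostname:
        return False
    # urlsplit() lower-cases the hostname and drops any port for us.
    return parts.hostname in ALLOWED_HOSTS


if __name__ == "__main__":
    # Constructed inputs: a normal video URL and one with userinfo injected.
    samples = [
        "https://www.youtube.com/watch?v=example",
        "https://www.youtube.com@attacker.invalid/watch?v=example",
        "http://www.youtube.com/watch?v=example",
    ]
    for sample in samples:
        print(f"{sample}\n  weak={weak_is_youtube_url(sample)}  "
              f"strict={strict_is_youtube_url(sample)}")
```

A practical detection angle for the same pattern is to log any inbound URL whose `username` component is non-empty; legitimate media links from these hosts never carry one, so such entries are worth an alert regardless of which validator is in place.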
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Huggingface | Transformers | < 4.52.1 |
Source: NVD / NIST
