- Description
- Hugging Face Transformers versions up to 4.49.0 are affected by an improper input validation vulnerability in the `image_utils.py` file. The vulnerability arises from insecure URL validation using the `startswith()` method, which can be bypassed through URL username injection. This allows attackers to craft URLs that appear to be from YouTube but resolve to malicious domains, potentially leading to phishing attacks, malware distribution, or data exfiltration. The issue is fixed in version 4.52.1.
- Source
- security@huntr.dev
- NVD status
- Awaiting Analysis
CVSS 3.0
- Type
- Secondary
- Base score
- 3.5
- Impact score
- 1.4
- Exploitability score
- 2.1
- Vector string
- CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
- Severity
- LOW
- security@huntr.dev
- CWE-20
- Hype score
- Not currently trending
CVE-2025-3777 URL Injection Vulnerability in Hugging Face Transformers Before 4.52.1 https://t.co/vvhDOQAqQy
@VulmonFeeds
7 Jul 2025
11 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-3777 Hugging Face Transformers versions up to 4.49.0 are affected by an improper input validation vulnerability in the `image_utils.py` file. The vulnerability arises from i… https://t.co/kNblv0iAcm
@CVEnew
7 Jul 2025
394 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes