We use cookies to improve your experience on our site.
AVID-2026-R1227
Description
Insecure Temporary File in huggingface/transformers (CVE-2023-2800)
Details
Insecure Temporary File in GitHub repository huggingface/transformers prior to 4.30.0.
Reason for inclusion in AVID: CVE-2023-2800 describes an insecure temporary file vulnerability in the Hugging Face Transformers library (pre-4.30.0). This library is a core software component in many AI pipelines, making it a software supply-chain issue for general-purpose AI systems. The vulnerability is security-related (insecure file handling) and the report provides the CVE, affected artifact, and references.
References
- NVD entry
- https://huntr.dev/bounties/a3867b4e-6701-4418-8c20-3c6e7084a44a
- https://github.com/huggingface/transformers/commit/80ca92470938bbcc348e2d9cf4734c7c25cb1c43
Affected or Relevant Artifacts
- Developer: huggingface
- Deployer: huggingface
- Artifact Details:
| Type | Name |
|---|---|
| System | huggingface/transformers |
Impact
AVID Taxonomy Categorization
- Risk domains: Security
- SEP subcategories: S0100: Software Vulnerability
- Lifecycle stages: L06: Deployment
CVSS
| Version | 3.0 |
| Vector String | CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H |
| Base Score | 4.7 |
| Base Severity | 🟠 Medium |
| Attack Vector | LOCAL |
| Attack Complexity | 🔴 High |
| Privileges Required | 🟢 Low |
| User Interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality Impact | NONE |
| Integrity Impact | NONE |
| Availability Impact | 🔴 High |
CWE
| ID | Description |
|---|---|
| CWE-377 | CWE-377 Insecure Temporary File |
Other information
- Report Type: Advisory
- Credits:
- Date Reported: 2023-05-18
- Version: 0.3.3
- AVID Entry