Skip to content

transformers-4.51.3-py3-none-any.whl: 22 vulnerabilities (highest severity is: 8.6) #8

New issue
New issue
Open
Open
transformers-4.51.3-py3-none-any.whl: 22 vulnerabilities (highest severity is: 8.6)#8
Labels
Mend: dependency security vulnerabilitySecurity vulnerability detected by Mend
@mend-for-github.amrom.workers.dev

Description

@mend-for-github.amrom.workers.dev
mend-for-github.amrom.workers.dev
bot
opened on Jun 4, 2025
Vulnerable Library - transformers-4.51.3-py3-none-any.whl

State-of-the-art Machine Learning for JAX, PyTorch and TensorFlow

Library home page: https://files.pythonhosted.org/packages/a9/b6/5257d04ae327b44db31f15cce39e6020cc986333c715660b1315a9724d82/transformers-4.51.3-py3-none-any.whl

Path to dependency file: /codegen25/requirements.txt

Path to vulnerable library: /tmp/ws-ua_20250506215158_UISJUQ/python_NYUUEN/202505062157231/env/lib/python3.9/site-packages/transformers-4.51.3.dist-info

Vulnerabilities

Vulnerability Severity CVSS Exploit Maturity EPSS Dependency Type Fixed in (transformers version) Remediation Possible** Reachability
CVE-2026-21441 High 8.6 Not Defined 0.0% urllib3-2.4.0-py3-none-any.whl Transitive 4.52.1
CVE-2025-66471 High 8.6 Not Defined 0.0% urllib3-2.4.0-py3-none-any.whl Transitive N/A*
CVE-2025-66418 High 8.6 Not Defined 0.0% urllib3-2.4.0-py3-none-any.whl Transitive N/A*
CVE-2025-14930 High 7.8 Not Defined 0.2% transformers-4.51.3-py3-none-any.whl Direct N/A
CVE-2025-14929 High 7.8 Not Defined 0.2% transformers-4.51.3-py3-none-any.whl Direct N/A
CVE-2025-14928 High 7.8 Not Defined 0.1% transformers-4.51.3-py3-none-any.whl Direct N/A
CVE-2025-14927 High 7.8 Not Defined 0.1% transformers-4.51.3-py3-none-any.whl Direct N/A
CVE-2025-14926 High 7.8 Not Defined 0.1% transformers-4.51.3-py3-none-any.whl Direct N/A
CVE-2025-14924 High 7.8 Not Defined 0.2% transformers-4.51.3-py3-none-any.whl Direct N/A
CVE-2025-14921 High 7.8 Not Defined 0.2% transformers-4.51.3-py3-none-any.whl Direct N/A
CVE-2025-14920 High 7.8 Not Defined 0.2% transformers-4.51.3-py3-none-any.whl Direct N/A
CVE-2025-6638 High 7.5 Not Defined 0.1% transformers-4.51.3-py3-none-any.whl Direct 4.53.0
CVE-2025-68146 Medium 6.3 Not Defined 0.0% filelock-3.18.0-py3-none-any.whl Transitive N/A*
CVE-2026-22701 Medium 5.3 Not Defined filelock-3.18.0-py3-none-any.whl Transitive N/A*
CVE-2025-6921 Medium 5.3 Not Defined 0.1% transformers-4.51.3-py3-none-any.whl Direct 4.53.0
CVE-2025-6051 Medium 5.3 Not Defined 0.1% transformers-4.51.3-py3-none-any.whl Direct 4.53.0
CVE-2025-5197 Medium 5.3 Not Defined 0.1% transformers-4.51.3-py3-none-any.whl Direct 4.53.0
CVE-2025-50182 Medium 5.3 Not Defined 0.0% urllib3-2.4.0-py3-none-any.whl Transitive N/A*
CVE-2025-50181 Medium 5.3 Not Defined 0.0% urllib3-2.4.0-py3-none-any.whl Transitive 4.52.1
CVE-2025-3933 Medium 5.3 Not Defined 0.1% transformers-4.51.3-py3-none-any.whl Direct 4.52.1
CVE-2024-47081 Medium 5.3 Not Defined 0.1% requests-2.32.3-py3-none-any.whl Transitive 4.52.1
CVE-2025-3777 Low 3.5 Not Defined 0.1% transformers-4.51.3-py3-none-any.whl Direct 4.52.1

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

Partial details (21 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.

CVE-2026-21441

Vulnerable Library - urllib3-2.4.0-py3-none-any.whl

HTTP library with thread-safe connection pooling, file post, and more.

Library home page: https://files.pythonhosted.org/packages/6b/11/cc635220681e93a0183390e26485430ca2c7b5f9d33b15c74c2861cb8091/urllib3-2.4.0-py3-none-any.whl

Path to dependency file: /codegen1/requirements.txt

Path to vulnerable library: /tmp/ws-ua_20250506215158_UISJUQ/python_NYUUEN/202505062152011/env/lib/python3.9/site-packages/urllib3-2.4.0.dist-info,/tmp/ws-ua_20250506215158_UISJUQ/python_NYUUEN/202505062156481/env/lib/python3.9/site-packages/urllib3-2.4.0.dist-info,/tmp/ws-ua_20250506215158_UISJUQ/python_NYUUEN/202505062157231/env/lib/python3.9/site-packages/urllib3-2.4.0.dist-info

Dependency Hierarchy:

  • transformers-4.51.3-py3-none-any.whl (Root Library)
    • requests-2.32.3-py3-none-any.whl
      • urllib3-2.4.0-py3-none-any.whl (Vulnerable Library)

Found in base branch: main

Vulnerability Details

urllib3 is an HTTP client library for Python. urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the content in chunks, rather than loading the entire response body into memory at once. urllib3 can perform decoding or decompression based on the HTTP "Content-Encoding" header (e.g., "gzip", "deflate", "br", or "zstd"). When using the streaming API, the library decompresses only the necessary bytes, enabling partial content consumption. Starting in version 1.22 and prior to version 2.6.3, for HTTP redirect responses, the library would read the entire response body to drain the connection and decompress the content unnecessarily. This decompression occurred even before any read methods were called, and configured read limits did not restrict the amount of decompressed data. As a result, there was no safeguard against decompression bombs. A malicious server could exploit this to trigger excessive resource consumption on the client. Applications and libraries are affected when they stream content from untrusted sources by setting "preload_content=False" when they do not disable redirects. Users should upgrade to at least urllib3 v2.6.3, in which the library does not decode content of redirect responses when "preload_content=False". If upgrading is not immediately possible, disable redirects by setting "redirect=False" for requests to untrusted source.

Publish Date: 2026-01-07

URL: CVE-2026-21441

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.0%

CVSS 3 Score Details (8.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-38jv-5279-wg99

Release Date: 2026-01-07

Fix Resolution (urllib3): 2.6.3

Direct dependency fix Resolution (transformers): 4.52.1

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2025-66471

Vulnerable Library - urllib3-2.4.0-py3-none-any.whl

HTTP library with thread-safe connection pooling, file post, and more.

Library home page: https://files.pythonhosted.org/packages/6b/11/cc635220681e93a0183390e26485430ca2c7b5f9d33b15c74c2861cb8091/urllib3-2.4.0-py3-none-any.whl

Path to dependency file: /codegen1/requirements.txt

Path to vulnerable library: /tmp/ws-ua_20250506215158_UISJUQ/python_NYUUEN/202505062152011/env/lib/python3.9/site-packages/urllib3-2.4.0.dist-info,/tmp/ws-ua_20250506215158_UISJUQ/python_NYUUEN/202505062156481/env/lib/python3.9/site-packages/urllib3-2.4.0.dist-info,/tmp/ws-ua_20250506215158_UISJUQ/python_NYUUEN/202505062157231/env/lib/python3.9/site-packages/urllib3-2.4.0.dist-info

Dependency Hierarchy:

  • transformers-4.51.3-py3-none-any.whl (Root Library)
    • requests-2.32.3-py3-none-any.whl
      • urllib3-2.4.0-py3-none-any.whl (Vulnerable Library)

Found in base branch: main

Vulnerability Details

urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.0 and prior to 2.6.0, the Streaming API improperly handles highly compressed data. urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the content in chunks, rather than loading the entire response body into memory at once. When streaming a compressed response, urllib3 can perform decoding or decompression based on the HTTP Content-Encoding header (e.g., gzip, deflate, br, or zstd). The library must read compressed data from the network and decompress it until the requested chunk size is met. Any resulting decompressed data that exceeds the requested amount is held in an internal buffer for the next read operation. The decompression logic could cause urllib3 to fully decode a small amount of highly compressed data in a single operation. This can result in excessive resource consumption (high CPU usage and massive memory allocation for the decompressed data.

Publish Date: 2025-12-05

URL: CVE-2025-66471

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.0%

CVSS 3 Score Details (8.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-2xpw-w6gg-jr37

Release Date: 2025-12-05

Fix Resolution: urllib3 - 2.6.0,https://github.com/urllib3/urllib3.git - 2.6.0

CVE-2025-66418

Vulnerable Library - urllib3-2.4.0-py3-none-any.whl

HTTP library with thread-safe connection pooling, file post, and more.

Library home page: https://files.pythonhosted.org/packages/6b/11/cc635220681e93a0183390e26485430ca2c7b5f9d33b15c74c2861cb8091/urllib3-2.4.0-py3-none-any.whl

Path to dependency file: /codegen1/requirements.txt

Path to vulnerable library: /tmp/ws-ua_20250506215158_UISJUQ/python_NYUUEN/202505062152011/env/lib/python3.9/site-packages/urllib3-2.4.0.dist-info,/tmp/ws-ua_20250506215158_UISJUQ/python_NYUUEN/202505062156481/env/lib/python3.9/site-packages/urllib3-2.4.0.dist-info,/tmp/ws-ua_20250506215158_UISJUQ/python_NYUUEN/202505062157231/env/lib/python3.9/site-packages/urllib3-2.4.0.dist-info

Dependency Hierarchy:

  • transformers-4.51.3-py3-none-any.whl (Root Library)
    • requests-2.32.3-py3-none-any.whl
      • urllib3-2.4.0-py3-none-any.whl (Vulnerable Library)

Found in base branch: main

Vulnerability Details

urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.24 and prior to 2.6.0, the number of links in the decompression chain was unbounded allowing a malicious server to insert a virtually unlimited number of compression steps leading to high CPU usage and massive memory allocation for the decompressed data. This vulnerability is fixed in 2.6.0.

Publish Date: 2025-12-05

URL: CVE-2025-66418

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.0%

CVSS 3 Score Details (8.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2025-12-05

Fix Resolution: https://github.com/urllib3/urllib3.git - 2.6.0,urllib3 - 2.6.0

CVE-2025-14930

Vulnerable Library - transformers-4.51.3-py3-none-any.whl

State-of-the-art Machine Learning for JAX, PyTorch and TensorFlow

Library home page: https://files.pythonhosted.org/packages/a9/b6/5257d04ae327b44db31f15cce39e6020cc986333c715660b1315a9724d82/transformers-4.51.3-py3-none-any.whl

Path to dependency file: /codegen25/requirements.txt

Path to vulnerable library: /tmp/ws-ua_20250506215158_UISJUQ/python_NYUUEN/202505062157231/env/lib/python3.9/site-packages/transformers-4.51.3.dist-info

Dependency Hierarchy:

  • transformers-4.51.3-py3-none-any.whl (Vulnerable Library)

Found in base branch: main

Vulnerability Details

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the parsing of weights. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current process.

Publish Date: 2025-12-23

URL: CVE-2025-14930

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.2%

CVSS 3 Score Details (7.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

CVE-2025-14929

Vulnerable Library - transformers-4.51.3-py3-none-any.whl

State-of-the-art Machine Learning for JAX, PyTorch and TensorFlow

Library home page: https://files.pythonhosted.org/packages/a9/b6/5257d04ae327b44db31f15cce39e6020cc986333c715660b1315a9724d82/transformers-4.51.3-py3-none-any.whl

Path to dependency file: /codegen25/requirements.txt

Path to vulnerable library: /tmp/ws-ua_20250506215158_UISJUQ/python_NYUUEN/202505062157231/env/lib/python3.9/site-packages/transformers-4.51.3.dist-info

Dependency Hierarchy:

  • transformers-4.51.3-py3-none-any.whl (Vulnerable Library)

Found in base branch: main

Vulnerability Details

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the parsing of checkpoints. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current process.

Publish Date: 2025-12-23

URL: CVE-2025-14929

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.2%

CVSS 3 Score Details (7.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

CVE-2025-14928

Vulnerable Library - transformers-4.51.3-py3-none-any.whl

State-of-the-art Machine Learning for JAX, PyTorch and TensorFlow

Library home page: https://files.pythonhosted.org/packages/a9/b6/5257d04ae327b44db31f15cce39e6020cc986333c715660b1315a9724d82/transformers-4.51.3-py3-none-any.whl

Path to dependency file: /codegen25/requirements.txt

Path to vulnerable library: /tmp/ws-ua_20250506215158_UISJUQ/python_NYUUEN/202505062157231/env/lib/python3.9/site-packages/transformers-4.51.3.dist-info

Dependency Hierarchy:

  • transformers-4.51.3-py3-none-any.whl (Vulnerable Library)

Found in base branch: main

Vulnerability Details

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the target must convert a malicious checkpoint.

The specific flaw exists within the convert_config function. The issue results from the lack of proper validation of a user-supplied string before using it to execute Python code. An attacker can leverage this vulnerability to execute code in the context of the current user.

Publish Date: 2025-12-23

URL: CVE-2025-14928

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.1%

CVSS 3 Score Details (7.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

CVE-2025-14927

Vulnerable Library - transformers-4.51.3-py3-none-any.whl

State-of-the-art Machine Learning for JAX, PyTorch and TensorFlow

Library home page: https://files.pythonhosted.org/packages/a9/b6/5257d04ae327b44db31f15cce39e6020cc986333c715660b1315a9724d82/transformers-4.51.3-py3-none-any.whl

Path to dependency file: /codegen25/requirements.txt

Path to vulnerable library: /tmp/ws-ua_20250506215158_UISJUQ/python_NYUUEN/202505062157231/env/lib/python3.9/site-packages/transformers-4.51.3.dist-info

Dependency Hierarchy:

  • transformers-4.51.3-py3-none-any.whl (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Hugging Face Transformers SEW-D convert_config Code Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the target must convert a malicious checkpoint.
The specific flaw exists within the convert_config function. The issue results from the lack of proper validation of a user-supplied string before using it to execute Python code. An attacker can leverage this vulnerability to execute code in the context of the current user.
. Was ZDI-CAN-28252.

Publish Date: 2025-12-23

URL: CVE-2025-14927

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.1%

CVSS 3 Score Details (7.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

CVE-2025-14926

Vulnerable Library - transformers-4.51.3-py3-none-any.whl

State-of-the-art Machine Learning for JAX, PyTorch and TensorFlow

Library home page: https://files.pythonhosted.org/packages/a9/b6/5257d04ae327b44db31f15cce39e6020cc986333c715660b1315a9724d82/transformers-4.51.3-py3-none-any.whl

Path to dependency file: /codegen25/requirements.txt

Path to vulnerable library: /tmp/ws-ua_20250506215158_UISJUQ/python_NYUUEN/202505062157231/env/lib/python3.9/site-packages/transformers-4.51.3.dist-info

Dependency Hierarchy:

  • transformers-4.51.3-py3-none-any.whl (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Hugging Face Transformers SEW convert_config Code Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the target must convert a malicious checkpoint.
The specific flaw exists within the convert_config function. The issue results from the lack of proper validation of a user-supplied string before using it to execute Python code. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-28251.

Publish Date: 2025-12-23

URL: CVE-2025-14926

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.1%

CVSS 3 Score Details (7.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

CVE-2025-14924

Vulnerable Library - transformers-4.51.3-py3-none-any.whl

State-of-the-art Machine Learning for JAX, PyTorch and TensorFlow

Library home page: https://files.pythonhosted.org/packages/a9/b6/5257d04ae327b44db31f15cce39e6020cc986333c715660b1315a9724d82/transformers-4.51.3-py3-none-any.whl

Path to dependency file: /codegen25/requirements.txt

Path to vulnerable library: /tmp/ws-ua_20250506215158_UISJUQ/python_NYUUEN/202505062157231/env/lib/python3.9/site-packages/transformers-4.51.3.dist-info

Dependency Hierarchy:

  • transformers-4.51.3-py3-none-any.whl (Vulnerable Library)

Found in base branch: main

Vulnerability Details

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the parsing of checkpoints. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current process.

Publish Date: 2025-12-23

URL: CVE-2025-14924

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.2%

CVSS 3 Score Details (7.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

CVE-2025-14921

Vulnerable Library - transformers-4.51.3-py3-none-any.whl

State-of-the-art Machine Learning for JAX, PyTorch and TensorFlow

Library home page: https://files.pythonhosted.org/packages/a9/b6/5257d04ae327b44db31f15cce39e6020cc986333c715660b1315a9724d82/transformers-4.51.3-py3-none-any.whl

Path to dependency file: /codegen25/requirements.txt

Path to vulnerable library: /tmp/ws-ua_20250506215158_UISJUQ/python_NYUUEN/202505062157231/env/lib/python3.9/site-packages/transformers-4.51.3.dist-info

Dependency Hierarchy:

  • transformers-4.51.3-py3-none-any.whl (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Hugging Face Transformers Transformer-XL Model Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
The specific flaw exists within the parsing of model files. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-25424.

Publish Date: 2025-12-23

URL: CVE-2025-14921

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.2%

CVSS 3 Score Details (7.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

CVE-2025-14920

Vulnerable Library - transformers-4.51.3-py3-none-any.whl

State-of-the-art Machine Learning for JAX, PyTorch and TensorFlow

Library home page: https://files.pythonhosted.org/packages/a9/b6/5257d04ae327b44db31f15cce39e6020cc986333c715660b1315a9724d82/transformers-4.51.3-py3-none-any.whl

Path to dependency file: /codegen25/requirements.txt

Path to vulnerable library: /tmp/ws-ua_20250506215158_UISJUQ/python_NYUUEN/202505062157231/env/lib/python3.9/site-packages/transformers-4.51.3.dist-info

Dependency Hierarchy:

  • transformers-4.51.3-py3-none-any.whl (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Hugging Face Transformers Perceiver Model Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
The specific flaw exists within the parsing of model files. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-25423.

Publish Date: 2025-12-23

URL: CVE-2025-14920

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.2%

CVSS 3 Score Details (7.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

CVE-2025-6638

Vulnerable Library - transformers-4.51.3-py3-none-any.whl

State-of-the-art Machine Learning for JAX, PyTorch and TensorFlow

Library home page: https://files.pythonhosted.org/packages/a9/b6/5257d04ae327b44db31f15cce39e6020cc986333c715660b1315a9724d82/transformers-4.51.3-py3-none-any.whl

Path to dependency file: /codegen25/requirements.txt

Path to vulnerable library: /tmp/ws-ua_20250506215158_UISJUQ/python_NYUUEN/202505062157231/env/lib/python3.9/site-packages/transformers-4.51.3.dist-info

Dependency Hierarchy:

  • transformers-4.51.3-py3-none-any.whl (Vulnerable Library)

Found in base branch: main

Vulnerability Details

A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically affecting the MarianTokenizer's "remove_language_code()" method. This vulnerability is present in version 4.52.4 and has been fixed in version 4.53.0. The issue arises from inefficient regex processing, which can be exploited by crafted input strings containing malformed language code patterns, leading to excessive CPU consumption and potential denial of service.

Publish Date: 2025-09-12

URL: CVE-2025-6638

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.1%

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://huntr.com/bounties/6a6c933f-9ce8-4ded-8b3b-2c1444c61f36

Release Date: 2025-09-12

Fix Resolution: 4.53.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2025-68146

Vulnerable Library - filelock-3.18.0-py3-none-any.whl

A platform independent file lock.

Library home page: https://files.pythonhosted.org/packages/4d/36/2a115987e2d8c300a974597416d9de88f2444426de9571f4b59b2cca3acc/filelock-3.18.0-py3-none-any.whl

Path to dependency file: /codegen1/requirements.txt

Path to vulnerable library: /tmp/ws-ua_20250506215158_UISJUQ/python_NYUUEN/202505062152011/env/lib/python3.9/site-packages/filelock-3.18.0.dist-info,/tmp/ws-ua_20250506215158_UISJUQ/python_NYUUEN/202505062157231/env/lib/python3.9/site-packages/filelock-3.18.0.dist-info,/tmp/ws-ua_20250506215158_UISJUQ/python_NYUUEN/202505062156481/env/lib/python3.9/site-packages/filelock-3.18.0.dist-info

Dependency Hierarchy:

  • transformers-4.51.3-py3-none-any.whl (Root Library)
    • filelock-3.18.0-py3-none-any.whl (Vulnerable Library)

Found in base branch: main

Vulnerability Details

filelock is a platform-independent file lock for Python. In versions prior to 3.20.1, a Time-of-Check-Time-of-Use (TOCTOU) race condition allows local attackers to corrupt or truncate arbitrary user files through symlink attacks. The vulnerability exists in both Unix and Windows lock file creation where filelock checks if a file exists before opening it with O_TRUNC. An attacker can create a symlink pointing to a victim file in the time gap between the check and open, causing os.open() to follow the symlink and truncate the target file. All users of filelock on Unix, Linux, macOS, and Windows systems are impacted. The vulnerability cascades to dependent libraries. The attack requires local filesystem access and ability to create symlinks (standard user permissions on Unix; Developer Mode on Windows 10+). Exploitation succeeds within 1-3 attempts when lock file paths are predictable. The issue is fixed in version 3.20.1. If immediate upgrade is not possible, use SoftFileLock instead of UnixFileLock/WindowsFileLock (note: different locking semantics, may not be suitable for all use cases); ensure lock file directories have restrictive permissions (chmod 0700) to prevent untrusted users from creating symlinks; and/or monitor lock file directories for suspicious symlinks before running trusted applications. These workarounds provide only partial mitigation. The race condition remains exploitable. Upgrading to version 3.20.1 is strongly recommended.

Publish Date: 2025-12-16

URL: CVE-2025-68146

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.0%

CVSS 3 Score Details (6.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2025-12-16

Fix Resolution: filelock - 3.20.1

CVE-2026-22701

Vulnerable Library - filelock-3.18.0-py3-none-any.whl

A platform independent file lock.

Library home page: https://files.pythonhosted.org/packages/4d/36/2a115987e2d8c300a974597416d9de88f2444426de9571f4b59b2cca3acc/filelock-3.18.0-py3-none-any.whl

Path to dependency file: /codegen1/requirements.txt

Path to vulnerable library: /tmp/ws-ua_20250506215158_UISJUQ/python_NYUUEN/202505062152011/env/lib/python3.9/site-packages/filelock-3.18.0.dist-info,/tmp/ws-ua_20250506215158_UISJUQ/python_NYUUEN/202505062157231/env/lib/python3.9/site-packages/filelock-3.18.0.dist-info,/tmp/ws-ua_20250506215158_UISJUQ/python_NYUUEN/202505062156481/env/lib/python3.9/site-packages/filelock-3.18.0.dist-info

Dependency Hierarchy:

  • transformers-4.51.3-py3-none-any.whl (Root Library)
    • filelock-3.18.0-py3-none-any.whl (Vulnerable Library)

Found in base branch: main

Vulnerability Details

filelock is a platform-independent file lock for Python. Prior to version 3.20.3, a TOCTOU race condition vulnerability exists in the SoftFileLock implementation of the filelock package. An attacker with local filesystem access and permission to create symlinks can exploit a race condition between the permission validation and file creation to cause lock operations to fail or behave unexpectedly. The vulnerability occurs in the _acquire() method between raise_on_not_writable_file() (permission check) and os.open() (file creation). During this race window, an attacker can create a symlink at the lock file path, potentially causing the lock to operate on an unintended target file or leading to denial of service. This issue has been patched in version 3.20.3.

Publish Date: 2026-01-10

URL: CVE-2026-22701

Threat Assessment

Exploit Maturity: Not Defined

EPSS:

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2026-01-10

Fix Resolution: filelock - 3.20.3,filelock - 3.20.3,https://github.com/tox-dev/filelock.git - 3.20.3

CVE-2025-6921

Vulnerable Library - transformers-4.51.3-py3-none-any.whl

State-of-the-art Machine Learning for JAX, PyTorch and TensorFlow

Library home page: https://files.pythonhosted.org/packages/a9/b6/5257d04ae327b44db31f15cce39e6020cc986333c715660b1315a9724d82/transformers-4.51.3-py3-none-any.whl

Path to dependency file: /codegen25/requirements.txt

Path to vulnerable library: /tmp/ws-ua_20250506215158_UISJUQ/python_NYUUEN/202505062157231/env/lib/python3.9/site-packages/transformers-4.51.3.dist-info

Dependency Hierarchy:

  • transformers-4.51.3-py3-none-any.whl (Vulnerable Library)

Found in base branch: main

Vulnerability Details

The huggingface/transformers library, versions prior to 4.53.0, is vulnerable to Regular Expression Denial of Service (ReDoS) in the AdamWeightDecay optimizer. The vulnerability arises from the _do_use_weight_decay method, which processes user-controlled regular expressions in the include_in_weight_decay and exclude_from_weight_decay lists. Malicious regular expressions can cause catastrophic backtracking during the re.search call, leading to 100% CPU utilization and a denial of service. This issue can be exploited by attackers who can control the patterns in these lists, potentially causing the machine learning task to hang and rendering services unresponsive.

Publish Date: 2025-09-23

URL: CVE-2025-6921

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.1%

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-4w7r-h757-3r74

Release Date: 2025-09-23

Fix Resolution: 4.53.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2025-6051

Vulnerable Library - transformers-4.51.3-py3-none-any.whl

State-of-the-art Machine Learning for JAX, PyTorch and TensorFlow

Library home page: https://files.pythonhosted.org/packages/a9/b6/5257d04ae327b44db31f15cce39e6020cc986333c715660b1315a9724d82/transformers-4.51.3-py3-none-any.whl

Path to dependency file: /codegen25/requirements.txt

Path to vulnerable library: /tmp/ws-ua_20250506215158_UISJUQ/python_NYUUEN/202505062157231/env/lib/python3.9/site-packages/transformers-4.51.3.dist-info

Dependency Hierarchy:

  • transformers-4.51.3-py3-none-any.whl (Vulnerable Library)

Found in base branch: main

Vulnerability Details

A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically within the "normalize_numbers()" method of the "EnglishNormalizer" class. This vulnerability affects versions up to 4.52.4 and is fixed in version 4.53.0. The issue arises from the method's handling of numeric strings, which can be exploited using crafted input strings containing long sequences of digits, leading to excessive CPU consumption. This vulnerability impacts text-to-speech and number normalization tasks, potentially causing service disruption, resource exhaustion, and API vulnerabilities.

Publish Date: 2025-09-14

URL: CVE-2025-6051

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.1%

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2025-09-14

Fix Resolution: 4.53.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2025-5197

Vulnerable Library - transformers-4.51.3-py3-none-any.whl

State-of-the-art Machine Learning for JAX, PyTorch and TensorFlow

Library home page: https://files.pythonhosted.org/packages/a9/b6/5257d04ae327b44db31f15cce39e6020cc986333c715660b1315a9724d82/transformers-4.51.3-py3-none-any.whl

Path to dependency file: /codegen25/requirements.txt

Path to vulnerable library: /tmp/ws-ua_20250506215158_UISJUQ/python_NYUUEN/202505062157231/env/lib/python3.9/site-packages/transformers-4.51.3.dist-info

Dependency Hierarchy:

  • transformers-4.51.3-py3-none-any.whl (Vulnerable Library)

Found in base branch: main

Vulnerability Details

A Regular Expression Denial of Service (ReDoS) vulnerability exists in the Hugging Face Transformers library, specifically in the "convert_tf_weight_name_to_pt_weight_name()" function. This function, responsible for converting TensorFlow weight names to PyTorch format, uses a regex pattern "/[^/]___([^/])/" that can be exploited to cause excessive CPU consumption through crafted input strings due to catastrophic backtracking. The vulnerability affects versions up to 4.51.3 and is fixed in version 4.53.0. This issue can lead to service disruption, resource exhaustion, and potential API service vulnerabilities, impacting model conversion processes between TensorFlow and PyTorch formats.

Publish Date: 2025-08-06

URL: CVE-2025-5197

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.1%

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-9356-575x-2w9m

Release Date: 2025-08-06

Fix Resolution: 4.53.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2025-50182

Vulnerable Library - urllib3-2.4.0-py3-none-any.whl

HTTP library with thread-safe connection pooling, file post, and more.

Library home page: https://files.pythonhosted.org/packages/6b/11/cc635220681e93a0183390e26485430ca2c7b5f9d33b15c74c2861cb8091/urllib3-2.4.0-py3-none-any.whl

Path to dependency file: /codegen1/requirements.txt

Path to vulnerable library: /tmp/ws-ua_20250506215158_UISJUQ/python_NYUUEN/202505062152011/env/lib/python3.9/site-packages/urllib3-2.4.0.dist-info,/tmp/ws-ua_20250506215158_UISJUQ/python_NYUUEN/202505062156481/env/lib/python3.9/site-packages/urllib3-2.4.0.dist-info,/tmp/ws-ua_20250506215158_UISJUQ/python_NYUUEN/202505062157231/env/lib/python3.9/site-packages/urllib3-2.4.0.dist-info

Dependency Hierarchy:

  • transformers-4.51.3-py3-none-any.whl (Root Library)
    • requests-2.32.3-py3-none-any.whl
      • urllib3-2.4.0-py3-none-any.whl (Vulnerable Library)

Found in base branch: main

Vulnerability Details

urllib3 is a user-friendly HTTP client library for Python. Prior to 2.5.0, urllib3 does not control redirects in browsers and Node.js. urllib3 supports being used in a Pyodide runtime utilizing the JavaScript Fetch API or falling back on XMLHttpRequest. This means Python libraries can be used to make HTTP requests from a browser or Node.js. Additionally, urllib3 provides a mechanism to control redirects, but the retries and redirect parameters are ignored with Pyodide; the runtime itself determines redirect behavior. This issue has been patched in version 2.5.0.
Mend Note: The description of this vulnerability differs from MITRE.

Publish Date: 2025-06-19

URL: CVE-2025-50182

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.0%

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2025-06-19

Fix Resolution: urllib3 - 2.5.0,https://github.com/urllib3/urllib3.git - 2.5.0

CVE-2025-50181

Vulnerable Library - urllib3-2.4.0-py3-none-any.whl

HTTP library with thread-safe connection pooling, file post, and more.

Library home page: https://files.pythonhosted.org/packages/6b/11/cc635220681e93a0183390e26485430ca2c7b5f9d33b15c74c2861cb8091/urllib3-2.4.0-py3-none-any.whl

Path to dependency file: /codegen1/requirements.txt

Path to vulnerable library: /tmp/ws-ua_20250506215158_UISJUQ/python_NYUUEN/202505062152011/env/lib/python3.9/site-packages/urllib3-2.4.0.dist-info,/tmp/ws-ua_20250506215158_UISJUQ/python_NYUUEN/202505062156481/env/lib/python3.9/site-packages/urllib3-2.4.0.dist-info,/tmp/ws-ua_20250506215158_UISJUQ/python_NYUUEN/202505062157231/env/lib/python3.9/site-packages/urllib3-2.4.0.dist-info

Dependency Hierarchy:

  • transformers-4.51.3-py3-none-any.whl (Root Library)
    • requests-2.32.3-py3-none-any.whl
      • urllib3-2.4.0-py3-none-any.whl (Vulnerable Library)

Found in base branch: main

Vulnerability Details

urllib3 is a user-friendly HTTP client library for Python. Prior to 2.5.0, it is possible to disable redirects for all requests by instantiating a PoolManager and specifying retries in a way that disable redirects. By default, requests and botocore users are not affected. An application attempting to mitigate SSRF or open redirect vulnerabilities by disabling redirects at the PoolManager level will remain vulnerable. This issue has been patched in version 2.5.0.

Publish Date: 2025-06-19

URL: CVE-2025-50181

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.0%

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2025-06-19

Fix Resolution (urllib3): 2.5.0

Direct dependency fix Resolution (transformers): 4.52.1

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2025-3933

Vulnerable Library - transformers-4.51.3-py3-none-any.whl

State-of-the-art Machine Learning for JAX, PyTorch and TensorFlow

Library home page: https://files.pythonhosted.org/packages/a9/b6/5257d04ae327b44db31f15cce39e6020cc986333c715660b1315a9724d82/transformers-4.51.3-py3-none-any.whl

Path to dependency file: /codegen25/requirements.txt

Path to vulnerable library: /tmp/ws-ua_20250506215158_UISJUQ/python_NYUUEN/202505062157231/env/lib/python3.9/site-packages/transformers-4.51.3.dist-info

Dependency Hierarchy:

  • transformers-4.51.3-py3-none-any.whl (Vulnerable Library)

Found in base branch: main

Vulnerability Details

A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically within the DonutProcessor class's "token2json()" method. This vulnerability affects versions 4.50.3 and earlier, and is fixed in version 4.52.1. The issue arises from the regex pattern "<s_(.*?)>" which can be exploited to cause excessive CPU consumption through crafted input strings due to catastrophic backtracking. This vulnerability can lead to service disruption, resource exhaustion, and potential API service vulnerabilities, impacting document processing tasks using the Donut model.
Mend Note: The description of this vulnerability differs from MITRE.

Publish Date: 2025-07-11

URL: CVE-2025-3933

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.1%

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2025-07-11

Fix Resolution: 4.52.1

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2024-47081

Vulnerable Library - requests-2.32.3-py3-none-any.whl

Python HTTP for Humans.

Library home page: https://files.pythonhosted.org/packages/f9/9b/335f9764261e915ed497fcdeb11df5dfd6f7bf257d4a6a2a686d80da4d54/requests-2.32.3-py3-none-any.whl

Path to dependency file: /codegen2/requirements.txt

Path to vulnerable library: /tmp/ws-ua_20250506215158_UISJUQ/python_NYUUEN/202505062156481/env/lib/python3.9/site-packages/requests-2.32.3.dist-info,/tmp/ws-ua_20250506215158_UISJUQ/python_NYUUEN/202505062152011/env/lib/python3.9/site-packages/requests-2.32.3.dist-info,/tmp/ws-ua_20250506215158_UISJUQ/python_NYUUEN/202505062157231/env/lib/python3.9/site-packages/requests-2.32.3.dist-info

Dependency Hierarchy:

  • transformers-4.51.3-py3-none-any.whl (Root Library)
    • requests-2.32.3-py3-none-any.whl (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Requests is a HTTP library. Due to a URL parsing issue, Requests releases prior to 2.32.4 may leak .netrc credentials to third parties for specific maliciously-crafted URLs. Users should upgrade to version 2.32.4 to receive a fix. For older versions of Requests, use of the .netrc file can be disabled with "trust_env=False" on one's Requests Session.
Mend Note: The description of this vulnerability differs from MITRE.

Publish Date: 2025-06-09

URL: CVE-2024-47081

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.1%

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-9hjg-9r4m-mvj7

Release Date: 2025-06-09

Fix Resolution (requests): 2.32.4

Direct dependency fix Resolution (transformers): 4.52.1

⛑️ Automatic Remediation will be attempted for this issue.

⛑️Automatic Remediation will be attempted for this issue.

Metadata

Metadata

Assignees

No one assigned

    Labels

    Mend: dependency security vulnerabilitySecurity vulnerability detected by Mend

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions