{"data":{"id":"df5fd5d8-3d58-43fe-aece-958a657e849f","title":"CVE-2025-3777: Hugging Face Transformers versions up to 4.49.0 are affected by an improper input validation vulnerability in the `image_utils.py` file","summary":"Hugging Face Transformers versions up to 4.49.0 have a vulnerability in the `image_utils.py` file where URL validation is done with a plain string prefix check (testing whether the URL text starts with a trusted host string) instead of parsing the URL and comparing its host component. Such a check can be bypassed through URL username injection: a URL may carry credentials before the host (`scheme://user@host/...`), so an attacker can place the trusted host name in the userinfo part, e.g. `https://www.youtube.com@<attacker-host>/...`; the string then starts with the expected text while the host the client actually connects to is attacker-controlled. Attackers can thus craft URLs that look like they come from YouTube but resolve to malicious sites, risking phishing attacks, malware delivery, or data theft.","solution":"The issue is fixed in version 4.52.1. Update Hugging Face Transformers to version 4.52.1 or later. Until you can update, avoid passing untrusted URLs to the affected `image_utils.py` URL-handling code; any allowlist logic of your own should validate the parsed host (e.g. `urllib.parse.urlsplit(url).hostname`) rather than a string prefix, since prefix checks are defeated by userinfo injection.","labels":["security"],"sourceUrl":"https://nvd.nist.gov/vuln/detail/CVE-2025-3777","publishedAt":"2025-07-07T14:15:28.297Z","cveId":"CVE-2025-3777","cweIds":["CWE-20"],"cvssScore":null,"cvssSeverity":null,"severity":"high","attackType":["supply_chain"],"issueType":"vulnerability","affectedPackages":null,"affectedVendors":["HuggingFace"],"affectedVendorsRaw":["Hugging Face","Transformers"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0.00016,"patchAvailable":null,"disclosureDate":null,"capecIds":null,"crossRefCount":0,"attackSophistication":"moderate","impactType":["integrity","confidentiality"],"aiComponentTargeted":"framework","llmSpecific":false,"classifierConfidence":0.95,"researchCategory":null,"atlasIds":null}}