CVE-2025-3777: Hugging Face Transformers versions up to 4.49.0 are affected by an improper input validation vulnerability in the `image
highvulnerability
security
Summary
Hugging Face Transformers versions up to 4.49.0 have a vulnerability in the `image_utils.py` file where URL validation (checking if a URL starts with certain text) can be tricked through URL username injection (adding fake credentials to a URL). Attackers can create fake URLs that look like they're from YouTube but actually point to malicious sites, risking phishing attacks, malware, or stolen data.
Solution / Mitigation
The issue is fixed in version 4.52.1. Update Hugging Face Transformers to version 4.52.1 or later.
Vulnerability Details
EPSS (30-day exploit probability)
EPSS: 0.0%
Classification
Attack Type
Supply Chain
Attack SophisticationModerate
Impact (CIA+S)
integrityconfidentiality
Taxonomy References
CWE (Weakness Type)
Affected Vendors
HuggingFace
Related Issues
Original source: https://nvd.nist.gov/vuln/detail/CVE-2025-3777
First tracked: February 15, 2026 at 08:46 PM
Classified by LLM (prompt v3) · confidence: 95%