Command Injection Affecting transformers package, versions [,4.37.0)
Snyk CVSS
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-PYTHON-TRANSFORMERS-6220003
- published 1 Feb 2024
- disclosed 1 Feb 2024
- credit Unknown
How to fix?
Upgrade transformers to version 4.37.0 or higher.
Overview
transformers is a State-of-the-art Machine Learning for JAX, PyTorch and TensorFlow
Affected versions of this package are vulnerable to Command Injection via the subprocess.Popen calls. This could potentially allow for the execution of arbitrary code.
Note: It appears that while this issue is generally not critical for the library's primary use cases, it can become more significant in specific production environments. Particularly in scenarios where the library interacts with user-generated input, such as in web application backends, desktop applications, and cloud-based ML services, the risk of arbitrary code execution increases.