
“The malicious field uses an underscore-prefixed name that looks like an internal implementation detail — the kind of field that config files are full of,” researchers from Pluto Security who found the vulnerability said in their report. “There are no runtime warnings, no consent prompts, no unusual log entries.”
The Hugging Face Transformers library lets Python developers run, on their own hardware or on cloud instances, any of the more than 1 million machine learning model variants hosted on Hugging Face. It is used in many enterprise environments and CI/CD pipelines to test models pre-trained for various tasks and to fine-tune them with proprietary data.
The Hugging Face Transformers PyPI package is downloaded over 146 million times per month and has a total of 2.2 billion installs to date. The project is also one of the highest-rated repositories on GitHub with 161K+ stars, so the blast radius of a remote code execution (RCE) vulnerability is huge.
This previously undisclosed flaw, now tracked as CVE-2026-4372, was silently patched in Transformers 5.3.0, released on March 3, but it affects every version released since August, starting with 4.56.0. Vulnerable versions are still downloaded 7 to 8 million times per week and account for around a quarter of weekly installations.
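A defender-side check built from the facts stated above, added here as an example and not code from the article, from Pluto Security or from the Hugging Face project: it classifies an installed Transformers version against the affected range (4.56.0 up to, but not including, 5.3.0) from `pip freeze`-style output, and audits a model `config.json` for underscore-prefixed keys outside a small allowlist of keys that legitimately appear in such files. The allowlist, the function names and the sample inputs are constructed assumptions for the example; the article does not name the malicious field, so the injected key in the sample config is a placeholder.

```python
import json
import re
from typing import Iterable

# Affected range as stated in the article: 4.56.0 <= version < 5.3.0.
# Versions are compared as (major, minor, patch, final) tuples, where final is 0
# for pre-releases (a/b/rc/dev) and 1 for final or post-releases, so that
# "5.3.0rc1" still counts as unfixed and "4.56.0rc1" is flagged conservatively.
VULN_MIN = (4, 56, 0, 0)
FIXED_IN = (5, 3, 0, 1)

_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?(.*)$")
_PRERELEASE_RE = re.compile(r"^\.?(a|b|rc|dev|alpha|beta)", re.IGNORECASE)


def parse_version(text: str) -> tuple[int, int, int, int]:
    """Parse 'major.minor[.patch][suffix]' into a comparable tuple."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, rest = m.groups()
    final = 0 if _PRERELEASE_RE.match(rest.strip()) else 1
    return (int(major), int(minor), int(patch or 0), final)


def is_vulnerable(version: str) -> bool:
    """True if the given Transformers version falls in the affected range."""
    return VULN_MIN <= parse_version(version) < FIXED_IN


def scan_freeze(lines: Iterable[str]) -> dict:
    """Find the transformers pin in `pip freeze`-style lines and classify it."""
    for line in lines:
        m = re.match(r"^transformers==(\S+)\s*$", line.strip(), re.IGNORECASE)
        if m:
            ver = m.group(1)
            return {"found": True, "version": ver, "vulnerable": is_vulnerable(ver)}
    return {"found": False, "version": None, "vulnerable": None}


# Underscore-prefixed keys that legitimately appear in Hugging Face config.json
# files. This allowlist is an assumption made for the example; extend it to
# match the configs your own pipeline actually produces.
KNOWN_PRIVATE_KEYS = {"_name_or_path", "_commit_hash"}


def unexpected_private_keys(config_json: str) -> list[str]:
    """Return underscore-prefixed top-level keys not on the allowlist."""
    cfg = json.loads(config_json)
    if not isinstance(cfg, dict):
        raise ValueError("config.json must contain a JSON object")
    return sorted(k for k in cfg if k.startswith("_") and k not in KNOWN_PRIVATE_KEYS)


# Constructed sample inputs (not real pipeline output or a real model config).
SAMPLE_FREEZE = [
    "numpy==1.26.4",
    "torch==2.3.1",
    "transformers==4.57.1",
    "tokenizers==0.20.0",
]

SAMPLE_CONFIG = json.dumps({
    "_name_or_path": "example-org/example-model",
    "_commit_hash": "PLACEHOLDER_COMMIT",
    "architectures": ["ExampleForCausalLM"],
    "hidden_size": 768,
    "_example_injected_field": "placeholder for an unexpected private key",
})


if __name__ == "__main__":
    print(scan_freeze(SAMPLE_FREEZE))
    print("unexpected private keys:", unexpected_private_keys(SAMPLE_CONFIG))
```

In a CI job the same two checks can run against the real `pip freeze` output and against every `config.json` pulled from the Hub before a model is loaded; a hit on either is a reason to block the job rather than a proof of compromise, since the allowlist is only as complete as you make it.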
