CVE-2025-3777

{"id": "CVE-2025-3777", "cveTags": [], "metrics": {"cvssMetricV30": [{"type": "Secondary", "source": "security@huntr.dev", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 3.5, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 2.1}]}, "published": "2025-07-07T10:15:28.297", "references": [{"url": "https://github.com/huggingface/transformers/commit/4dda5f71b35fb70cf602187eef84bb17a50b9082", "tags": ["Patch"], "source": "security@huntr.dev"}, {"url": "https://huntr.com/bounties/ccba0730-9248-4853-b7ff-5c20e6364f09", "tags": ["Exploit", "Third Party Advisory"], "source": "security@huntr.dev"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security@huntr.dev", "description": [{"lang": "en", "value": "CWE-20"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "Hugging Face Transformers versions up to 4.49.0 are affected by an improper input validation vulnerability in the `image_utils.py` file. The vulnerability arises from insecure URL validation using the `startswith()` method, which can be bypassed through URL username injection. This allows attackers to craft URLs that appear to be from YouTube but resolve to malicious domains, potentially leading to phishing attacks, malware distribution, or data exfiltration. The issue is fixed in version 4.52.1."}, {"lang": "es", "value": "Las versiones de Hugging Face Transformers hasta la 4.49.0 se ven afectadas por una vulnerabilidad de validaci\u00f3n de entrada incorrecta en el archivo `image_utils.py`. Esta vulnerabilidad se debe a una validaci\u00f3n de URL insegura mediante el m\u00e9todo `startswith()`, que puede eludirse mediante la inyecci\u00f3n de nombres de usuario en la URL. Esto permite a los atacantes manipular URL que parecen provenir de YouTube, pero que redirigen a dominios maliciosos, lo que podr\u00eda provocar ataques de phishing, distribuci\u00f3n de malware o exfiltraci\u00f3n de datos. El problema se ha corregido en la versi\u00f3n 4.52.1."}], "lastModified": "2025-08-07T00:54:16.957", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:huggingface:transformers:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "603CA36F-1ABE-4950-8FC3-CCB444106044", "versionEndExcluding": "4.52.1"}], "operator": "OR"}]}], "sourceIdentifier": "security@huntr.dev"}