
VEX: draft status for untriaged findings #2285

Description

@github-actions

Summary

Draft not_affected VEX status for 2 untriaged vulnerabilities in transformers@4.57.6 (scripts/evals/moderation), surfaced by issue #2283.

Both findings affect the transformers library bundled with the moderation eval tooling. The vulnerable code paths — Trainer._load_rng_state() and X-CLIP checkpoint conversion — are absent from the moderation code path. Confidence band: High not_affected for both.

Draft only. A CODEOWNERS-required human reviewer must validate the evidence and merge. The merge commit author is the accountable author of record. The detection issue (#2283) is not closed by this PR; it is left for the human reviewer to resolve.

Evidence Checklist

  • Code citations provided (file path and line range for reachability evidence per CVE)
  • Vulnerability details included (CVE ID, advisory URL, CVSS score per CVE)
  • Reachability analysis completed (import path traced, dead code confirmed, or mitigation identified)
  • Licensing compliance verified (data sourced from CC0/public domain sources; GHSA prose not quoted)

CVE Assessments

CVE-2026-1839

VEX Status:

  • not_affected
  • affected
  • under_investigation
  • fixed

Confidence Band:

  • High: not_affected (vulnerable symbol provably unreachable)
  • High: affected (vulnerable symbol on a reachable execution path)
  • Medium (symbol reachable in some configurations but ambiguous)
  • Low (cannot determine reachability)
  • Vendor-disputed (OSV/NVD shows dispute or CVSS < 4.0 with no known exploit)

Impact Statement:

The moderation tooling (scripts/evals/moderation/moderate.py) calls Detoxify(model_name).predict(text) for toxicity classification. The transformers Trainer class, which contains the vulnerable _load_rng_state() method (src/transformers/trainer.py:3059, calling torch.load() without weights_only=True), is never imported or instantiated anywhere in scripts/evals/moderation/. No checkpoint files are loaded via torch.load() in the moderation code path.

Code-citation evidence:

  • scripts/evals/moderation/moderate.py:113–115: from detoxify import Detoxify (inference only; no Trainer import)
  • scripts/evals/moderation/pip-audit-known-vulnerabilities.txt:16–19 — prior analyst note confirming non-use of Trainer

Advisory: GHSA-69w3-r845-3855 · CVSS 6.5 (AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:H) · CWE-502 · Fix: transformers ≥ 5.0.0rc3 (outside the supported < 5 constraint)


PYSEC-2025-217 (CVE-2025-14929)

VEX Status:

  • not_affected
  • affected
  • under_investigation
  • fixed

Confidence Band:

  • High: not_affected (vulnerable symbol provably unreachable)
  • High: affected (vulnerable symbol on a reachable execution path)
  • Medium (symbol reachable in some configurations but ambiguous)
  • Low (cannot determine reachability)
  • Vendor-disputed (OSV/NVD shows dispute or CVSS < 4.0 with no known exploit)

Impact Statement:

The moderation tooling uses Detoxify (a BERT-based toxicity classifier) for inference. The X-CLIP video-text multimodal model, whose checkpoint conversion code contains the deserialization vulnerability, is never imported or invoked anywhere in scripts/evals/moderation/. No untrusted checkpoint files are processed by the moderation code.

Code-citation evidence:

  • scripts/evals/moderation/moderate.py:113–115: from detoxify import Detoxify (BERT-based inference only; no X-CLIP import)
  • scripts/evals/moderation/pip-audit-known-vulnerabilities.txt:12–15 — prior analyst note confirming no untrusted checkpoint loading

Advisory: https://osv.dev/vulnerability/PYSEC-2025-217 · (www.zerodayinitiative.com/redacted) · CVSS 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) · No fixed release in the 4.x line
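A static reachability check of the kind both impact statements rely on, followed by the OpenVEX statement it would justify, as an added example and not the drafting bot's or the repository's own code. It assumes only the stdlib ast module (Python 3.9+ for ast.unparse), a constructed stand-in for the Detoxify-only import in moderate.py, and the transformers.models.x_clip module path as the X-CLIP entry point.

```python
import ast

# Vulnerable entry points per finding: "transformers.Trainer" is the symbol named
# in the assessment above; the x_clip module path is an assumption about the
# package layout. Aliased imports (import transformers as t) and top-level
# re-exports of x_clip classes are not resolved, so a clean run is evidence to
# cite, not proof on its own.
VULNERABLE = {"CVE-2026-1839": ("transformers.Trainer", "transformers.trainer"),
              "CVE-2025-14929": ("transformers.models.x_clip",)}

def referenced_names(source):
    """Dotted names a module imports or dereferences; static, nothing is executed."""
    names = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            names.update(a.name for a in node.names)
        elif isinstance(node, ast.ImportFrom):
            names.update(f"{node.module or ''}.{a.name}" for a in node.names)
        elif isinstance(node, ast.Attribute):  # e.g. transformers.Trainer after `import transformers`
            names.add(ast.unparse(node))
    return names

def assess(cve, sources):
    """Reachability verdict for one CVE over {path: source}, in the confidence bands above."""
    hits, star = [], False
    for path, src in sources.items():
        for name in referenced_names(src):
            star |= name.startswith("transformers") and name.endswith(".*")
            if any(name == p or name.startswith(p + ".") for p in VULNERABLE[cve]):
                hits.append(f"{path}: {name}")
    if hits:
        return {"status": "affected", "confidence": "High: affected", "evidence": "; ".join(sorted(hits))}
    if star:  # `from transformers import *`: the bound symbol set cannot be enumerated statically
        return {"status": "under_investigation", "confidence": "Medium", "evidence": "star import of transformers"}
    return {"status": "not_affected", "confidence": "High: not_affected",
            "justification": "vulnerable_code_not_in_execute_path", "evidence": "no vulnerable symbol referenced"}

def openvex_statement(cve, purl, verdict, impact):
    """One OpenVEX statement object (v0.2.0 field names) for the verdict above."""
    stmt = {"vulnerability": {"name": cve}, "products": [{"@id": purl}], "status": verdict["status"]}
    if verdict["status"] == "not_affected":
        stmt["justification"], stmt["impact_statement"] = verdict["justification"], impact
    return stmt

# Constructed stand-ins: the first mirrors the Detoxify-only import cited at
# moderate.py:113-115; the second is a counter-example that would be affected.
MODERATION_SRC = {"moderate.py": "from detoxify import Detoxify\ndef score(t):\n    return Detoxify('original').predict(t)\n"}
TRAINING_SRC = {"finetune.py": "import transformers\ntrainer = transformers.Trainer(model=None)\n"}
```

Run it over a real checkout by reading each file under scripts/evals/moderation/ into the sources dict; the evidence string is what goes into the code-citation bullet.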

Additional Context

Generated by VEX Drafting · 394.2 AIC · ⌖ 39 AIC · ⊞ 35.3K


Note

This was originally intended as a pull request, but GitHub Actions is not permitted to create or approve pull requests in this repository.
The changes have been pushed to branch vex/draft-2026-06-30-untriaged-81da5dd47eb21ea6.


To fix the permissions issue, go to Settings > Actions > General and enable "Allow GitHub Actions to create and approve pull requests". See also: gh-aw FAQ

From 6c52f408d1bf40be3685deec621788e05731502f Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <github-actions[bot]@users.noreply.github.com>
Date: Tue, 30 Jun 2026 16:34:01 +0000
Subject: [PATCH] feat(vex): draft not_affected status for transformers
 CVE-2026-1839 and PYSEC-2025-217
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Both findings affect transformers@4.57.6 in scripts/evals/moderation/.

CVE-2026-1839 (GHSA-69w3-r845-3855): Trainer._load_rng_state() calls
torch.load() without weights_only=True. The moderation tooling uses
Detoxify for inference only; the Trainer class is never imported or
instantiated anywhere in scripts/evals/moderation/.

PYSEC-2025-217 (CVE-2025-14929): RCE via X-CLIP checkpoint conversion
deserialization. The moderation tooling uses a BERT-based Detoxify
classifier; no X-CLIP symbol or checkpoint conversion code appears in
scripts/evals/moderation/.

Both statements carry justification: vulnerable_code_not_in_execute_path,
confidence band: High not_affected. Document mutation: version 2->3,
last_updated set to 2026-06-30T16:29:28Z, @id updated.

Fixes: #2283 (detection issue — for human reviewer to close after merge)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 security/vex/hve-core.openvex.json | 50 ++++++++++++++++++++++++++++--
 1 file changed, 47 insertions(+), 3 deletions(-)

diff --git a/security/vex/hve-core.openvex.json b/security/vex/hve-core.openvex.json
index 60dfd4c..351ac52 100644
--- a/security/vex/hve-core.openvex.json
+++ b/security/vex/hve-core.openvex.json
@@ -1,9 +1,53 @@
 {
   "@context": "https://openvex.dev/ns/v0.2.0",
-  "@id": "https://github.com/microsoft/hve-core/security/vex/2026-06-19",
+  "@id": "https://github.com/microsoft/hve-core/security/vex/2026-06-30",
   "author": "Microsoft HVE Core Maintainers",
   "timestamp": "2026-06-19T00:00:00Z",
-  "version": 2,
+  "last_updated": "2026-06-30T16:29:28Z",
+  "version": 3,
   "too
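Review bot: the `+` line for `@id` keys the document on the draft date (`.../security/vex/2026-06-30`), so a second draft produced the same day would yield two documents with the same identifier while only `version` (2 -> 3) distinguishes them; either keep a stable `@id` and let `version` plus the new `last_updated` carry the revision, or put the version into the identifier. The preview also breaks off at `"too`, so the added `statements` entries that the commit message says carry `justification: vulnerable_code_not_in_execute_path` are not visible here; before merging, the human reviewer should confirm on the branch that each of the two statements lists the transformers@4.57.6 product and an `impact_statement` matching the assessment text above.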
... (truncated)

Labels: agentic-workflows; automated (Issues and PRs created or updated by automation); needs-triage (Requires triage and prioritization); security (Security-related changes or concerns)