You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Draft not_affected VEX status for 2 untriaged vulnerabilities in transformers@4.57.6 (scripts/evals/moderation), surfaced by issue #2283.
Both findings affect the transformers library bundled with the moderation eval tooling. The vulnerable code paths — Trainer._load_rng_state() and X-CLIP checkpoint conversion — are absent from the moderation code path. Confidence band: High not_affected for both.
Draft only. A CODEOWNERS-required human reviewer must validate the evidence and merge. The merge commit author is the accountable author of record. The detection issue (#2283) is not closed by this PR; it is left for the human reviewer to resolve.
Evidence Checklist
Code citations provided (file path and line range for reachability evidence per CVE)
Vulnerability details included (CVE ID, advisory URL, CVSS score per CVE)
Reachability analysis completed (import path traced, dead code confirmed, or mitigation identified)
Licensing compliance verified (data sourced from CC0/public domain sources; GHSA prose not quoted)
High: not_affected (vulnerable symbol provably unreachable)
High: affected (vulnerable symbol on a reachable execution path)
Medium (symbol reachable in some configurations but ambiguous)
Low (cannot determine reachability)
Vendor-disputed (OSV/NVD shows dispute or CVSS < 4.0 with no known exploit)
Impact Statement:
The moderation tooling (scripts/evals/moderation/moderate.py) calls Detoxify(model_name).predict(text) for toxicity classification. The transformers Trainer class, which contains the vulnerable _load_rng_state() method (src/transformers/trainer.py:3059, calling torch.load() without weights_only=True), is never imported or instantiated anywhere in scripts/evals/moderation/. No checkpoint files are loaded via torch.load() in the moderation code path.
Code-citation evidence:
scripts/evals/moderation/moderate.py:113–115 — from detoxify import Detoxify (inference only; no Trainer import)
scripts/evals/moderation/pip-audit-known-vulnerabilities.txt:16–19 — prior analyst note confirming non-use of Trainer
High: not_affected (vulnerable symbol provably unreachable)
High: affected (vulnerable symbol on a reachable execution path)
Medium (symbol reachable in some configurations but ambiguous)
Low (cannot determine reachability)
Vendor-disputed (OSV/NVD shows dispute or CVSS < 4.0 with no known exploit)
Impact Statement:
The moderation tooling uses Detoxify (a BERT-based toxicity classifier) for inference. The X-CLIP video-text multimodal model, whose checkpoint conversion code contains the deserialization vulnerability, is never imported or invoked anywhere in scripts/evals/moderation/. No untrusted checkpoint files are processed by the moderation code.
Code-citation evidence:
scripts/evals/moderation/moderate.py:113–115 — from detoxify import Detoxify (BERT-based inference only; no X-CLIP import)
scripts/evals/moderation/pip-audit-known-vulnerabilities.txt:12–15 — prior analyst note confirming no untrusted checkpoint loading
This was originally intended as a pull request, but GitHub Actions is not permitted to create or approve pull requests in this repository.
The changes have been pushed to branch vex/draft-2026-06-30-untriaged-81da5dd47eb21ea6.
To fix the permissions issue, go to Settings → Actions → General and enable Allow GitHub Actions to create and approve pull requests. See also: gh-aw FAQ
Show patch preview (97 of 97 lines)
From 6c52f408d1bf40be3685deec621788e05731502f Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <github-actions[bot]@users.noreply.github.com>
Date: Tue, 30 Jun 2026 16:34:01 +0000
Subject: [PATCH] feat(vex): draft not_affected status for transformers
CVE-2026-1839 and PYSEC-2025-217
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Both findings affect transformers@4.57.6 in scripts/evals/moderation/.
CVE-2026-1839 (GHSA-69w3-r845-3855): Trainer._load_rng_state() calls
torch.load() without weights_only=True. The moderation tooling uses
Detoxify for inference only; the Trainer class is never imported or
instantiated anywhere in scripts/evals/moderation/.
PYSEC-2025-217 (CVE-2025-14929): RCE via X-CLIP checkpoint conversion
deserialization. The moderation tooling uses a BERT-based Detoxify
classifier; no X-CLIP symbol or checkpoint conversion code appears in
scripts/evals/moderation/.
Both statements carry justification: vulnerable_code_not_in_execute_path,
confidence band: High not_affected. Document mutation: version 2->3,
last_updated set to 2026-06-30T16:29:28Z, @id updated.
Fixes: #2283 (detection issue — for human reviewer to close after merge)
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
security/vex/hve-core.openvex.json | 50 ++++++++++++++++++++++++++++--
1 file changed, 47 insertions(+), 3 deletions(-)
diff --git a/security/vex/hve-core.openvex.json b/security/vex/hve-core.openvex.json
index 60dfd4c..351ac52 100644
--- a/security/vex/hve-core.openvex.json+++ b/security/vex/hve-core.openvex.json@@ -1,9 +1,53 @@
{
"@context": "https://openvex.dev/ns/v0.2.0",
- "@id": "https://github.com/microsoft/hve-core/security/vex/2026-06-19",+ "@id": "https://github.com/microsoft/hve-core/security/vex/2026-06-30",
"author": "Microsoft HVE Core Maintainers",
"timestamp": "2026-06-19T00:00:00Z",
- "version": 2,+ "last_updated": "2026-06-30T16:29:28Z",+ "version": 3,
"too
... (truncated)
Summary
Draft
not_affectedVEX status for 2 untriaged vulnerabilities intransformers@4.57.6(scripts/evals/moderation), surfaced by issue #2283.Both findings affect the
transformerslibrary bundled with the moderation eval tooling. The vulnerable code paths —Trainer._load_rng_state()and X-CLIP checkpoint conversion — are absent from the moderation code path. Confidence band: High not_affected for both.Evidence Checklist
CVE Assessments
CVE-2026-1839
VEX Status:
not_affectedaffectedunder_investigationfixedConfidence Band:
Impact Statement:
The moderation tooling (
scripts/evals/moderation/moderate.py) callsDetoxify(model_name).predict(text)for toxicity classification. The transformersTrainerclass, which contains the vulnerable_load_rng_state()method (src/transformers/trainer.py:3059, callingtorch.load()withoutweights_only=True), is never imported or instantiated anywhere inscripts/evals/moderation/. No checkpoint files are loaded viatorch.load()in the moderation code path.Code-citation evidence:
scripts/evals/moderation/moderate.py:113–115—from detoxify import Detoxify(inference only; no Trainer import)scripts/evals/moderation/pip-audit-known-vulnerabilities.txt:16–19— prior analyst note confirming non-use of TrainerAdvisory: GHSA-69w3-r845-3855 · CVSS 6.5 (AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:H) · CWE-502 · Fix: transformers≥5.0.0rc3 (outside the supported
<5constraint)PYSEC-2025-217 (CVE-2025-14929)
VEX Status:
not_affectedaffectedunder_investigationfixedConfidence Band:
Impact Statement:
The moderation tooling uses
Detoxify(a BERT-based toxicity classifier) for inference. The X-CLIP video-text multimodal model, whose checkpoint conversion code contains the deserialization vulnerability, is never imported or invoked anywhere inscripts/evals/moderation/. No untrusted checkpoint files are processed by the moderation code.Code-citation evidence:
scripts/evals/moderation/moderate.py:113–115—from detoxify import Detoxify(BERT-based inference only; no X-CLIP import)scripts/evals/moderation/pip-audit-known-vulnerabilities.txt:12–15— prior analyst note confirming no untrusted checkpoint loadingAdvisory: https://osv.dev/vulnerability/PYSEC-2025-217 · (www.zerodayinitiative.com/redacted) · CVSS 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) · No fixed release in the 4.x line
Additional Context
security/vex/hve-core.openvex.json(version 2 → 3,last_updatedset to 2026-06-30T16:29:28Z,@idupdated to.../2026-06-30)Note
This was originally intended as a pull request, but GitHub Actions is not permitted to create or approve pull requests in this repository.
The changes have been pushed to branch
vex/draft-2026-06-30-untriaged-81da5dd47eb21ea6.Click here to create the pull request
To fix the permissions issue, go to Settings → Actions → General and enable Allow GitHub Actions to create and approve pull requests. See also: gh-aw FAQ
Show patch preview (97 of 97 lines)