Drafts `not_affected` VEX status for two untriaged transformers@4.57.6 vulnerabilities surfaced in issue #2283. Both findings are transitive — transformers is pulled in by detoxify==0.5.2, which is used by the hve-core-moderation eval script for CPU-only toxicity inference. Closes #2283 (pending human review and merge).

Summary
2 CVEs analyzed. Both drafted as `not_affected` (High confidence) based on codebase reachability analysis and corroborating evidence in scripts/evals/moderation/pip-audit-known-vulnerabilities.txt. No `affected` findings requiring immediate action.
Evidence Checklist
- Code citations provided (file path and line range for reachability evidence per CVE)
- Vulnerability details included (CVE ID, advisory URL, CVSS score per CVE)
- Reachability analysis completed (import path traced, dead code confirmed, or mitigation identified)
- Licensing compliance verified (data sourced from CC0/public domain sources; GHSA prose not quoted)
CVE Assessments

CVE-2026-1839
Aliases: GHSA-69w3-r845-3855
Package: transformers@4.57.6 (transitive via detoxify==0.5.2)
CVSS: 7.1 (CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:H) — MODERATE
Advisory: nvd.nist.gov (URL redacted)
Drafted status: `not_affected` — `vulnerable_code_not_in_execute_path`
Drafted confidence: High

Reachability analysis:
The vulnerable symbol is `Trainer._load_rng_state()` in src/transformers/trainer.py:3059, which calls `torch.load()` without `weights_only=True` on a checkpoint file. Exploitation requires supplying a malicious `.pth` checkpoint to the Trainer's checkpoint resume path.
moderate.py uses Detoxify exclusively for inference (scripts/evals/moderation/moderate.py, lines 113–118):
`Detoxify.predict()` performs tokenization and forward-pass inference using `AutoTokenizer` / `AutoModelForSequenceClassification` from transformers. It does not instantiate `Trainer`, resume from checkpoints, or call `_load_rng_state()`. The `Trainer` class is not imported anywhere in the scripts/evals/moderation/ tree.
Code-citation evidence:
- scripts/evals/moderation/moderate.py lines 113–118 — only `Detoxify` is imported and invoked; `Trainer` is absent.
- scripts/evals/moderation/pip-audit-known-vulnerabilities.txt — maintainer-documented: "The moderation tooling does not use the Trainer class."
Impact Statement: The hve-core moderation tooling uses the transformers library exclusively through the Detoxify inference API for toxicity classification. The `Trainer` class and its `_load_rng_state()` method are not instantiated or invoked in any reachable code path.
CVE-2025-14929
Aliases: PYSEC-2025-217
Package: transformers@4.57.6 (transitive via detoxify==0.5.2)
CVSS: 7.8 (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) — HIGH
Advisory: www.zerodayinitiative.com (URL redacted)
Drafted status: `not_affected` — `vulnerable_code_not_in_execute_path`
Drafted confidence: High

Reachability analysis:
The vulnerable symbol is the X-CLIP checkpoint conversion function in the transformers library. Exploitation requires a user to open a malicious checkpoint file via the X-CLIP conversion script (user interaction required, per the advisory).
moderate.py uses only Detoxify toxicity classification models (`original`, `unbiased`, `multilingual` variants — all BERT-based toxicity classifiers). X-CLIP is a video-text model entirely unrelated to toxicity classification. The X-CLIP checkpoint conversion function:
- is not auto-imported when `import transformers` or `from detoxify import Detoxify` is called,
- is not invoked by `Detoxify.predict()` or any of its internal transformers calls,
- requires an explicit user-initiated call to the conversion script, which is absent from the entire scripts/evals/moderation/ tree.
Code-citation evidence:
- scripts/evals/moderation/moderate.py lines 113–118 — only `Detoxify` is imported; no X-CLIP or checkpoint conversion reference exists anywhere in the tree.
- scripts/evals/moderation/pip-audit-known-vulnerabilities.txt — maintainer-documented: "The moderation tooling never converts untrusted checkpoints."
Impact Statement: The hve-core moderation tooling uses the transformers library exclusively through the Detoxify toxicity classifier inference path. The X-CLIP model checkpoint conversion function is not accessible from the moderation code path; no untrusted checkpoints are loaded.
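As an added check that is not part of this issue or of the hve-core repository, the scan below lets a reviewer verify both reachability claims above mechanically: it walks a directory of Python sources and reports any transformers `Trainer` import, any `_load_rng_state` reference, and any `torch.load()` call that lacks `weights_only=True`. The two sample sources and their file names are constructed for the example; the X-CLIP conversion function is not named on this page, so it is not in the default symbol set and would be added to `RISKY_NAMES` by the reviewer.

```python
import ast
import pathlib

# Symbols whose presence would put the CVE-2026-1839 code on an execute path.
RISKY_NAMES = {"Trainer", "_load_rng_state"}


def _is_torch_load(func: ast.expr) -> bool:
    """True when the callee expression is exactly torch.load."""
    return (isinstance(func, ast.Attribute) and func.attr == "load"
            and isinstance(func.value, ast.Name) and func.value.id == "torch")


def find_reachability_hits(source: str, filename: str = "<memory>") -> list[str]:
    """Return one finding per risky import, attribute reference or unsafe torch.load() call."""
    hits = []
    for node in ast.walk(ast.parse(source, filename=filename)):
        if isinstance(node, ast.ImportFrom) and (node.module or "").startswith("transformers"):
            # from transformers import Trainer  (or from transformers.trainer import ...)
            for alias in node.names:
                if alias.name in RISKY_NAMES:
                    hits.append(f"{filename}:{node.lineno}: imports {node.module}.{alias.name}")
        elif isinstance(node, ast.Attribute) and node.attr in RISKY_NAMES:
            # transformers.Trainer(...) or trainer._load_rng_state(...)
            hits.append(f"{filename}:{node.lineno}: references attribute .{node.attr}")
        elif isinstance(node, ast.Call) and _is_torch_load(node.func):
            # The deserialization sink: torch.load() is only acceptable with weights_only=True.
            kw = {k.arg: k.value for k in node.keywords}
            safe = isinstance(kw.get("weights_only"), ast.Constant) and kw["weights_only"].value is True
            if not safe:
                hits.append(f"{filename}:{node.lineno}: torch.load() without weights_only=True")
    return hits


def scan_tree(root: str) -> list[str]:
    """Run the check over every .py file below root, e.g. scripts/evals/moderation/."""
    hits = []
    for path in sorted(pathlib.Path(root).rglob("*.py")):
        hits.extend(find_reachability_hits(path.read_text(encoding="utf-8"), str(path)))
    return hits


# Constructed samples: the inference-only pattern the triage describes, and a hypothetical resume script.
INFERENCE_ONLY = "from detoxify import Detoxify\nscores = Detoxify('original').predict(['text'])\n"
RESUMES_CHECKPOINT = ("import torch\nfrom transformers import Trainer\n"
                      "state = torch.load('rng_state.pth')\n")

if __name__ == "__main__":
    print(find_reachability_hits(INFERENCE_ONLY, "moderate.py"))    # []
    print(find_reachability_hits(RESUMES_CHECKPOINT, "resume.py"))  # two findings
```

An empty result from `scan_tree("scripts/evals/moderation")` is the machine-checkable form of the "Trainer is absent" citation; a non-empty result names the file and line a human reviewer should look at.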
Additional Context
- security/vex/hve-core.openvex.json (version 2 → 3, `last_updated` set to 2026-06-30T18:58:15Z, `@id` regenerated)
- scripts/evals/moderation/pip-audit-known-vulnerabilities.txt (corroborating maintainer evidence)
Fix availability: CVE-2026-1839 fixed in transformers>=5.0.0rc3 (outside the <5 constraint); CVE-2025-14929 has no fix in the 4.x line. Both are moot for this codebase given confirmed non-reachability.
Caution
This PR is an AI-drafted triage. Every `not_affected` determination must be independently validated by a CODEOWNERS-required human reviewer before merging. The merge commit author is the accountable author of record. This output does not constitute security approval or compliance sign-off.
- [ ] Reviewed and validated by a qualified human reviewer
Note
This was originally intended as a pull request, but GitHub Actions is not permitted to create or approve pull requests in this repository.
The changes have been pushed to branch vex/draft-2026-06-30-untriaged-7de21a61989874ad.
To fix the permissions issue, go to Settings → Actions → General and enable "Allow GitHub Actions to create and approve pull requests". See also: gh-aw FAQ

Patch preview (91 of 91 lines):
From 86b343abaaf1613f6b4fa6623812d3a8690680fc Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <github-actions[bot]@users.noreply.github.com>
Date: Tue, 30 Jun 2026 19:01:39 +0000
Subject: [PATCH] fix(security): draft VEX not_affected for transformers
CVE-2026-1839 and CVE-2025-14929
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Both CVEs affect the transformers package (v4.57.6) pulled in as a transitive
dependency of detoxify in scripts/evals/moderation/.
CVE-2026-1839 (GHSA-69w3-r845-3855): Trainer._load_rng_state() calls
torch.load() without weights_only=True. The moderation tooling uses only the
Detoxify inference API; the Trainer class is never instantiated or invoked.
CVE-2025-14929 (PYSEC-2025-217): X-CLIP checkpoint conversion deserializes
untrusted data. The moderation tooling uses Detoxify toxicity classification
models only; the X-CLIP conversion function is not on any reachable code path.
Bumps document version 2 → 3, sets last_updated to 2026-06-30, regenerates
@id. Existing statements preserved (none were present).
Closes #2283 (pending human review and merge)
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
security/vex/hve-core.openvex.json | 46 ++++++++++++++++++++++++++++--
1 file changed, 43 insertions(+), 3 deletions(-)
diff --git a/security/vex/hve-core.openvex.json b/security/vex/hve-core.openvex.json
index 60dfd4c..4341ddc 100644
--- a/security/vex/hve-core.openvex.json+++ b/security/vex/hve-core.openvex.json@@ -1,9 +1,49 @@
{
"@context": "https://openvex.dev/ns/v0.2.0",
- "@id": "https://github.com/microsoft/hve-core/security/vex/2026-06-19",+ "@id": "https://github.com/microsoft/hve-core/security/vex/2026-06-30",
"author": "Microsoft HVE Core Maintainers",
"timestamp": "2026-06-19T00:00:00Z",
- "version": 2,+ "last_updated": "2026-06-30T18:58:15Z",+ "version": 3,
"tooling": "Maintained via the hve-core VEX Generator agent (AI-assisted dr
... (truncated)
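Review bot: the `@id` rewrite in this hunk (`- "@id": "https://github.com/microsoft/hve-core/security/vex/2026-06-19"` to `+ "@id": ".../security/vex/2026-06-30"`) gives revision 3 a different document identifier from revision 2, so an OpenVEX consumer that correlates revisions by `@id` will see a new, unrelated document rather than an update, and the added `"version": 3` and `"last_updated"` fields lose their meaning relative to the earlier document. Unless a dated `@id` is a deliberate repository convention, keep the `@id` stable and let `version` and `last_updated` carry the revision; if the convention is intentional, the commit message should say why the identifier is regenerated rather than only that it is.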