
VEX: draft status for untriaged findings #2298

Description

@github-actions

Drafts not_affected VEX status for two untriaged transformers@4.57.6 vulnerabilities surfaced in issue #2283. Both findings are transitive — transformers is pulled in by detoxify==0.5.2, which is used by the hve-core-moderation eval script for CPU-only toxicity inference.

Closes #2283 (pending human review and merge).


Summary

2 CVEs analyzed. Both drafted as not_affected (High confidence) based on codebase reachability analysis and corroborating evidence in scripts/evals/moderation/pip-audit-known-vulnerabilities.txt. No affected findings requiring immediate action.

Evidence Checklist

  • Code citations provided (file path and line range for reachability evidence per CVE)
  • Vulnerability details included (CVE ID, advisory URL, CVSS score per CVE)
  • Reachability analysis completed (import path traced, dead code confirmed, or mitigation identified)
  • Licensing compliance verified (data sourced from CC0/public domain sources; GHSA prose not quoted)

CVE Assessments

CVE-2026-1839

Aliases: GHSA-69w3-r845-3855
Package: transformers@4.57.6 (transitive via detoxify==0.5.2)
CVSS: 7.1 (CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:H) — MODERATE
Advisory: nvd.nist.gov/redacted

VEX Status:

  • not_affected
  • affected
  • under_investigation
  • fixed

Confidence Band:

  • High: not_affected (vulnerable symbol provably unreachable)
  • High: affected (vulnerable symbol on a reachable execution path)
  • Medium (symbol reachable in some configurations but ambiguous)
  • Low (cannot determine reachability)
  • Vendor-disputed (OSV/NVD shows dispute or CVSS < 4.0 with no known exploit)

Drafted status: not_affected (justification: vulnerable_code_not_in_execute_path)
Drafted confidence: High: not_affected

Reachability analysis:

The vulnerable symbol is Trainer._load_rng_state() in src/transformers/trainer.py:3059, which calls torch.load() without weights_only=True on a checkpoint file. Exploitation requires supplying a malicious .pth checkpoint to the Trainer's checkpoint resume path.
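To make concrete what the torch.load-without-weights_only=True finding means, the following is an added stdlib-only illustration; it is not code from this PR or from transformers. A pickle stream whose __reduce__ names an arbitrary callable is loaded once unrestricted (what weights_only=False amounts to) and once through an allowlisting Unpickler in the spirit of weights_only=True. The allowlist, the RNG-state dict layout and the harmless operator.mul stand-in for an attacker's callable are assumptions made for the demo.

```python
import io
import operator
import pickle

# Reduced stand-in for the allowlist behind torch.load(weights_only=True):
# only these (module, name) globals may be resolved during unpickling.
# This set is an assumption for illustration, not torch's real allowlist.
SAFE_GLOBALS = {
    ("builtins", "dict"),
    ("builtins", "list"),
    ("collections", "OrderedDict"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Refuse to resolve any global that is not on the allowlist.

    Every REDUCE in a pickle stream names a callable through a GLOBAL
    (module, name); refusing unknown globals is what stops arbitrary code
    from running while a checkpoint is being deserialised.
    """

    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refused global {module}.{name}")


class _MaliciousRngState:
    """Stand-in for an attacker-controlled object inside a .pth checkpoint.

    __reduce__ tells pickle to rebuild this object by calling operator.mul(6, 7);
    a real payload would name os.system or similar instead of operator.mul.
    """

    def __reduce__(self):
        return (operator.mul, (6, 7))


def build_checkpoint(malicious: bool) -> bytes:
    """Serialise a constructed RNG-state dict, optionally with a hostile entry."""
    state = {"python": 1234, "numpy": [1, 2, 3]}
    if malicious:
        state["cuda"] = _MaliciousRngState()
    return pickle.dumps(state, protocol=4)


def load_checkpoint(data: bytes, weights_only: bool):
    """Mimic torch.load's two modes on raw pickle bytes."""
    if weights_only:
        return RestrictedUnpickler(io.BytesIO(data)).load()
    return pickle.loads(data)  # unrestricted: runs whatever callable the stream names


def refused_by_restricted_load(data: bytes) -> bool:
    """True when the allowlisting loader rejects the checkpoint."""
    try:
        load_checkpoint(data, weights_only=True)
    except pickle.UnpicklingError:
        return True
    return False


if __name__ == "__main__":
    hostile = build_checkpoint(malicious=True)
    # The unrestricted path silently executes the attacker's callable (here 6 * 7).
    print("weights_only=False ->", load_checkpoint(hostile, weights_only=False))
    print("weights_only=True refused ->", refused_by_restricted_load(hostile))
```

The benign checkpoint loads identically in both modes because plain dicts, lists and ints need no GLOBAL opcode; only the hostile entry trips the allowlist, which is exactly the property the advisory's fix relies on.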

moderate.py uses Detoxify exclusively for inference (scripts/evals/moderation/moderate.py, lines 113–118):

from detoxify import Detoxify
...
model = Detoxify(model_name)
scores = model.predict(text)

Detoxify.predict() performs tokenization and forward-pass inference using AutoTokenizer / AutoModelForSequenceClassification from transformers. It does not instantiate Trainer, resume from checkpoints, or call _load_rng_state(). The Trainer class is not imported anywhere in the scripts/evals/moderation/ tree.

Code-citation evidence:

  • scripts/evals/moderation/moderate.py lines 113–118 — only Detoxify is imported and invoked; Trainer is absent.
  • scripts/evals/moderation/pip-audit-known-vulnerabilities.txt — maintainer-documented: "The moderation tooling does not use the Trainer class."

Impact Statement: The hve-core moderation tooling uses the transformers library exclusively through the Detoxify inference API for toxicity classification. The Trainer class and its _load_rng_state() method are not instantiated or invoked in any reachable code path.


CVE-2025-14929

Aliases: PYSEC-2025-217
Package: transformers@4.57.6 (transitive via detoxify==0.5.2)
CVSS: 7.8 (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) — HIGH
Advisory: www.zerodayinitiative.com/redacted

VEX Status:

  • not_affected
  • affected
  • under_investigation
  • fixed

Confidence Band:

  • High: not_affected (vulnerable symbol provably unreachable)
  • High: affected (vulnerable symbol on a reachable execution path)
  • Medium (symbol reachable in some configurations but ambiguous)
  • Low (cannot determine reachability)
  • Vendor-disputed (OSV/NVD shows dispute or CVSS < 4.0 with no known exploit)

Drafted status: not_affected (justification: vulnerable_code_not_in_execute_path)
Drafted confidence: High: not_affected

Reachability analysis:

The vulnerable symbol is the X-CLIP checkpoint conversion function in the transformers library. Exploitation requires a user to open a malicious checkpoint file via the X-CLIP conversion script (user interaction required, per the advisory).

moderate.py uses only Detoxify toxicity classification models (original, unbiased, multilingual variants — all BERT-based toxicity classifiers). X-CLIP is a video-text model entirely unrelated to toxicity classification. The X-CLIP checkpoint conversion function:

  • is not auto-imported when import transformers or from detoxify import Detoxify is called,
  • is not invoked by Detoxify.predict() or any of its internal transformers calls,
  • requires an explicit user-initiated call to the conversion script, which is absent from the entire scripts/evals/moderation/ tree.

Code-citation evidence:

  • scripts/evals/moderation/moderate.py lines 113–118 — only Detoxify is imported; no X-CLIP or checkpoint conversion reference exists anywhere in the tree.
  • scripts/evals/moderation/pip-audit-known-vulnerabilities.txt — maintainer-documented: "The moderation tooling never converts untrusted checkpoints."

Impact Statement: The hve-core moderation tooling uses the transformers library exclusively through the Detoxify toxicity classifier inference path. The X-CLIP model checkpoint conversion function is not accessible from the moderation code path; no untrusted checkpoints are loaded.
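An independent check a reviewer could run against both findings above (the Trainer / torch.load path for CVE-2026-1839 and the X-CLIP converter for CVE-2025-14929): this is an added example, not hve-core's or the drafting agent's code. It walks Python sources with the ast module and reports imports of transformers.Trainer, Trainer(...) instantiations, torch.load calls that lack weights_only=True, and imports under transformers.models.x_clip. The two source files embedded below are constructed stand-ins (a clean inference script mirroring lines 113–118 and a deliberately noisy training script); the x_clip module prefix is an assumption about where the converter would be imported from.

```python
import ast
from typing import Dict, List, Tuple

# Symbols whose use would put the advisories' vulnerable code on a reachable path.
# Trainer and torch.load come from the CVE-2026-1839 write-up; the x_clip module
# prefix is an assumption standing in for the X-CLIP converter of CVE-2025-14929.
WATCHED_IMPORTS = {("transformers", "Trainer"), ("transformers.trainer", "Trainer")}
WATCHED_CALLS = {"transformers.Trainer", "transformers.trainer.Trainer"}
WATCHED_MODULE_PREFIXES = ("transformers.models.x_clip",)

Finding = Tuple[str, int, str]  # (path, line, reason)


class _Visitor(ast.NodeVisitor):
    def __init__(self, path: str) -> None:
        self.path = path
        self.findings: List[Finding] = []
        self.aliases: Dict[str, str] = {}  # local name -> dotted origin

    def _hit(self, node: ast.AST, why: str) -> None:
        self.findings.append((self.path, node.lineno, why))

    def visit_Import(self, node: ast.Import) -> None:
        for alias in node.names:
            self.aliases[alias.asname or alias.name.split(".")[0]] = alias.name
            if alias.name.startswith(WATCHED_MODULE_PREFIXES):
                self._hit(node, f"imports {alias.name}")

    def visit_ImportFrom(self, node: ast.ImportFrom) -> None:
        mod = node.module or ""
        for alias in node.names:
            origin = f"{mod}.{alias.name}"
            self.aliases[alias.asname or alias.name] = origin
            if (mod, alias.name) in WATCHED_IMPORTS or mod.startswith(WATCHED_MODULE_PREFIXES):
                self._hit(node, f"imports {origin}")

    def _dotted(self, node: ast.AST) -> str:
        """Turn a.b.c into its dotted origin, resolving the root name through aliases."""
        parts: List[str] = []
        while isinstance(node, ast.Attribute):
            parts.append(node.attr)
            node = node.value
        if not isinstance(node, ast.Name):
            return ""
        parts.append(self.aliases.get(node.id, node.id))
        return ".".join(reversed(parts))

    def visit_Call(self, node: ast.Call) -> None:
        target = self._dotted(node.func)
        if target in WATCHED_CALLS:
            self._hit(node, "instantiates Trainer")
        elif target == "torch.load":
            weights_only = {k.arg: k.value for k in node.keywords}.get("weights_only")
            if not (isinstance(weights_only, ast.Constant) and weights_only.value is True):
                self._hit(node, "torch.load without weights_only=True")
        self.generic_visit(node)


def scan_sources(sources: Dict[str, str]) -> List[Finding]:
    """Parse each file and collect every reachability finding, in file order."""
    findings: List[Finding] = []
    for path, text in sources.items():
        visitor = _Visitor(path)
        visitor.visit(ast.parse(text, filename=path))
        findings.extend(visitor.findings)
    return findings


def tree_is_clean(findings: List[Finding], prefix: str) -> bool:
    """True when no finding falls under the given directory prefix."""
    return not any(path.startswith(prefix) for path, _, _ in findings)


# Constructed sample inputs: a stand-in for the inference-only moderation script
# and a deliberately noisy training script showing what each kind of hit looks like.
SAMPLE_SOURCES = {
    "scripts/evals/moderation/moderate.py": (
        "from detoxify import Detoxify\n"
        "model = Detoxify('original')\n"
        "scores = model.predict('some text')\n"
    ),
    "scripts/train/finetune.py": (
        "import torch\n"
        "from transformers import Trainer, TrainingArguments\n"
        "trainer = Trainer(model=None, args=TrainingArguments('out'))\n"
        "state = torch.load('rng_state.pth')\n"
        "safe = torch.load('rng_state.pth', weights_only=True)\n"
        "import transformers.models.x_clip as xclip\n"
    ),
}


if __name__ == "__main__":
    results = scan_sources(SAMPLE_SOURCES)
    for path, line, reason in results:
        print(f"{path}:{line}: {reason}")
    print("moderation tree clean:", tree_is_clean(results, "scripts/evals/moderation/"))
```

Pointed at a real checkout, the same scanner would take the file texts from scripts/evals/moderation/ instead of SAMPLE_SOURCES; a clean result there is the machine-checkable counterpart of the "Trainer is absent" citation, though it says nothing about what detoxify itself does internally, which still has to be read.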


Additional Context

  • Detection issue: VEX detection: untriaged vulnerabilities found #2283
  • VEX document updated: security/vex/hve-core.openvex.json (version 2 → 3, last_updated set to 2026-06-30T18:58:15Z, @id regenerated)
  • Corroborating analysis: scripts/evals/moderation/pip-audit-known-vulnerabilities.txt
  • Fix availability: CVE-2026-1839 is fixed in transformers>=5.0.0rc3, which the <5 constraint excludes; CVE-2025-14929 has no fix in the 4.x line. Neither upgrade is needed for this codebase on the basis of the non-reachability analysis above, subject to the human validation required below.
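For the document update listed above (version bump, last_updated, two new not_affected statements), an added example of building and sanity-checking OpenVEX statements in Python. It is not the hve-core generator's code. The document id, the author string and the purl pkg:pypi/transformers@4.57.6 used as the product identifier are assumed; the example keeps @id stable across revisions, which is a design choice of the example, and it enforces the OpenVEX rule that a not_affected statement carries a justification or an impact statement.

```python
import json
from typing import Any, Dict, Iterable, List

OPENVEX_CONTEXT = "https://openvex.dev/ns/v0.2.0"
STATUSES = {"not_affected", "affected", "fixed", "under_investigation"}
# The five machine-readable justifications OpenVEX allows for not_affected.
JUSTIFICATIONS = {
    "component_not_present",
    "vulnerable_code_not_present",
    "vulnerable_code_not_in_execute_path",
    "vulnerable_code_cannot_be_controlled_by_adversary",
    "inline_mitigations_already_exist",
}


def not_affected_statement(cve: str, aliases: Iterable[str], purl: str,
                           justification: str, impact_statement: str,
                           when: str) -> Dict[str, Any]:
    """Build one not_affected statement; rejects justifications outside the spec."""
    if justification not in JUSTIFICATIONS:
        raise ValueError(f"unknown justification {justification!r}")
    return {
        "vulnerability": {"name": cve, "aliases": list(aliases)},
        "products": [{"@id": purl}],
        "status": "not_affected",
        "justification": justification,
        "impact_statement": impact_statement,
        "timestamp": when,
    }


def revise(doc: Dict[str, Any], statements: Iterable[Dict[str, Any]], when: str) -> Dict[str, Any]:
    """Append statements, bump version once and stamp last_updated; @id is left as is."""
    doc["statements"] = list(doc.get("statements", [])) + list(statements)
    doc["version"] = int(doc.get("version", 0)) + 1
    doc["last_updated"] = when
    return doc


def validate(doc: Dict[str, Any]) -> List[str]:
    """Return a list of problems; an empty list means the document passed."""
    problems: List[str] = []
    if doc.get("@context") != OPENVEX_CONTEXT:
        problems.append("unexpected or missing @context")
    for key in ("@id", "author", "timestamp", "version"):
        if key not in doc:
            problems.append(f"missing top-level {key}")
    for i, s in enumerate(doc.get("statements", [])):
        where = f"statement[{i}]"
        if not s.get("vulnerability", {}).get("name"):
            problems.append(f"{where}: no vulnerability name")
        if not s.get("products"):
            problems.append(f"{where}: no products")
        status = s.get("status")
        if status not in STATUSES:
            problems.append(f"{where}: bad status {status!r}")
        if status == "not_affected" and not (s.get("justification") or s.get("impact_statement")):
            problems.append(f"{where}: not_affected needs justification or impact_statement")
        if s.get("justification") and s["justification"] not in JUSTIFICATIONS:
            problems.append(f"{where}: bad justification {s['justification']!r}")
    return problems


def example_document() -> Dict[str, Any]:
    """Constructed document mirroring the shape of this PR's update (version 2 -> 3)."""
    doc = {
        "@context": OPENVEX_CONTEXT,
        "@id": "https://example.invalid/hve-core/security/vex",  # assumed id
        "author": "Microsoft HVE Core Maintainers",
        "timestamp": "2026-06-19T00:00:00Z",
        "version": 2,
        "statements": [],
    }
    purl = "pkg:pypi/transformers@4.57.6"  # assumed product identifier
    when = "2026-06-30T18:58:15Z"
    return revise(doc, [
        not_affected_statement(
            "CVE-2026-1839", ["GHSA-69w3-r845-3855"], purl,
            "vulnerable_code_not_in_execute_path",
            "Trainer._load_rng_state() is never instantiated or invoked; only the "
            "Detoxify inference API is used.", when),
        not_affected_statement(
            "CVE-2025-14929", ["PYSEC-2025-217"], purl,
            "vulnerable_code_not_in_execute_path",
            "The X-CLIP checkpoint conversion function is not on any reachable code path.", when),
    ], when)


if __name__ == "__main__":
    document = example_document()
    print(json.dumps(document, indent=2))
    print("problems:", validate(document))
```

Running validate over the checked-in security/vex/hve-core.openvex.json after every agent-drafted revision is a cheap CI gate: it catches a statement that slipped in as not_affected without a justification, which is exactly the field the confidence bands above are meant to back up.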

Caution

This PR is an AI-drafted triage. Every not_affected determination must be independently validated by a CODEOWNERS-required human reviewer before merging. The merge commit author is the accountable author of record. This output does not constitute security approval or compliance sign-off.

  • Reviewed and validated by a qualified human reviewer

Generated by VEX Drafting · 332.6 AIC · ⌖ 125.1 AIC · ⊞ 35.3K


Note

This was originally intended as a pull request, but GitHub Actions is not permitted to create or approve pull requests in this repository.
The changes have been pushed to branch vex/draft-2026-06-30-untriaged-7de21a61989874ad.


To fix the permissions issue, go to Settings > Actions > General and enable "Allow GitHub Actions to create and approve pull requests". See also: gh-aw FAQ

Patch preview (91 lines, truncated below):
From 86b343abaaf1613f6b4fa6623812d3a8690680fc Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <github-actions[bot]@users.noreply.github.com>
Date: Tue, 30 Jun 2026 19:01:39 +0000
Subject: [PATCH] fix(security): draft VEX not_affected for transformers
 CVE-2026-1839 and CVE-2025-14929
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Both CVEs affect the transformers package (v4.57.6) pulled in as a transitive
dependency of detoxify in scripts/evals/moderation/.

CVE-2026-1839 (GHSA-69w3-r845-3855): Trainer._load_rng_state() calls
torch.load() without weights_only=True. The moderation tooling uses only the
Detoxify inference API; the Trainer class is never instantiated or invoked.

CVE-2025-14929 (PYSEC-2025-217): X-CLIP checkpoint conversion deserializes
untrusted data. The moderation tooling uses Detoxify toxicity classification
models only; the X-CLIP conversion function is not on any reachable code path.

Bumps document version 2 → 3, sets last_updated to 2026-06-30, regenerates
@id. Existing statements preserved (none were present).

Closes #2283 (pending human review and merge)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 security/vex/hve-core.openvex.json | 46 ++++++++++++++++++++++++++++--
 1 file changed, 43 insertions(+), 3 deletions(-)

diff --git a/security/vex/hve-core.openvex.json b/security/vex/hve-core.openvex.json
index 60dfd4c..4341ddc 100644
--- a/security/vex/hve-core.openvex.json
+++ b/security/vex/hve-core.openvex.json
@@ -1,9 +1,49 @@
 {
   "@context": "https://openvex.dev/ns/v0.2.0",
-  "@id": "https://github.com/microsoft/hve-core/security/vex/2026-06-19",
+  "@id": "https://github.com/microsoft/hve-core/security/vex/2026-06-30",
   "author": "Microsoft HVE Core Maintainers",
   "timestamp": "2026-06-19T00:00:00Z",
-  "version": 2,
+  "last_updated": "2026-06-30T18:58:15Z",
+  "version": 3,
   "tooling": "Maintained via the hve-core VEX Generator agent (AI-assisted dr
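Review bot: the @id is rewritten from .../security/vex/2026-06-19 to .../security/vex/2026-06-30 in the same hunk that bumps version 2 to 3 and adds last_updated; since those two fields already record the revision, regenerating the document identifier on each update severs the link to the previous revision for any consumer that stored the old @id. Suggest keeping `"@id": "https://github.com/microsoft/hve-core/security/vex/2026-06-19"` stable (or deriving it from something revision-independent) unless a genuinely new document is intended, and letting version and last_updated carry the update. Leaving the original `"timestamp": "2026-06-19T00:00:00Z"` untouched while adding last_updated is the right split, and is worth stating in the commit message so the next revision follows the same rule.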
... (truncated)

Labels: agentic-workflows, automated (Issues and PRs created or updated by automation), needs-triage (Requires triage and prioritization), security (Security-related changes or concerns)
