
VEX: draft status for untriaged findings #2299

Description

@github-actions

Drafts not_affected VEX status for 2 untriaged transformers@4.57.6 vulnerabilities detected in scripts/evals/moderation (closes-related: #2283). Both determinations are High confidence and require independent human validation before merge. The merge commit author is the accountable author of record.

Caution

This PR is an AI-assisted draft only. Every not_affected determination must be independently validated by a CODEOWNERS-required human reviewer before merging. This output does not constitute security approval or compliance sign-off.

Summary

Two vulnerabilities in transformers@4.57.6 (a dependency of hve-core-moderation@1.0.0 via detoxify==0.5.2) were triaged against the scripts/evals/moderation/moderate.py code path. Both affect checkpoint-loading or training code paths that the moderation tooling — which is inference-only and uses the Detoxify API exclusively — does not reach.

| CVE | Alias | CVSS | Drafted Status | Confidence |
|---|---|---|---|---|
| CVE-2026-1839 | GHSA-69w3-r845-3855 | 6.5 (AV:L/AC:H/PR:N/UI:R) | not_affected | High |
| PYSEC-2025-217 | CVE-2025-14929 | 7.8 (AV:L/AC:L/PR:N/UI:R) | not_affected | High |

Evidence Checklist

  • Code citations provided (file path and line range for reachability evidence per CVE)
  • Vulnerability details included (CVE ID, advisory URL, CVSS score per CVE)
  • Reachability analysis completed (import path traced, dead code confirmed, or mitigation identified)
  • Licensing compliance verified (data sourced from CC0/public domain sources; GHSA prose not quoted)

CVE Assessments

CVE-2026-1839

VEX Status:

  • not_affected
  • affected
  • under_investigation
  • fixed

Confidence Band:

  • High: not_affected (vulnerable symbol provably unreachable)
  • High: affected (vulnerable symbol on a reachable execution path)
  • Medium (symbol reachable in some configurations but ambiguous)
  • Low (cannot determine reachability)
  • Vendor-disputed (OSV/NVD shows dispute or CVSS < 4.0 with no known exploit)

Drafted Status: not_affected / vulnerable_code_not_in_execute_path
Drafted Confidence Band: High: not_affected

Advisory: GHSA-69w3-r845-3855
CVSS: 6.5 — CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:H
CWE: CWE-502 (Deserialization of Untrusted Data)
Vulnerable symbol: Trainer._load_rng_state() in src/transformers/trainer.py:3059
Attack surface: Requires calling Trainer during a training run with a malicious rng_state.pth checkpoint supplied by an attacker.
Fix available: transformers >= 5.0.0rc3 (outside the <5 constraint in pyproject.toml)

Reachability analysis:
scripts/evals/moderation/moderate.py is the sole entry point. Its complete import and execution path:

  • Line 113: from detoxify import Detoxify — imports Detoxify's inference wrapper only
  • Line 118: model = Detoxify(model_name) — instantiates a pretrained toxicity classifier
  • Line 126: scores = model.predict(text) — calls inference; no training code is invoked

No import of transformers.Trainer or any transformers.trainer module exists in moderate.py or in detoxify==0.5.2's published API. The Trainer class is exclusively a fine-tuning/training utility and is not part of the inference stack used by Detoxify. scripts/evals/moderation/pip-audit-known-vulnerabilities.txt:18 independently confirms: "The moderation tooling does not use the Trainer class."

Impact Statement:
The vulnerable symbol Trainer._load_rng_state() is not reachable from the moderation tooling. No training or checkpoint-loading is performed; the tool is inference-only.


PYSEC-2025-217

VEX Status:

  • not_affected
  • affected
  • under_investigation
  • fixed

Confidence Band:

  • High: not_affected (vulnerable symbol provably unreachable)
  • High: affected (vulnerable symbol on a reachable execution path)
  • Medium (symbol reachable in some configurations but ambiguous)
  • Low (cannot determine reachability)
  • Vendor-disputed (OSV/NVD shows dispute or CVSS < 4.0 with no known exploit)

Drafted Status: not_affected / vulnerable_code_not_in_execute_path
Drafted Confidence Band: High: not_affected

Advisory: (www.zerodayinitiative.com/redacted)
CVSS: 7.8 — CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Vulnerable symbol: X-CLIP checkpoint conversion deserialization (ZDI-CAN-28308)
Attack surface: Requires the user to open a malicious checkpoint file during X-CLIP model format conversion.
Fix available: None in the 4.x line (last_affected: 5.0.0-rc0 per OSV)

Reachability analysis:
scripts/evals/moderation/moderate.py is the sole entry point:

  • Line 113: from detoxify import Detoxify — imports Detoxify's inference wrapper only
  • Line 118: model = Detoxify(model_name) — loads BERT/XLM-R toxicity classifier weights
  • Line 126: scores = model.predict(text) — performs toxicity inference

Detoxify==0.5.2 uses AutoModelForSequenceClassification.from_pretrained() to load pretrained BERT/XLM-R weights from the Hugging Face hub. It does not use X-CLIP models, nor does it invoke the X-CLIP checkpoint conversion script (convert_x_clip_original_pytorch_to_hf.py), which is a standalone migration utility requiring explicit invocation. scripts/evals/moderation/pip-audit-known-vulnerabilities.txt:14 independently confirms: "The moderation tooling never converts untrusted checkpoints."

Impact Statement:
The X-CLIP checkpoint conversion code path is not reachable from the moderation tooling. Only Detoxify's BERT/XLM-R inference pipeline is exercised; no checkpoint conversion is performed.
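Both reachability analyses above rest on the same evidence: no import or attribute access in the entry point reaches transformers.Trainer or the X-CLIP conversion module. The following static checker is an added example (not code from the hve-core repository or the VEX Drafting workflow) that makes that evidence reproducible; the sample sources are constructed stand-ins for moderate.py, and the x_clip module path is assumed from the script name the issue cites.

```python
import ast

# Code paths the triage asserts are unreachable. Module prefixes come from the
# issue text; the x_clip module path is assumed from the script name it cites.
FORBIDDEN_MODULES = ("transformers.trainer",
                     "transformers.models.x_clip.convert_x_clip_original_pytorch_to_hf")
FORBIDDEN_SYMBOLS = {("transformers", "Trainer")}

def _hits_module(name: str) -> bool:
    return any(name == m or name.startswith(m + ".") for m in FORBIDDEN_MODULES)

def find_forbidden_references(source: str, filename: str = "<constructed>") -> list:
    """Static scan: every Import/ImportFrom node (top-level or nested in a function)
    and every `transformers.Trainer` attribute access. Dynamic imports through
    importlib/__import__ string arguments are not seen and need a separate check."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if _hits_module(alias.name):
                    findings.append(f"{filename}:{node.lineno}: import {alias.name}")
        elif isinstance(node, ast.ImportFrom):
            mod = node.module or ""
            for alias in node.names:
                if _hits_module(mod) or (mod, alias.name) in FORBIDDEN_SYMBOLS:
                    findings.append(f"{filename}:{node.lineno}: from {mod} import {alias.name}")
                elif alias.name == "*" and any(mod == m for m, _ in FORBIDDEN_SYMBOLS):
                    findings.append(f"{filename}:{node.lineno}: star import from {mod} (cannot exclude)")
        elif isinstance(node, ast.Attribute) and isinstance(node.value, ast.Name):
            if (node.value.id, node.attr) in FORBIDDEN_SYMBOLS:
                findings.append(f"{filename}:{node.lineno}: attribute {node.value.id}.{node.attr}")
    return findings

# Constructed stand-ins: the first mirrors the three moderate.py lines the issue cites,
# the second is a training script that would put Trainer on the execution path.
MODERATE_PY = """\
from detoxify import Detoxify
def moderate(text, model_name="original"):
    model = Detoxify(model_name)
    return model.predict(text)
"""
TRAINING_PY = """\
import transformers
def finetune(args):
    return transformers.Trainer(args=args).train(resume_from_checkpoint=True)
"""
```

Run it over the dependency's own package (detoxify) as well as the entry point, since the triage's claim covers the transitive path, not just moderate.py.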

Additional Context

  • Detection issue: VEX detection: untriaged vulnerabilities found #2283
  • Scan source: OSV-Scanner on scripts/evals/moderation/uv.lock
  • Pre-existing suppression file: scripts/evals/moderation/pip-audit-known-vulnerabilities.txt (lists both CVEs with rationale, consistent with this triage)
  • Document mutation: version 2 → 3, @id updated to 2026-06-30, last_updated set to 2026-06-30T19:11:13Z; original timestamp (2026-06-19) preserved per first-issuance rule
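The document mutation rules listed above (version increments, first-issuance timestamp preserved, last_updated refreshed) and the OpenVEX requirement that every not_affected statement carry a justification and impact statement can be checked mechanically before a human signs off. This validator is an added example, not part of the hve-core repository or the drafting workflow; the fixtures reproduce the issue's values, and the purl identifiers are assumptions.

```python
from datetime import datetime

# OpenVEX v0.2.0 justification values that a not_affected statement may carry.
ALLOWED_JUSTIFICATIONS = {"component_not_present", "vulnerable_code_not_present",
    "vulnerable_code_not_in_execute_path", "vulnerable_code_cannot_be_controlled_by_adversary",
    "inline_mitigations_already_exist"}

def _ts(value: str) -> datetime:
    # RFC 3339 "Z" suffix is not accepted by fromisoformat() before Python 3.11.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def check_mutation(previous: dict, drafted: dict, detected: set) -> list:
    """Return review findings for a drafted document; an empty list means it passes."""
    problems = []
    if drafted.get("version") != previous.get("version", 0) + 1:
        problems.append(f"version must be {previous.get('version', 0) + 1}")
    if drafted.get("timestamp") != previous.get("timestamp"):
        problems.append("first-issuance timestamp must be preserved")
    first, last = drafted.get("timestamp"), drafted.get("last_updated")
    if not first or not last or _ts(last) < _ts(first):
        problems.append("last_updated missing or earlier than timestamp")
    covered = set()
    for st in drafted.get("statements", []):
        vuln = st.get("vulnerability", {})
        covered.add(vuln.get("name"))
        covered.update(vuln.get("aliases", []))  # a detection by alias is still covered
        if st.get("status") == "not_affected":
            if st.get("justification") not in ALLOWED_JUSTIFICATIONS:
                problems.append(f"{vuln.get('name')}: not_affected needs a valid justification")
            if not st.get("impact_statement"):
                problems.append(f"{vuln.get('name')}: not_affected needs an impact_statement")
    for missing in sorted(detected - covered):
        problems.append(f"{missing}: detected in scan but no statement drafted")
    return problems

# Constructed fixtures mirroring the issue's values; the purls are assumed, not from the repo.
PRODUCT = {"@id": "pkg:pypi/hve-core-moderation@1.0.0",
           "subcomponents": [{"@id": "pkg:pypi/transformers@4.57.6"}]}
PREVIOUS = {"@context": "https://openvex.dev/ns/v0.2.0", "author": "Microsoft HVE Core Maintainers",
            "timestamp": "2026-06-19T00:00:00Z", "version": 2, "statements": []}
DRAFTED = dict(PREVIOUS, version=3, last_updated="2026-06-30T19:11:13Z", statements=[
    {"vulnerability": {"name": "CVE-2026-1839", "aliases": ["GHSA-69w3-r845-3855"]},
     "products": [PRODUCT], "status": "not_affected",
     "justification": "vulnerable_code_not_in_execute_path",
     "impact_statement": "Trainer._load_rng_state() is not reachable; the tool is inference-only."},
    {"vulnerability": {"name": "PYSEC-2025-217", "aliases": ["CVE-2025-14929"]},
     "products": [PRODUCT], "status": "not_affected",
     "justification": "vulnerable_code_not_in_execute_path",
     "impact_statement": "X-CLIP checkpoint conversion is never invoked."}])
DETECTED = {"CVE-2026-1839", "PYSEC-2025-217"}
```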

Generated by VEX Drafting.


Note

This was originally intended as a pull request, but GitHub Actions is not permitted to create or approve pull requests in this repository.
The changes have been pushed to branch vex/draft-status-2026-06-30-9bc58ddab5fef6ad.


To fix the permissions issue, go to Settings > Actions > General and enable "Allow GitHub Actions to create and approve pull requests". See also: gh-aw FAQ

Patch preview (109 of 109 lines):
From abffc81c6e0470696626a34e5f97d1135811e369 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <github-actions[bot]@users.noreply.github.com>
Date: Tue, 30 Jun 2026 19:15:35 +0000
Subject: [PATCH] security(vex): draft not_affected status for CVE-2026-1839
 and PYSEC-2025-217

Drafts VEX statements for two untriaged transformers@4.57.6 vulnerabilities
found in scripts/evals/moderation (issue #2283):

- CVE-2026-1839 (GHSA-69w3-r845-3855): Trainer._load_rng_state() RCE via
  unsafe torch.load. Drafted not_affected / vulnerable_code_not_in_execute_path.
  The moderation tooling imports only the Detoxify inference API and never
  invokes transformers.Trainer or any training code path.

- PYSEC-2025-217 (CVE-2025-14929): X-CLIP checkpoint conversion RCE via
  deserialization. Drafted not_affected / vulnerable_code_not_in_execute_path.
  The moderation tooling uses BERT/XLM-R inference via Detoxify only; the
  X-CLIP conversion script is never imported or invoked.

Document mutation contract applied: version bumped to 3, last_updated set to
2026-06-30T19:11:13Z, @id regenerated with today's date. Original timestamp
preserved (first issuance 2026-06-19).

Both determinations are High confidence and require human reviewer validation
before merge.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 security/vex/hve-core.openvex.json | 63 ++++++++++++++++++++++++++++--
 1 file changed, 60 insertions(+), 3 deletions(-)

diff --git a/security/vex/hve-core.openvex.json b/security/vex/hve-core.openvex.json
index 60dfd4c..df793b0 100644
--- a/security/vex/hve-core.openvex.json
+++ b/security/vex/hve-core.openvex.json
@@ -1,9 +1,66 @@
 {
   "@context": "https://openvex.dev/ns/v0.2.0",
-  "@id": "https://github.com/microsoft/hve-core/security/vex/2026-06-19",
+  "@id": "https://github.com/microsoft/hve-core/security/vex/2026-06-30",
   "author": "Microsoft HVE Core Maintainers",
   "timestamp": "2026-06-19T00:00:00Z",
-  "version": 2,
+  "last_updated": "2
... (truncated)
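Review bot: the hunk replaces the document "@id" (…/vex/2026-06-19 becomes …/vex/2026-06-30) while the commit message describes the result as version 3 of the same document; under OpenVEX the "@id" is the document's identity, so a consumer that correlates documents by "@id" will see a brand-new document rather than an update of the existing one, and the reviewer should confirm the "document mutation contract" really intends a per-date identifier instead of a stable "@id" with "version" and "last_updated" carrying the change. The preview is also cut off after the `+  "last_updated": "2` line, so neither the `"version": 3` that must replace the deleted `"version": 2` nor the two new statements' status, justification and impact_statement fields are visible here; validate the full 109-line diff, not this preview, before approving.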

Labels: agentic-workflows, automated (Issues and PRs created or updated by automation), needs-triage (Requires triage and prioritization), security (Security-related changes or concerns)