Drafts not_affected VEX status for 2 untriaged transformers@4.57.6 vulnerabilities detected in scripts/evals/moderation (closes-related: #2283). Both determinations are High confidence and require independent human validation before merge. The merge commit author is the accountable author of record.
Caution
This PR is an AI-assisted draft only. Every not_affected determination must be independently validated by a CODEOWNERS-required human reviewer before merging. This output does not constitute security approval or compliance sign-off.
Summary
Two vulnerabilities in transformers@4.57.6 (a dependency of hve-core-moderation@1.0.0 via detoxify==0.5.2) were triaged against the scripts/evals/moderation/moderate.py code path. Both affect checkpoint-loading or training code paths that the moderation tooling — which is inference-only and uses the Detoxify API exclusively — does not reach.
CVE Assessments
CVE-2026-1839
Drafted Status: not_affected / vulnerable_code_not_in_execute_path
Drafted Confidence Band: High: not_affected
Advisory: GHSA-69w3-r845-3855
CVSS: 6.5 — CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:H
CWE: CWE-502 (Deserialization of Untrusted Data)
Vulnerable symbol: Trainer._load_rng_state() in src/transformers/trainer.py:3059
Attack surface: Requires calling Trainer during a training run with a malicious rng_state.pth checkpoint supplied by an attacker.
Fix available: transformers >= 5.0.0rc3 (outside the <5 constraint in pyproject.toml)
Reachability analysis: scripts/evals/moderation/moderate.py is the sole entry point. Its complete import and execution path:
Line 113: from detoxify import Detoxify — imports Detoxify's inference wrapper only
Line 118: model = Detoxify(model_name) — instantiates a pretrained toxicity classifier
Line 126: scores = model.predict(text) — calls inference; no training code is invoked
No import of transformers.Trainer or any transformers.trainer module exists in moderate.py or in detoxify==0.5.2's published API. The Trainer class is exclusively a fine-tuning/training utility and is not part of the inference stack used by Detoxify. scripts/evals/moderation/pip-audit-known-vulnerabilities.txt:18 independently confirms: "The moderation tooling does not use the Trainer class."
Impact Statement:
The vulnerable symbol Trainer._load_rng_state() is not reachable from the moderation tooling. No training or checkpoint-loading is performed; the tool is inference-only.
PYSEC-2025-217 (CVE-2025-14929)
Drafted Status: not_affected / vulnerable_code_not_in_execute_path
Drafted Confidence Band: High: not_affected
VEX status options (template): not_affected, affected, under_investigation, fixed
Confidence bands (template):
High: not_affected (vulnerable symbol provably unreachable)
High: affected (vulnerable symbol on a reachable execution path)
Medium (symbol reachable in some configurations but ambiguous)
Low (cannot determine reachability)
Vendor-disputed (OSV/NVD shows dispute or CVSS < 4.0 with no known exploit)
Advisory: (www.zerodayinitiative.com/redacted)
CVSS: 7.8 — CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Vulnerable symbol: X-CLIP checkpoint conversion deserialization (ZDI-CAN-28308)
Attack surface: Requires the user to open a malicious checkpoint file during X-CLIP model format conversion.
Fix available: None in the 4.x line (last_affected: 5.0.0-rc0 per OSV)
Reachability analysis: scripts/evals/moderation/moderate.py is the sole entry point:
Line 113: from detoxify import Detoxify — imports Detoxify's inference wrapper only
Line 118: model = Detoxify(model_name) — loads BERT/XLM-R toxicity classifier weights
Line 126: scores = model.predict(text) — performs toxicity inference
Detoxify==0.5.2 uses AutoModelForSequenceClassification.from_pretrained() to load pretrained BERT/XLM-R weights from the Hugging Face hub. It does not use X-CLIP models, nor does it invoke the X-CLIP checkpoint conversion script (convert_x_clip_original_pytorch_to_hf.py), which is a standalone migration utility requiring explicit invocation. scripts/evals/moderation/pip-audit-known-vulnerabilities.txt:14 independently confirms: "The moderation tooling never converts untrusted checkpoints."
Impact Statement:
The X-CLIP checkpoint conversion code path is not reachable from the moderation tooling. Only Detoxify's BERT/XLM-R inference pipeline is exercised; no checkpoint conversion is performed.
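Both reachability analyses above rest on the same kind of evidence: no syntactic route from the entry script to the vulnerable symbol. The following is an added example (not code from hve-core, and not how the PR's triage was actually produced) of a static first-hop check for that evidence. It walks a file's AST and reports every way `transformers.Trainer` could enter scope: `from transformers import Trainer`, any import from `transformers.trainer`, `import transformers.trainer`, and attribute access through a bound module name or alias. The two inputs are constructed stand-ins: one mirrors the three moderate.py lines quoted in the PR, the other is what a script that does reach `Trainer` would look like. The `triage()` mapping onto the draft status vocabulary is this example's own simplification.

```python
from __future__ import annotations

import ast


def _dotted_name(node: ast.AST) -> str | None:
    """Flatten an `a.b.c` chain of Attribute nodes into 'a.b.c'.

    Returns None for anything that is not a plain Name/Attribute chain
    (for example a call result such as `f().attr`)."""
    parts: list[str] = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if not isinstance(node, ast.Name):
        return None
    parts.append(node.id)
    return ".".join(reversed(parts))


def find_symbol_references(source: str, module: str, symbol: str, submodule: str) -> list[str]:
    """Report every syntactic route by which `symbol` (defined in `submodule`,
    re-exported from `module`) can enter scope in `source`.

    An empty result is the per-file evidence behind a
    not_affected / vulnerable_code_not_in_execute_path statement. It is only
    the first hop: the same scan must be repeated over every dependency the
    file does import (here, detoxify) before the symbol can be called
    unreachable."""
    tree = ast.parse(source)
    findings: list[str] = []
    bound_modules: set[str] = set()  # local names that refer to `module` or `submodule`

    # Pass 1: imports. Collected first so that the attribute checks in pass 2
    # see aliases regardless of where the import statement sits in the file.
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                top = alias.name.split(".")[0]
                if top != module:
                    continue
                bound_modules.add(alias.asname or top)
                if alias.name == submodule or alias.name.startswith(submodule + "."):
                    findings.append(f"line {node.lineno}: import {alias.name} (vulnerable module imported)")
        elif isinstance(node, ast.ImportFrom):
            mod = node.module or ""
            for alias in node.names:
                if mod == module and alias.name == symbol:
                    findings.append(f"line {node.lineno}: from {mod} import {alias.name} (symbol imported)")
                elif f"{mod}.{alias.name}" == submodule or mod == submodule or mod.startswith(submodule + "."):
                    # `from transformers import trainer` binds the submodule itself
                    bound_modules.add(alias.asname or alias.name)
                    findings.append(f"line {node.lineno}: from {mod} import {alias.name} (vulnerable module imported)")

    # Pass 2: attribute access such as `transformers.Trainer(...)`.
    for node in ast.walk(tree):
        if not isinstance(node, ast.Attribute):
            continue
        dotted = _dotted_name(node)
        if dotted is None:
            continue
        base, _, rest = dotted.partition(".")
        if base in bound_modules and rest.split(".")[-1] == symbol:
            findings.append(f"line {node.lineno}: attribute access {dotted}")
    return findings


# Constructed stand-ins, not the repository's files.
INFERENCE_SCRIPT = """\
from detoxify import Detoxify

model = Detoxify("original")
scores = model.predict("some text to score")
"""

TRAINING_SCRIPT = """\
import transformers
from transformers import Trainer, TrainingArguments

trainer = transformers.Trainer(model=None, args=TrainingArguments("out"))
trainer.train(resume_from_checkpoint="checkpoint-100")  # would load rng_state.pth
"""


def triage(source: str) -> tuple[str, list[str]]:
    """Map the scan result onto the draft status vocabulary used in the PR.

    A hit means the symbol is syntactically reachable and the file needs a
    human to confirm the execution path; no hit is the not_affected evidence."""
    hits = find_symbol_references(source, "transformers", "Trainer", "transformers.trainer")
    return ("affected" if hits else "not_affected", hits)


if __name__ == "__main__":
    for name, src in [("inference", INFERENCE_SCRIPT), ("training", TRAINING_SCRIPT)]:
        status, hits = triage(src)
        print(f"{name}: {status}")
        for hit in hits:
            print("   ", hit)
```

The check is deliberately syntactic: it cannot see `importlib` or `getattr` tricks, and it does not follow the dependency graph by itself, which is why the PR also cites detoxify's published API and the suppression file as independent evidence.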
Additional Context
Scan source: OSV-Scanner on scripts/evals/moderation/uv.lock
Pre-existing suppression file: scripts/evals/moderation/pip-audit-known-vulnerabilities.txt (lists both CVEs with rationale, consistent with this triage)
Document mutation: version 2 → 3, @id updated to 2026-06-30, last_updated set to 2026-06-30T19:11:13Z; original timestamp (2026-06-19) preserved per first-issuance rule
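The mutation contract (version bumped, @id regenerated, last_updated set, first-issuance timestamp preserved) and the shape of a not_affected OpenVEX statement are shown below as an added example. This is not hve-core's tooling: the document is a constructed stand-in whose top-level fields match those visible in the patch preview, with an empty statements list because the preview does not show the existing statements; the purls, and the rule that a not_affected statement must carry both a justification and an impact_statement, are this example's assumptions.

```python
import copy
import json

OPENVEX_CONTEXT = "https://openvex.dev/ns/v0.2.0"

# Justification values OpenVEX defines for not_affected statements.
NOT_AFFECTED_JUSTIFICATIONS = frozenset({
    "component_not_present",
    "vulnerable_code_not_present",
    "vulnerable_code_not_in_execute_path",
    "vulnerable_code_cannot_be_controlled_by_adversary",
    "inline_mitigations_already_exist",
})

# Constructed stand-in for security/vex/hve-core.openvex.json (not the real file).
ORIGINAL_DOC = {
    "@context": OPENVEX_CONTEXT,
    "@id": "https://github.com/microsoft/hve-core/security/vex/2026-06-19",
    "author": "Microsoft HVE Core Maintainers",
    "timestamp": "2026-06-19T00:00:00Z",
    "version": 2,
    "statements": [],
}

# Assumed package URLs for the product and the subcomponent the advisories name.
PRODUCT_PURL = "pkg:pypi/hve-core-moderation@1.0.0"
TRANSFORMERS_PURL = "pkg:pypi/transformers@4.57.6"


def not_affected_statement(vuln: str, aliases: list[str], justification: str,
                           impact: str, timestamp: str) -> dict:
    """Build one OpenVEX not_affected statement for the product/subcomponent pair.

    This example requires both a recognised justification and a non-empty
    impact_statement, mirroring the PR's per-CVE layout."""
    if justification not in NOT_AFFECTED_JUSTIFICATIONS:
        raise ValueError(f"unknown not_affected justification: {justification}")
    if not impact.strip():
        raise ValueError("impact_statement must not be empty")
    return {
        "vulnerability": {"name": vuln, "aliases": list(aliases)},
        "products": [{"@id": PRODUCT_PURL, "subcomponents": [{"@id": TRANSFORMERS_PURL}]}],
        "status": "not_affected",
        "justification": justification,
        "impact_statement": impact,
        "timestamp": timestamp,
    }


def revise_document(doc: dict, new_id: str, last_updated: str, new_statements: list[dict]) -> dict:
    """Return a revised copy: version + 1, @id replaced, last_updated set,
    original timestamp untouched. The input document is not mutated."""
    if doc.get("@context") != OPENVEX_CONTEXT:
        raise ValueError("not an OpenVEX v0.2.0 document")
    if "timestamp" not in doc:
        raise ValueError("first-issuance timestamp missing; cannot preserve it")
    if new_id == doc.get("@id"):
        # Assumed rule for this example: two revisions must not share an @id.
        raise ValueError("regenerated @id must differ from the current @id")
    revised = copy.deepcopy(doc)
    revised["@id"] = new_id
    revised["version"] = int(doc.get("version", 1)) + 1
    revised["last_updated"] = last_updated
    revised.setdefault("statements", []).extend(copy.deepcopy(new_statements))
    return revised


def build_revised() -> dict:
    """Apply the contract with the values stated in the PR description."""
    now = "2026-06-30T19:11:13Z"
    statements = [
        not_affected_statement(
            "CVE-2026-1839", ["GHSA-69w3-r845-3855"], "vulnerable_code_not_in_execute_path",
            "The vulnerable symbol Trainer._load_rng_state() is not reachable from the "
            "moderation tooling. No training or checkpoint-loading is performed; the tool "
            "is inference-only.", now),
        not_affected_statement(
            "CVE-2025-14929", ["PYSEC-2025-217"], "vulnerable_code_not_in_execute_path",
            "The X-CLIP checkpoint conversion code path is not reachable from the moderation "
            "tooling. Only Detoxify's BERT/XLM-R inference pipeline is exercised; no "
            "checkpoint conversion is performed.", now),
    ]
    return revise_document(
        ORIGINAL_DOC, "https://github.com/microsoft/hve-core/security/vex/2026-06-30", now, statements)


if __name__ == "__main__":
    print(json.dumps(build_revised(), indent=2))
```

The `new_id == doc["@id"]` guard is the one check worth keeping even if the rest is replaced by a tool: a date-derived @id is only unique if at most one revision is issued per day.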
Note
This was originally intended as a pull request, but GitHub Actions is not permitted to create or approve pull requests in this repository.
The changes have been pushed to branch vex/draft-status-2026-06-30-9bc58ddab5fef6ad.
To fix the permissions issue, go to Settings → Actions → General and enable Allow GitHub Actions to create and approve pull requests. See also: gh-aw FAQ
Show patch preview (109 of 109 lines)
From abffc81c6e0470696626a34e5f97d1135811e369 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <github-actions[bot]@users.noreply.github.com>
Date: Tue, 30 Jun 2026 19:15:35 +0000
Subject: [PATCH] security(vex): draft not_affected status for CVE-2026-1839
and PYSEC-2025-217
Drafts VEX statements for two untriaged transformers@4.57.6 vulnerabilities
found in scripts/evals/moderation (issue #2283):
- CVE-2026-1839 (GHSA-69w3-r845-3855): Trainer._load_rng_state() RCE via
unsafe torch.load. Drafted not_affected / vulnerable_code_not_in_execute_path.
The moderation tooling imports only the Detoxify inference API and never
invokes transformers.Trainer or any training code path.
- PYSEC-2025-217 (CVE-2025-14929): X-CLIP checkpoint conversion RCE via
deserialization. Drafted not_affected / vulnerable_code_not_in_execute_path.
The moderation tooling uses BERT/XLM-R inference via Detoxify only; the
X-CLIP conversion script is never imported or invoked.
Document mutation contract applied: version bumped to 3, last_updated set to
2026-06-30T19:11:13Z, @id regenerated with today's date. Original timestamp
preserved (first issuance 2026-06-19).
Both determinations are High confidence and require human reviewer validation
before merge.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
security/vex/hve-core.openvex.json | 63 ++++++++++++++++++++++++++++--
1 file changed, 60 insertions(+), 3 deletions(-)
diff --git a/security/vex/hve-core.openvex.json b/security/vex/hve-core.openvex.json
index 60dfd4c..df793b0 100644
--- a/security/vex/hve-core.openvex.json+++ b/security/vex/hve-core.openvex.json@@ -1,9 +1,66 @@
{
"@context": "https://openvex.dev/ns/v0.2.0",
- "@id": "https://github.com/microsoft/hve-core/security/vex/2026-06-19",+ "@id": "https://github.com/microsoft/hve-core/security/vex/2026-06-30",
"author": "Microsoft HVE Core Maintainers",
"timestamp": "2026-06-19T00:00:00Z",
- "version": 2,+ "last_updated": "2
... (truncated)
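Review bot: the line `- "version": 2,` is replaced by one that begins `+ "last_updated": "2` and the preview is cut off before any `"version": 3` line appears, so the version bump the commit message promises is not visible in this hunk; confirm the key is re-added in the truncated remainder, since OpenVEX consumers rely on the integer `version` to order revisions of the same document. Separately, `@id` moves from `.../security/vex/2026-06-19` to `.../security/vex/2026-06-30`, i.e. it is derived from the calendar date alone, so a second revision pushed on the same day would reuse an `@id` while carrying a different `version` and `last_updated`; either keep `@id` stable across revisions and let `version`/`last_updated` carry the change, or fold the version (or a content hash) into the regenerated `@id`.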