
VEX: draft status for untriaged findings #2302

Description

@github-actions

Closes #2283 (once human reviewer approves and merges)

Summary

Drafts not_affected VEX statements for two Medium/High-severity vulnerabilities in transformers@4.57.6 detected in scripts/evals/moderation/uv.lock. Both vulnerable code paths are provably unreachable from the moderation inference pipeline.

CVE             Aliases              CVSS          Drafted status  Confidence
CVE-2026-1839   GHSA-69w3-r845-3855  6.5 (Medium)  not_affected    High
CVE-2025-14929  PYSEC-2025-217       7.8 (High)    not_affected    High

Caution

This PR is an AI-assisted draft. Every not_affected determination must be independently validated by a CODEOWNERS-required human reviewer before merging. The merge commit author is the accountable author of record.

Evidence Checklist

  • Code citations provided (file path and line range for reachability evidence per CVE)
  • Vulnerability details included (CVE ID, advisory URL, CVSS score per CVE)
  • Reachability analysis completed (import path traced, dead code confirmed, or mitigation identified)
  • Licensing compliance verified (data sourced from CC0/public domain sources; GHSA prose not quoted)

CVE Assessments

CVE-2026-1839 (GHSA-69w3-r845-3855)

VEX Status:

  • not_affected
  • affected
  • under_investigation
  • fixed

Confidence Band:

  • High: not_affected (vulnerable symbol provably unreachable)
  • High: affected (vulnerable symbol on a reachable execution path)
  • Medium (symbol reachable in some configurations but ambiguous)
  • Low (cannot determine reachability)
  • Vendor-disputed (OSV/NVD shows dispute or CVSS < 4.0 with no known exploit)

Impact Statement:

The vulnerability resides in Trainer._load_rng_state() (src/transformers/trainer.py), a method in the model fine-tuning code path that calls torch.load() without weights_only=True on PyTorch 2.2–2.5. The hve-core moderation component (scripts/evals/moderation/moderate.py) performs toxicity classification inference only — it imports detoxify.Detoxify and calls model.predict(). The transformers.Trainer class is never imported or invoked in any code path reachable from moderate.py.

Evidence:

  • scripts/evals/moderation/moderate.py:112–118: sole transformers usage is from detoxify import Detoxify
  • Detoxify v0.5.2 source (get_model_and_tokenizer): uses getattr(transformers, model_name) where model_name resolves to BERT/ALBERT sequence-classification variants; no Trainer import anywhere in the call chain
  • Fix commit: huggingface/transformers@03c8082 confirms the vulnerable symbol is Trainer._load_rng_state()
  • Advisory: GHSA-69w3-r845-3855

CVE-2025-14929 (PYSEC-2025-217)

VEX Status:

  • not_affected
  • affected
  • under_investigation
  • fixed

Confidence Band:

  • High: not_affected (vulnerable symbol provably unreachable)
  • High: affected (vulnerable symbol on a reachable execution path)
  • Medium (symbol reachable in some configurations but ambiguous)
  • Low (cannot determine reachability)
  • Vendor-disputed (OSV/NVD shows dispute or CVSS < 4.0 with no known exploit)

Impact Statement:

The vulnerability is in the X-CLIP model checkpoint conversion utility (transformers.models.x_clip), where deserialization of untrusted data can lead to arbitrary code execution. X-CLIP is a video-language model family; the hve-core moderation component uses detoxify.Detoxify which loads BERT/ALBERT toxicity classification models. The X-CLIP module and its checkpoint conversion code are never imported or invoked in any code path reachable from scripts/evals/moderation/moderate.py.

Evidence:

  • scripts/evals/moderation/moderate.py:112–118: sole transformers usage is from detoxify import Detoxify
  • Detoxify v0.5.2 source (get_model_and_tokenizer): model_name resolves to e.g. AlbertForSequenceClassification; transformers.models.x_clip is outside the Detoxify call graph entirely
  • Advisory: (www.zerodayinitiative.com/redacted) (PYSEC-2025-217 source)
  • OSV record: https://osv.dev/vulnerability/PYSEC-2025-217

Additional Context

  • Detection issue: VEX detection: untriaged vulnerabilities found #2283

  • Vulnerable dependency: pkg:pypi/transformers@4.57.6 (transitive via detoxify==0.5.2)

  • Lock file: scripts/evals/moderation/uv.lock

  • Affected component: pkg:github/microsoft/hve-core#scripts/evals/moderation

  • Both findings: vulnerable_code_not_in_execute_path — no call path from the inference pipeline reaches Trainer._load_rng_state() or transformers.models.x_clip

  • Reviewed and validated by a qualified human reviewer
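Added example, not hve-core's own tooling: how the two not_affected statements above would be assembled and sanity-checked against the OpenVEX v0.2.0 rules a reviewer otherwise confirms by hand (a not_affected statement must carry a justification or an impact_statement, an affected one an action_statement). CVE ids, aliases, purls and the justification come from this draft; the exact field layout of the truncated patch is an assumption.

```python
"""Draft and sanity-check OpenVEX not_affected statements. Added example, not
hve-core's own tooling; ids, purls and justification come from the draft above,
the field layout follows OpenVEX v0.2.0 (parity with the truncated patch assumed)."""

STATUSES = {"not_affected", "affected", "fixed", "under_investigation"}
JUSTIFICATIONS = {  # OpenVEX v0.2.0 justification vocabulary
    "component_not_present", "vulnerable_code_not_present",
    "vulnerable_code_not_in_execute_path",
    "vulnerable_code_cannot_be_controlled_by_adversary",
    "inline_mitigations_already_exist"}
PRODUCT = "pkg:github/microsoft/hve-core#scripts/evals/moderation"
SUBCOMPONENT = "pkg:pypi/transformers@4.57.6"  # transitive via detoxify==0.5.2

def not_affected(cve, aliases, impact):
    """Statement asserting the vulnerable symbol is unreachable from PRODUCT."""
    return {"vulnerability": {"name": cve, "aliases": aliases},
            "products": [{"@id": PRODUCT, "subcomponents": [{"@id": SUBCOMPONENT}]}],
            "status": "not_affected",
            "justification": "vulnerable_code_not_in_execute_path",
            "impact_statement": impact}

def check(stmt):
    """Return the OpenVEX rules a statement violates (empty list = well-formed)."""
    problems, status = [], stmt.get("status")
    if status not in STATUSES:
        problems.append("unknown status %r" % status)
    if status == "not_affected":  # spec: justification or impact_statement required
        just = stmt.get("justification")
        if just is not None and just not in JUSTIFICATIONS:
            problems.append("unknown justification %r" % just)
        if just is None and not stmt.get("impact_statement"):
            problems.append("not_affected needs justification or impact_statement")
    if status == "affected" and not stmt.get("action_statement"):
        problems.append("affected needs action_statement")
    return problems

def document(version, statements):
    """Assemble the document, refusing any statement that fails check()."""
    bad = [(s.get("vulnerability"), check(s)) for s in statements if check(s)]
    if bad:
        raise ValueError(bad)
    return {"@context": "https://openvex.dev/ns/v0.2.0", "version": version,
            "statements": statements}

DRAFT = document(3, [  # version 3, as in the patch header
    not_affected("CVE-2026-1839", ["GHSA-69w3-r845-3855"],
                 "Trainer._load_rng_state() is fine-tuning code never reached by "
                 "detoxify.Detoxify inference."),
    not_affected("CVE-2025-14929", ["PYSEC-2025-217"],
                 "transformers.models.x_clip is outside the Detoxify call graph.")])
```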

Generated by VEX Drafting


Note

This was originally intended as a pull request, but GitHub Actions is not permitted to create or approve pull requests in this repository.
The changes have been pushed to branch vex/draft-2026-06-30-14a8ac251f9120b1.


To fix the permissions issue, go to Settings > Actions > General and enable "Allow GitHub Actions to create and approve pull requests". See also: gh-aw FAQ

Patch preview (105 lines):
From dd27654819facac132fe704b979aba8945dfc55b Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <github-actions[bot]@users.noreply.github.com>
Date: Tue, 30 Jun 2026 21:11:15 +0000
Subject: [PATCH] feat(security): draft VEX status for CVE-2026-1839 and
 CVE-2025-14929

Draft not_affected statements for two transformers@4.57.6 vulnerabilities
detected in scripts/evals/moderation/uv.lock. Both vulnerable code paths
are unreachable from the moderation inference pipeline.

- CVE-2026-1839 (GHSA-69w3-r845-3855): Trainer._load_rng_state() is a
  fine-tuning code path never invoked by detoxify.Detoxify inference.
- CVE-2025-14929 (PYSEC-2025-217): X-CLIP checkpoint conversion is outside
  the BERT/ALBERT call graph used by Detoxify v0.5.2.

Justification: vulnerable_code_not_in_execute_path (High confidence).
Evidence cited in status_notes; requires CODEOWNERS human review before merge.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 security/vex/hve-core.openvex.json | 68 ++++++++++++++++++++++++++++--
 1 file changed, 64 insertions(+), 4 deletions(-)

diff --git a/security/vex/hve-core.openvex.json b/security/vex/hve-core.openvex.json
index 60dfd4c..4c2091d 100644
--- a/security/vex/hve-core.openvex.json
+++ b/security/vex/hve-core.openvex.json
@@ -1,9 +1,69 @@
 {
   "@context": "https://openvex.dev/ns/v0.2.0",
-  "@id": "https://github.com/microsoft/hve-core/security/vex/2026-06-19",
+  "@id": "https://github.com/microsoft/hve-core/security/vex/2026-06-30",
   "author": "Microsoft HVE Core Maintainers",
-  "timestamp": "2026-06-19T00:00:00Z",
-  "version": 2,
+  "timestamp": "2026-06-30T21:06:00Z",
+  "last_updated": "2026-06-30T21:06:00Z",
+  "version": 3,
   "tooling": "Maintained via the hve-core VEX Generator agent (AI-assisted drafting) with human review and merge; published and Sigstore-attested by the release-stable.yml workflow.",
-  "statements": []
+  "statements": [
+    {
+      "vulnerability": {
+        "@id": "https://nvd.ni
... (truncated)
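Review bot: the hunk changes the document "@id" from .../security/vex/2026-06-19 to .../security/vex/2026-06-30 while also bumping "version" from 2 to 3; in OpenVEX the version counter tracks revisions of one document identified by its "@id", so a consumer keyed on the identifier cannot relate version 3 to version 2. Either keep the "@id" stable and bump the version, or treat the new "@id" as a new document starting at version 1. The "statements" array is truncated in the preview, so the reviewer should also confirm each statement carries the "justification": "vulnerable_code_not_in_execute_path" and the "status_notes" evidence the commit message cites.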
