Closes #2283 (once human reviewer approves and merges)

Summary

Drafts not_affected VEX statements for two Medium/High-severity vulnerabilities in transformers@4.57.6 detected in scripts/evals/moderation/uv.lock. Both vulnerable code paths are provably unreachable from the moderation inference pipeline.

Caution: This PR is an AI-assisted draft. Every not_affected determination must be independently validated by a CODEOWNERS-required human reviewer before merging. The merge commit author is the accountable author of record.

Evidence Checklist

- Code citations provided (file path and line range for reachability evidence per CVE)
- Vulnerability details included (CVE ID, advisory URL, CVSS score per CVE)
- Reachability analysis completed (import path traced, dead code confirmed, or mitigation identified)
- Licensing compliance verified (data sourced from CC0/public domain sources; GHSA prose not quoted)

CVE Assessments

CVE-2026-1839 (GHSA-69w3-r845-3855)

VEX Status (one of): not_affected, affected, under_investigation, fixed

Confidence Band (one of):
- High: not_affected (vulnerable symbol provably unreachable)
- High: affected (vulnerable symbol on a reachable execution path)
- Medium (symbol reachable in some configurations but ambiguous)
- Low (cannot determine reachability)
- Vendor-disputed (OSV/NVD shows dispute or CVSS < 4.0 with no known exploit)

Impact Statement:
The vulnerability resides in Trainer._load_rng_state() (src/transformers/trainer.py), a method in the model fine-tuning code path that calls torch.load() without weights_only=True on PyTorch 2.2–2.5. The hve-core moderation component (scripts/evals/moderation/moderate.py) performs toxicity classification inference only — it imports detoxify.Detoxify and calls model.predict(). The transformers.Trainer class is never imported or invoked in any code path reachable from moderate.py.

Evidence:
- scripts/evals/moderation/moderate.py:112–118: sole transformers usage is from detoxify import Detoxify
- Detoxify v0.5.2 source (get_model_and_tokenizer): uses getattr(transformers, model_name) where model_name resolves to BERT/ALBERT sequence-classification variants; no Trainer import anywhere in the call chain

CVE-2025-14929 (PYSEC-2025-217)

VEX Status (one of): not_affected, affected, under_investigation, fixed

Confidence Band (one of):
- High: not_affected (vulnerable symbol provably unreachable)
- High: affected (vulnerable symbol on a reachable execution path)
- Medium (symbol reachable in some configurations but ambiguous)
- Low (cannot determine reachability)
- Vendor-disputed (OSV/NVD shows dispute or CVSS < 4.0 with no known exploit)

Impact Statement:
The vulnerability is in the X-CLIP model checkpoint conversion utility (transformers.models.x_clip), where deserialization of untrusted data can lead to arbitrary code execution. X-CLIP is a video-language model family; the hve-core moderation component uses detoxify.Detoxify which loads BERT/ALBERT toxicity classification models. The X-CLIP module and its checkpoint conversion code are never imported or invoked in any code path reachable from scripts/evals/moderation/moderate.py.

Evidence:
- scripts/evals/moderation/moderate.py:112–118: sole transformers usage is from detoxify import Detoxify
- Detoxify v0.5.2 source (get_model_and_tokenizer): model_name resolves to e.g. AlbertForSequenceClassification; transformers.models.x_clip is outside the Detoxify call graph entirely

Additional Context

- Detection issue: VEX detection: untriaged vulnerabilities found #2283
- Vulnerable dependency: pkg:pypi/transformers@4.57.6 (transitive via detoxify==0.5.2)
- Lock file: scripts/evals/moderation/uv.lock
- Affected component: pkg:github/microsoft/hve-core#scripts/evals/moderation
- Both findings: vulnerable_code_not_in_execute_path — no call path from the inference pipeline reaches Trainer._load_rng_state() or transformers.models.x_clip

- Reviewed and validated by a qualified human reviewer
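The reachability evidence above rests on two observations: the only transformers usage reachable from moderate.py is the Detoxify import, and Detoxify reaches transformers through getattr(transformers, model_name), which no static tool can resolve on its own. The script below is an added example (not code from hve-core or Detoxify) showing how a reviewer can mechanise the first observation and surface the second for manual inspection: it walks the in-tree import graph from an entry module, reports any import of a denied module or symbol, and lists every getattr(transformers, ...) site. The two source trees it analyses are constructed stand-ins that mimic the shape of moderate.py and detoxify's get_model_and_tokenizer; the second tree adds a fine-tuning helper to show the check flipping to a hit.

```python
"""Static check that a VEX not_affected reachability claim holds.

Added example, not code from the hve-core repository or from Detoxify. It walks
the in-tree import graph from an entry module and reports (a) any import of a
module or symbol on a deny list and (b) getattr(<package>, ...) calls, which
static analysis cannot resolve and a reviewer must inspect by hand. Both source
trees below are constructed for the demo and are not the real code.
"""
import ast
import os
import tempfile
from typing import Dict, List, Set, Tuple

INFERENCE_TREE: Dict[str, str] = {
    "moderate.py": "from detoxify import Detoxify\n"
                   "model = Detoxify('original')\n"
                   "print(model.predict('some text'))\n",
    "detoxify/__init__.py": "from detoxify.detoxify import Detoxify\n",
    "detoxify/detoxify.py": "import transformers\n"
                            "def get_model_and_tokenizer(model_name):\n"
                            "    return getattr(transformers, model_name)\n"
                            "class Detoxify:\n"
                            "    def __init__(self, model_type):\n"
                            "        self.model = get_model_and_tokenizer('AlbertForSequenceClassification')\n"
                            "    def predict(self, text):\n"
                            "        return {}\n",
}
# Same tree plus a constructed fine-tuning helper: the kind of change that flips the verdict.
FINETUNE_TREE: Dict[str, str] = dict(INFERENCE_TREE)
FINETUNE_TREE["moderate.py"] = INFERENCE_TREE["moderate.py"] + "from train_utils import finetune\n"
FINETUNE_TREE["train_utils.py"] = "from transformers import Trainer\ndef finetune():\n    return Trainer\n"

# Locations named in the VEX draft: module paths or dotted symbol names that must stay unreachable.
FORBIDDEN: Set[str] = {"transformers.trainer", "transformers.Trainer", "transformers.models.x_clip"}
WATCHED_PACKAGE = "transformers"


def _module_path(root: str, dotted: str) -> str:
    """File for a dotted module name inside root, or '' when it is third-party (not followed)."""
    base = os.path.join(root, *dotted.split("."))
    for candidate in (base + ".py", os.path.join(base, "__init__.py")):
        if os.path.isfile(candidate):
            return candidate
    return ""


def _imports_of(tree: ast.Module) -> Set[str]:
    """Fully qualified names a module imports: 'pkg.mod' and 'pkg.mod.symbol' for from-imports."""
    names: Set[str] = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            names.update(alias.name for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            names.add(node.module)
            names.update(f"{node.module}.{alias.name}" for alias in node.names)
    return names


def _dynamic_accesses(tree: ast.Module, package: str) -> List[int]:
    """Line numbers of getattr(<package>, ...) calls, which the static walk cannot resolve."""
    return [node.lineno for node in ast.walk(tree)
            if isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
            and node.func.id == "getattr" and node.args
            and isinstance(node.args[0], ast.Name) and node.args[0].id == package]


def check_reachability(root: str, entry: str, forbidden: Set[str]) -> Tuple[Set[str], Dict[str, List[int]]]:
    """Walk in-tree imports from entry; return (forbidden names hit, dynamic access sites by file)."""
    seen: Set[str] = set()
    hits: Set[str] = set()
    dynamic: Dict[str, List[int]] = {}
    stack = [os.path.join(root, entry)]
    while stack:
        path = stack.pop()
        if path in seen:
            continue
        seen.add(path)
        with open(path, encoding="utf-8") as fh:
            tree = ast.parse(fh.read(), filename=path)
        imported = _imports_of(tree)
        hits |= {n for n in imported if n in forbidden or any(n.startswith(f + ".") for f in forbidden)}
        sites = _dynamic_accesses(tree, WATCHED_PACKAGE)
        if sites:
            dynamic[os.path.relpath(path, root).replace(os.sep, "/")] = sites
        stack.extend(target for target in map(lambda n: _module_path(root, n), imported) if target)
    return hits, dynamic


def run_demo(tree: Dict[str, str]) -> Tuple[Set[str], Dict[str, List[int]]]:
    """Materialise a constructed tree in a temp dir and check reachability from moderate.py."""
    with tempfile.TemporaryDirectory() as root:
        for rel, src in tree.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as fh:
                fh.write(src)
        return check_reachability(root, "moderate.py", FORBIDDEN)


if __name__ == "__main__":
    for label, sample in (("inference only", INFERENCE_TREE), ("with fine-tuning", FINETUNE_TREE)):
        hits, dynamic = run_demo(sample)
        print(f"{label}: forbidden={sorted(hits) or 'none'} dynamic_access={dynamic}")
```

The walk deliberately stops at third-party packages, so it proves only that the project's own code never names the forbidden modules; the getattr sites it lists are where the reviewer has to read the dependency's source, exactly as the Detoxify v0.5.2 citation above does.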
This was originally intended as a pull request, but GitHub Actions is not permitted to create or approve pull requests in this repository.
The changes have been pushed to branch vex/draft-2026-06-30-14a8ac251f9120b1.
To fix the permissions issue, go to Settings → Actions → General and enable Allow GitHub Actions to create and approve pull requests. See also: gh-aw FAQ
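The patch below edits security/vex/hve-core.openvex.json by hand-crafted JSON, and the preview truncates before the statement bodies, so the human reviewer has to confirm the document's structure on the branch. The following is an added example, not hve-core's VEX Generator agent or its openvex.json: it assembles an OpenVEX v0.2.0 document carrying the two not_affected statements this PR describes and checks the rules a reviewer would otherwise eyeball (required fields, the status and justification enumerations, RFC 3339 timestamps, and the rule that a not_affected statement needs a justification or impact_statement). Treating the hve-core component as the product with transformers as a subcomponent, and using the NVD URL form for the vulnerability @id, are this example's choices, not something the PR states.

```python
"""Validate a drafted OpenVEX v0.2.0 document before it is merged.

Added example, not hve-core's VEX Generator or its hve-core.openvex.json. The
product/subcomponent layout and the NVD URL form are this example's choices.
"""
import json
from datetime import datetime
from typing import Any, Dict, List

CONTEXT = "https://openvex.dev/ns/v0.2.0"
STATUSES = {"not_affected", "affected", "fixed", "under_investigation"}
JUSTIFICATIONS = {
    "component_not_present",
    "vulnerable_code_not_present",
    "vulnerable_code_not_in_execute_path",
    "vulnerable_code_cannot_be_controlled_by_adversary",
    "inline_mitigations_already_exist",
}
PRODUCT = "pkg:github/microsoft/hve-core#scripts/evals/moderation"
DEPENDENCY = "pkg:pypi/transformers@4.57.6"


def not_affected_statement(cve: str, impact: str, notes: str) -> Dict[str, Any]:
    """One not_affected statement with the justification this PR uses."""
    return {
        "vulnerability": {"@id": f"https://nvd.nist.gov/vuln/detail/{cve}", "name": cve},
        "products": [{"@id": PRODUCT, "subcomponents": [{"@id": DEPENDENCY}]}],
        "status": "not_affected",
        "justification": "vulnerable_code_not_in_execute_path",
        "impact_statement": impact,
        "status_notes": notes,
    }


def build_document(version: int, timestamp: str) -> Dict[str, Any]:
    """Document with the two statements this PR drafts; evidence text condensed from the PR body."""
    return {
        "@context": CONTEXT,
        "@id": f"https://github.com/microsoft/hve-core/security/vex/{timestamp[:10]}",
        "author": "Microsoft HVE Core Maintainers",
        "timestamp": timestamp,
        "last_updated": timestamp,
        "version": version,
        "statements": [
            not_affected_statement(
                "CVE-2026-1839",
                "Trainer._load_rng_state() is fine-tuning code; the moderation pipeline only runs Detoxify inference.",
                "scripts/evals/moderation/moderate.py:112-118 imports only detoxify.Detoxify; no Trainer in the call chain.",
            ),
            not_affected_statement(
                "CVE-2025-14929",
                "transformers.models.x_clip checkpoint conversion is outside the BERT/ALBERT call graph Detoxify uses.",
                "Detoxify v0.5.2 get_model_and_tokenizer resolves sequence-classification classes only.",
            ),
        ],
    }


def _rfc3339(value: Any) -> bool:
    """Accept RFC 3339 timestamps; fromisoformat needs the trailing Z spelled as an offset."""
    if not isinstance(value, str):
        return False
    try:
        datetime.fromisoformat(value.replace("Z", "+00:00"))
        return True
    except ValueError:
        return False


def validate(doc: Dict[str, Any]) -> List[str]:
    """Return the problems found; an empty list means the document passes."""
    problems: List[str] = []
    for field in ("@context", "@id", "author", "timestamp", "version", "statements"):
        if field not in doc:
            problems.append(f"document: missing {field}")
    if doc.get("@context") != CONTEXT:
        problems.append(f"document: unexpected @context {doc.get('@context')!r}")
    if not isinstance(doc.get("version"), int) or doc["version"] < 1:
        problems.append("document: version must be a positive integer")
    for key in ("timestamp", "last_updated"):
        if key in doc and not _rfc3339(doc[key]):
            problems.append(f"document: {key} is not RFC 3339")
    for i, st in enumerate(doc.get("statements", [])):
        where = f"statements[{i}]"
        vuln = st.get("vulnerability") or {}
        if not (vuln.get("@id") or vuln.get("name")):
            problems.append(f"{where}: vulnerability needs @id or name")
        if not st.get("products"):
            problems.append(f"{where}: at least one product is required")
        status = st.get("status")
        if status not in STATUSES:
            problems.append(f"{where}: invalid status {status!r}")
        elif status == "not_affected":
            if not (st.get("justification") or st.get("impact_statement")):
                problems.append(f"{where}: not_affected needs a justification or impact_statement")
            if "justification" in st and st["justification"] not in JUSTIFICATIONS:
                problems.append(f"{where}: unknown justification {st['justification']!r}")
        elif status == "affected" and not st.get("action_statement"):
            problems.append(f"{where}: affected statements should carry an action_statement")
    return problems


if __name__ == "__main__":
    draft = build_document(version=3, timestamp="2026-06-30T21:06:00Z")
    print(json.dumps(draft, indent=2))
    print("problems:", validate(draft) or "none")
```

Running validate() over the checked-in JSON in CI catches the structural slips (a typo in a justification value, a dropped impact_statement, a malformed timestamp) that a hand-edited VEX file accumulates; it says nothing about whether the reachability claim itself is true, which remains the CODEOWNERS reviewer's job.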
Patch preview (105 of 105 lines):
From dd27654819facac132fe704b979aba8945dfc55b Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <github-actions[bot]@users.noreply.github.com>
Date: Tue, 30 Jun 2026 21:11:15 +0000
Subject: [PATCH] feat(security): draft VEX status for CVE-2026-1839 and
CVE-2025-14929
Draft not_affected statements for two transformers@4.57.6 vulnerabilities
detected in scripts/evals/moderation/uv.lock. Both vulnerable code paths
are unreachable from the moderation inference pipeline.
- CVE-2026-1839 (GHSA-69w3-r845-3855): Trainer._load_rng_state() is a
fine-tuning code path never invoked by detoxify.Detoxify inference.
- CVE-2025-14929 (PYSEC-2025-217): X-CLIP checkpoint conversion is outside
the BERT/ALBERT call graph used by Detoxify v0.5.2.
Justification: vulnerable_code_not_in_execute_path (High confidence).
Evidence cited in status_notes; requires CODEOWNERS human review before merge.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
security/vex/hve-core.openvex.json | 68 ++++++++++++++++++++++++++++--
1 file changed, 64 insertions(+), 4 deletions(-)
diff --git a/security/vex/hve-core.openvex.json b/security/vex/hve-core.openvex.json
index 60dfd4c..4c2091d 100644
--- a/security/vex/hve-core.openvex.json+++ b/security/vex/hve-core.openvex.json@@ -1,9 +1,69 @@
{
"@context": "https://openvex.dev/ns/v0.2.0",
- "@id": "https://github.com/microsoft/hve-core/security/vex/2026-06-19",+ "@id": "https://github.com/microsoft/hve-core/security/vex/2026-06-30",
"author": "Microsoft HVE Core Maintainers",
- "timestamp": "2026-06-19T00:00:00Z",- "version": 2,+ "timestamp": "2026-06-30T21:06:00Z",+ "last_updated": "2026-06-30T21:06:00Z",+ "version": 3,
"tooling": "Maintained via the hve-core VEX Generator agent (AI-assisted drafting) with human review and merge; published and Sigstore-attested by the release-stable.yml workflow.",
- "statements": []+ "statements": [+ {+ "vulnerability": {+ "@id": "https://nvd.ni
... (truncated)
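Review bot: the preview cuts off the new "statements" array right after the first vulnerability "@id", so the status, justification, impact_statement and status_notes that the PR body promises for CVE-2026-1839 and CVE-2025-14929 cannot be checked from this hunk; the reviewer needs to open security/vex/hve-core.openvex.json on branch vex/draft-2026-06-30-14a8ac251f9120b1 before approving. In the visible header, "@id" moves from .../security/vex/2026-06-19 to .../security/vex/2026-06-30 while "version" goes from 2 to 3 and "last_updated" is added: if this is an update to the existing document the "@id" should stay the same, and if it is meant as a new document the version should not continue the old counter; state which convention the generator follows so consumers can correlate revisions.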