We release patches for security vulnerabilities. The following versions are currently supported:
| Version | Supported |
|---|---|
| 1.x.x | β |
| < 1.0 | β |
Please do not report security vulnerabilities through public GitHub issues.
If you discover a security vulnerability, please report it via:
- GitHub Private Vulnerability Reporting
  - Go to the Security tab
  - Click "Report a vulnerability"
  - Fill in the details
- Email
  - Send details to the repository maintainers
  - Include "SECURITY" in the subject line
Please include the following information:
- Type of vulnerability
- Full paths of source file(s) related to the vulnerability
- Location of the affected source code (tag/branch/commit)
- Step-by-step instructions to reproduce the issue
- Proof-of-concept or exploit code (if possible)
- Impact of the issue, including how an attacker might exploit it
- Initial Response: We aim to acknowledge receipt within 48 hours
- Status Updates: We'll provide updates every 5 business days
- Fix Timeline: Critical issues will be patched within 7 days, others within 30 days
- Public Disclosure: We'll coordinate disclosure timing with you
- Security patches are released as soon as possible
- Critical vulnerabilities receive immediate attention
- All security updates are documented in this file
- Users are notified through GitHub releases and security advisories
Date: January 28, 2026
Issue: Deserialization of Untrusted Data vulnerability in HuggingFace Transformers library
Affected Versions:
- transformers >= 0, < 4.48.0
CVE Details:
- Vulnerability allows deserialization of untrusted data
- Could potentially lead to arbitrary code execution
Fix Applied:
- ✅ Updated `transformers` from `4.36.0` to `4.48.0` (patched version)
- ✅ Updated all documentation references
- ✅ Updated requirements-finetune.txt
- ✅ Added security notes in documentation
Files Updated:
- `requirements-finetune.txt`
- `finetune.md`
- `COLAB_QUICKSTART.md`
- `FINETUNE_README.md`
- `IMPLEMENTATION_SUMMARY.md`
Impact:
- No functionality changes
- All features continue to work as expected
- Security vulnerability patched
Action Required:
- Users should use `transformers==4.48.0` or later
- Do not downgrade to versions < 4.48.0
- Update any existing installations:

  ```bash
  pip install --upgrade transformers==4.48.0
  ```
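
To keep an old pin from creeping back in, a check like the following can run in CI against `requirements-finetune.txt`. It is an added example, not part of this project's code: the function names and the sample input are assumptions, and it compares only the numeric release part of each version (pre-release suffixes are ignored).

```python
"""Added example: flag requirement lines that still permit transformers < 4.48.0."""
import re

MIN_PATCHED = (4, 48, 0)  # first patched release named in the advisory above
LOWER_BOUND_OPS = {"==", "===", ">=", "~=", ">"}  # operators that exclude older releases

def parse_version(text):
    """Numeric release prefix as a tuple of at least 3 ints, e.g. '4.36' -> (4, 36, 0)."""
    match = re.match(r"\d+(?:\.\d+)*", text.strip())
    if match is None:
        raise ValueError(f"unparseable version: {text!r}")
    parts = tuple(int(p) for p in match.group().split("."))
    return parts + (0,) * max(0, 3 - len(parts))

def audit_requirements(text, package="transformers", minimum=MIN_PATCHED):
    """Return [(line_no, reason)] for lines that allow `package` below `minimum`."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()          # drop comments
        m = re.match(r"([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?(.*)", line)
        if not m or re.sub(r"[._]", "-", m.group(1)).lower() != package:
            continue                                 # other package, option line, or blank
        spec = m.group(2).split(";", 1)[0]           # drop environment markers
        clauses = re.findall(r"(===|==|~=|>=|<=|!=|<|>)\s*([^\s,]+)", spec)
        floors = [parse_version(v) for op, v in clauses if op in LOWER_BOUND_OPS]
        if not floors:
            findings.append((line_no, "no lower bound"))
        elif max(floors) < minimum:
            low = ".".join(map(str, max(floors)))
            findings.append((line_no, f"allows {low}, below patched release"))
    return findings

# Constructed sample input, not the project's real requirements-finetune.txt.
SAMPLE = """\
torch>=2.1
transformers==4.36.0        # old pin from before the fix
transformers[torch]>=4.36.0,<5
transformers
Transformers~=4.48.0
transformers>=4.48.0 ; python_version >= "3.9"
"""

if __name__ == "__main__":
    for line_no, reason in audit_requirements(SAMPLE):
        print(f"line {line_no}: {reason}")
```

The check is deliberately conservative: a line with only an upper bound or no specifier at all is reported, because it does not force an upgrade on an environment that already has a vulnerable release installed.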
When using this fine-tuning pipeline:
- Keep Dependencies Updated: Always use the latest patched versions of dependencies
- Verify Sources: Only load models from trusted sources (HuggingFace official)
- Dataset Security: Ensure your training data doesn't contain sensitive information
- Environment Isolation: Use virtual environments or containers
- Access Control: Protect API keys and tokens
If you discover a security vulnerability, please:
- Do NOT open a public issue
- Email security concerns to the repository maintainers
- Include detailed information about the vulnerability
- Allow time for patches before public disclosure
We recommend regularly scanning dependencies for vulnerabilities:
```bash
# Using pip-audit
pip install pip-audit
pip-audit

# Using safety
pip install safety
safety check
```

| Date | Component | Old Version | New Version | Reason |
|---|---|---|---|---|
| 2026-01-28 | transformers | 4.36.0 | 4.48.0 | CVE: Deserialization vulnerability |
Last Updated: January 28, 2026