huggingface/transformers: Arbitrary Code Execution During Model Initialization in the LightGlue Model Loading Path
High severity
GitHub Reviewed
Published
Jun 3, 2026
to the GitHub Advisory Database
•
Updated Jul 13, 2026
Description
Published by the National Vulnerability Database
Jun 3, 2026
Published to the GitHub Advisory Database
Jun 3, 2026
Reviewed
Jul 13, 2026
Last updated
Jul 13, 2026
A vulnerability in the LightGlue model loading path of huggingface/transformers version 5.2.0 allows an attacker-controlled model repository to execute arbitrary code during model initialization. The issue arises because the
trust_remote_codeparameter, intended to prevent remote code execution, is overridden by untrusted serialized configuration data in a nested code path. Specifically, when loading a LightGlue model usingAutoModel.from_pretrained()withtrust_remote_code=False, theLightGlueConfigreads thetrust_remote_codevalue from the untrustedconfig.jsonfile and propagates it into nestedAutoConfig.from_pretrained()calls. This results in the execution of attacker-provided Python modules, even when the victim explicitly disables remote code execution. The vulnerability poses a high risk for environments such as API inference servers, research notebooks, CI/CD pipelines, and model evaluation workers, potentially leading to credential theft, lateral movement, or persistence/backdoor deployment.References