CVE-2025-14920 is a deserialization vulnerability classified under CWE-502 affecting the Hugging Face Transformers library, specifically the Perceiver model component. The vulnerability stems from the library's failure to properly validate and sanitize user-supplied model files during the deserialization process. Deserialization is the process of converting data from a stored format back into an executable object; if untrusted data is deserialized without validation, it can lead to arbitrary code execution. In this case, an attacker can craft malicious model files that, when loaded by the vulnerable Transformers library, execute arbitrary code within the context of the current user. Exploitation requires user interaction, such as opening a malicious file or visiting a malicious webpage that triggers the loading of the malicious model. The CVSS 3.0 vector (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) indicates that the attack requires local access or user interaction but no privileges or complex conditions, and it impacts confidentiality, integrity, and availability to a high degree. Although no public exploits are currently known, the vulnerability poses a serious risk due to the widespread adoption of Hugging Face Transformers in AI and machine learning applications. The lack of patches at the time of disclosure necessitates immediate mitigation through operational controls. The vulnerability was assigned by ZDI (Zero Day Initiative) and published on December 23, 2025.

For European organizations, the impact of CVE-2025-14920 can be significant, particularly for those leveraging Hugging Face Transformers in AI/ML pipelines, research, or production environments. Successful exploitation could allow attackers to execute arbitrary code, potentially leading to data breaches, system compromise, or disruption of AI services. This could result in loss of sensitive intellectual property, exposure of personal data protected under GDPR, and operational downtime. Organizations relying on automated model loading from external or untrusted sources are especially vulnerable. The confidentiality, integrity, and availability of AI models and associated data can be compromised, undermining trust in AI outputs and causing reputational damage. Given the increasing integration of AI in critical sectors such as finance, healthcare, and manufacturing across Europe, the threat extends beyond IT systems to business continuity and regulatory compliance. The requirement for user interaction limits remote mass exploitation but does not eliminate risk, especially in environments where users frequently handle external model files or visit untrusted sites.

1. Immediately restrict the loading of model files to trusted, verified sources only, avoiding any untrusted or external model files. 2. Implement strict input validation and sanitization for all model files before deserialization, employing allowlists or schema validation where possible. 3. Isolate the execution environment for model loading, such as using sandboxing or containerization, to limit the impact of potential code execution. 4. Educate users about the risks of opening untrusted model files or visiting suspicious websites that could trigger malicious model loading. 5. Monitor and audit model loading activities and system behavior for anomalies indicative of exploitation attempts. 6. Apply security updates and patches from Hugging Face promptly once they become available. 7. Consider disabling or limiting features that automatically load or parse model files from external sources. 8. Employ endpoint protection solutions capable of detecting suspicious deserialization or code execution behaviors. 9. Review and harden access controls around AI/ML infrastructure to minimize the privileges of users and processes handling model files. 10. Establish incident response plans specific to AI/ML infrastructure compromise scenarios.