CVE-2025-3777: 
NixOS vulnerability analysis and mitigation

Hugging Face Transformers versions up to 4.49.0 are affected by an improper input validation vulnerability identified as CVE-2025-3777. The vulnerability was discovered in July 2025 and affects the image_utils.py file of the Transformers library. The issue stems from insecure URL validation using the startswith() method (NVD).

The vulnerability is classified as an improper input validation issue (CWE-20) in the URL validation mechanism. The flaw specifically exists in the image_utils.py file where the startswith() method is used for URL validation. The CVSS v3.0 base score is 3.5 (LOW) with the vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N, indicating a network-accessible vulnerability requiring low attack complexity and user interaction (NVD).

The vulnerability allows attackers to bypass URL validation through URL username injection. This bypass can enable attackers to craft URLs that appear to be from legitimate sources (such as YouTube) but actually resolve to malicious domains. The impact includes potential phishing attacks, malware distribution, and data exfiltration risks (NVD).

The vulnerability has been fixed in Hugging Face Transformers version 4.52.1. Users are advised to upgrade to this version or later to address the security issue. The fix can be found in the official repository commit (GitHub Commit).