Informational scan, not a security audit.
API keys, passwords or tokens committed into the repo.
Nothing found by this check. ✓
Packages you depend on that have known security holes (CVEs).
CVE-2025-32434 PyTorch is a Python package that provides tensor computation with stro ...
CVE-2025-2999 A vulnerability was found in PyTorch 2.6.0. It has been rated as criti ...
CVE-2025-3730 A vulnerability, which was classified as problematic, was found in PyT ...
CVE-2024-11392 transformers: Hugging Face Transformers MobileViTV2 Deserialization of Untrusted Data Remote Code Execution Vulnerability
CVE-2024-11393 transformers: Hugging Face Transformers MaskFormer Model Deserialization of Untrusted Data Remote Code Execution Vulnerability
CVE-2024-11394 transformers: Hugging Face Transformers Trax Model Deserialization of Untrusted Data Remote Code Execution Vulnerability
CVE-2024-12720 Transformers Regular Expression Denial of Service (ReDoS) vulnerability
CVE-2025-1194 Transformers Regular Expression Denial of Service (ReDoS) vulnerability
CVE-2025-2099 transformers: Regular Expression Denial of Service (ReDoS) in huggingface/transformers
CVE-2025-3263 transformers: Regular Expression Denial of Service (ReDoS) in huggingface/transformers
CVE-2025-3264 transformers: Regular Expression Denial of Service (ReDoS) in huggingface/transformers
CVE-2025-3933 transformers: Regular Expression Denial of Service (ReDoS) in huggingface/transformers
CVE-2025-5197 transformers: Transformers ReDoS Vulnerability
CVE-2025-6051 transformers: Regular Expression Denial of Service (ReDoS) in huggingface/transformers
CVE-2025-6638 transformers: Regular Expression Denial of Service (ReDoS) in huggingface/transformers
CVE-2025-6921 transformers: Regular Expression Denial of Service (ReDoS) in huggingface/transformers
CVE-2026-1839 transformers: HuggingFace Transformers: Arbitrary code execution via malicious checkpoint file
CVE-2025-2953 torch: PyTorch torch.mkldnn_max_pool2d denial of service
CVE-2025-3001 A vulnerability classified as critical was found in PyTorch 2.6.0. Thi ...
CVE-2025-3777 transformers: Improper Input Validation in huggingface/transformers
Your dependencies cross-checked against the OSV vulnerability database.
PYSEC-2024-259 In PyTorch <=2.4.1, the RemoteModule has Deserialization RCE. NOTE: this is disputed by multiple parties because this is intended behavior in PyTorch distributed computing.
PYSEC-2025-41 PyTorch is a Python package that provides tensor computation with strong GPU acceleration and deep neural networks built on a tape-based autograd system. In version 2.5.1 and prior, a Remote Command E
PYSEC-2025-191 A vulnerability, which was classified as problematic, has been found in PyTorch 2.6.0+cu124. Affected by this issue is the function torch.mkldnn_max_pool2d. The manipulation leads to denial of service
PYSEC-2025-198 In PyTorch through 2.6.0, when eager is used, nn.PairwiseDistance(p=2) produces incorrect results.
PYSEC-2025-203 An issue in the component torch.linalg.lu of pytorch v2.8.0 allows attackers to cause a Denial of Service (DoS) when performing a slice operation.
PYSEC-2025-204 pytorch v2.8.0 was discovered to display unexpected behavior when the components torch.rot90 and torch.randn_like are used together.
PYSEC-2025-205 A syntax error in the component proxy_tensor.py of pytorch v2.7.0 allows attackers to cause a Denial of Service (DoS).
PYSEC-2025-206 pytorch v2.8.0 was discovered to contain an integer overflow in the component torch.nan_to_num-.long().
PYSEC-2025-207 A Name Error occurs in pytorch v2.7.0 when a PyTorch model consists of torch.cummin and is compiled by Inductor, leading to a Denial of Service (DoS).
PYSEC-2025-208 A buffer overflow occurs in pytorch v2.7.0 when a PyTorch model consists of torch.nn.Conv2d, torch.nn.functional.hardshrink, and torch.Tensor.view-torch.mv() and is compiled by Inductor, leading to a
PYSEC-2025-209 An issue in pytorch v2.7.0 can lead to a Denial of Service (DoS) when a PyTorch model consists of torch.Tensor.to_sparse() and torch.Tensor.to_dense() and is compiled by Inductor.
PYSEC-2026-139 A vulnerability was identified in PyTorch 2.10.0. The affected element is an unknown function of the component pt2 Loading Handler. The manipulation leads to deserialization. The attack can only be pe
GHSA-887c-mr87-cxwp PyTorch Improper Resource Shutdown or Release vulnerability
GHSA-c678-jfcj-6jmf PyTorch Tuple Handler is Vulnerable to Memory Corruption through Manipulation of None Argument
GHSA-f4hp-rmr7-r7v8 PyTorch is Vulnerable to Memory Consumption through pad_packed_sequence Function
GHSA-qfhq-4f3w-5fph PyTorch is vulnerable to memory corruption through its torch.lstm_cell function
GHSA-rrmf-rvhw-rf47 PyTorch is vulnerable to memory corruption through its torch.jit.script function
GHSA-vgrw-7cvw-pwgx PyTorch is vulnerable to memory corruption through its unpack_sequence function
PYSEC-2024-227 Hugging Face Transformers MobileViTV2 Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installati
PYSEC-2024-228 Hugging Face Transformers MaskFormer Model Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected insta
PYSEC-2024-229 Hugging Face Transformers Trax Model Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installatio
PYSEC-2025-211 Hugging Face Transformers Perceiver Model Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected instal
PYSEC-2025-212 Hugging Face Transformers Transformer-XL Model Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected i
PYSEC-2025-213 Hugging Face Transformers megatron_gpt2 Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installa
PYSEC-2025-214 Hugging Face Transformers SEW convert_config Code Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Huggi
Code that can be exploited — injection, hardcoded credentials and similar.
Nothing found by this check. ✓
Packages that look intentionally malicious — typosquats, sneaky install scripts.
Nothing found by this check. ✓
A signal about how the project is maintained — not a vulnerability in your code. It doesn’t affect the verdict above.
Maintenance & supply-chain hygiene. A signal about the project — not a vulnerability in your code.
scorecard-overall OpenSSF Scorecard overall: 3.3/10
scorecard-CI-Tests CI-Tests scored 0: 0 out of 11 merged PRs checked by a CI test -- score normalized to 0
scorecard-CII-Best-Practices CII-Best-Practices scored 0: no effort to earn an OpenSSF best practices badge detected
scorecard-Dependency-Update-Tool Dependency-Update-Tool scored 0: no update tool detected
scorecard-Fuzzing Fuzzing scored 0: project is not fuzzed
scorecard-Maintained Maintained scored 0: 0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0
scorecard-Pinned-Dependencies Pinned-Dependencies scored 0: dependency not pinned by hash detected -- score normalized to 0
scorecard-SAST SAST scored 0: SAST tool is not run on all commits -- score normalized to 0
scorecard-Security-Policy Security-Policy scored 0: security policy file not detected
scorecard-Token-Permissions Token-Permissions scored 0: detected GitHub workflow tokens with excessive permissions