gitsafehub
github.com/facebookresearch/seamless_communication ↗

facebookresearch/seamless_communication

scanned 2026-06-30 · git 90e2b57
2 of 6 checks flagged a security issue
🔴 Needs attention
Only 3 of 6 checks finished — treat this as provisional.

Informational scan, not a security audit. How this is computed.

Summary: Leaked secrets · Vulnerable dependencies: 24 · Known OSS vulnerabilities: 260 · Risky code patterns · Malicious dependencies · Project health

Security checks

Leaked secrets — Gitleaks timed out

API keys, passwords or tokens committed into the repo.

This check didn’t finish — that’s not the same as “clean.” Try Check again above.

via Gitleaks v8.21.2 · MIT

error: timeout after 30s

Vulnerable dependencies — Trivy 24 found · 1 serious

Packages you depend on that have known security holes (CVEs).

  • Serious CVE-2025-32434 PyTorch is a Python package that provides tensor computation with stro ...
    ggml/requirements.txt
    A package you depend on has a known security hole (CVE-2025-32434). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-1260 sentencepiece: Sentencepiece: Invalid memory access leading to potential arbitrary code execution via a crafted model file.
    ggml/requirements.txt
    A package you depend on has a known security hole (CVE-2026-1260). Fix: Update that package to its patched version.
  • Worth fixing CVE-2024-31580 PyTorch before v2.2.0 was discovered to contain a heap buffer overflow ...
    ggml/requirements.txt
    A package you depend on has a known security hole (CVE-2024-31580). Fix: Update that package to its patched version.
  • Worth fixing CVE-2024-31583 Pytorch before version v2.2.0 was discovered to contain a use-after-fr ...
    ggml/requirements.txt
    A package you depend on has a known security hole (CVE-2024-31583). Fix: Update that package to its patched version.
  • Worth fixing CVE-2025-2999 A vulnerability was found in PyTorch 2.6.0. It has been rated as criti ...
    ggml/requirements.txt
    A package you depend on has a known security hole (CVE-2025-2999). Fix: Update that package to its patched version.
  • Worth fixing CVE-2025-3730 A vulnerability, which was classified as problematic, was found in PyT ...
    ggml/requirements.txt
    A package you depend on has a known security hole (CVE-2025-3730). Fix: Update that package to its patched version.
  • Worth fixing CVE-2024-11392 transformers: Hugging Face Transformers MobileViTV2 Deserialization of Untrusted Data Remote Code Execution Vulnerability
    ggml/requirements.txt
    A package you depend on has a known security hole (CVE-2024-11392). Fix: Update that package to its patched version.
  • Worth fixing CVE-2024-11393 transformers: Hugging Face Transformers MaskFormer Model Deserialization of Untrusted Data Remote Code Execution Vulnerability
    ggml/requirements.txt
    A package you depend on has a known security hole (CVE-2024-11393). Fix: Update that package to its patched version.
  • Worth fixing CVE-2024-11394 transformers: Hugging Face Transformers Trax Model Deserialization of Untrusted Data Remote Code Execution Vulnerability
    ggml/requirements.txt
    A package you depend on has a known security hole (CVE-2024-11394). Fix: Update that package to its patched version.
  • Worth fixing CVE-2024-12720 Transformers Regular Expression Denial of Service (ReDoS) vulnerability
    ggml/requirements.txt
    A package you depend on has a known security hole (CVE-2024-12720). Fix: Update that package to its patched version.
  • Worth fixing CVE-2025-1194 Transformers Regular Expression Denial of Service (ReDoS) vulnerability
    ggml/requirements.txt
    A package you depend on has a known security hole (CVE-2025-1194). Fix: Update that package to its patched version.
  • Worth fixing CVE-2025-2099 transformers: Regular Expression Denial of Service (ReDoS) in huggingface/transformers
    ggml/requirements.txt
    A package you depend on has a known security hole (CVE-2025-2099). Fix: Update that package to its patched version.
  • Worth fixing CVE-2025-3263 transformers: Regular Expression Denial of Service (ReDoS) in huggingface/transformers
    ggml/requirements.txt
    A package you depend on has a known security hole (CVE-2025-3263). Fix: Update that package to its patched version.
  • Worth fixing CVE-2025-3264 transformers: Regular Expression Denial of Service (ReDoS) in huggingface/transformers
    ggml/requirements.txt
    A package you depend on has a known security hole (CVE-2025-3264). Fix: Update that package to its patched version.
  • Worth fixing CVE-2025-3933 transformers: Regular Expression Denial of Service (ReDoS) in huggingface/transformers
    ggml/requirements.txt
    A package you depend on has a known security hole (CVE-2025-3933). Fix: Update that package to its patched version.
  • Worth fixing CVE-2025-5197 transformers: Transformers ReDoS Vulnerability
    ggml/requirements.txt
    A package you depend on has a known security hole (CVE-2025-5197). Fix: Update that package to its patched version.
  • Worth fixing CVE-2025-6051 transformers: Regular Expression Denial of Service (ReDoS) in huggingface/transformers
    ggml/requirements.txt
    A package you depend on has a known security hole (CVE-2025-6051). Fix: Update that package to its patched version.
  • Worth fixing CVE-2025-6638 transformers: Regular Expression Denial of Service (ReDoS) in huggingface/transformers
    ggml/requirements.txt
    A package you depend on has a known security hole (CVE-2025-6638). Fix: Update that package to its patched version.
  • Worth fixing CVE-2025-6921 transformers: Regular Expression Denial of Service (ReDoS) in huggingface/transformers
    ggml/requirements.txt
    A package you depend on has a known security hole (CVE-2025-6921). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-1839 transformers: HuggingFace Transformers: Arbitrary code execution via malicious checkpoint file
    ggml/requirements.txt
    A package you depend on has a known security hole (CVE-2026-1839). Fix: Update that package to its patched version.
  • Minor CVE-2025-2953 torch: PyTorch torch.mkldnn_max_pool2d denial of service
    ggml/requirements.txt
    A package you depend on has a known security hole (CVE-2025-2953). Fix: Update that package to its patched version.
  • Minor CVE-2025-3001 A vulnerability classified as critical was found in PyTorch 2.6.0. Thi ...
    ggml/requirements.txt
    A package you depend on has a known security hole (CVE-2025-3001). Fix: Update that package to its patched version.
  • Minor CVE-2024-3568 Transformers Deserialization of Untrusted Data vulnerability
    ggml/requirements.txt
    A package you depend on has a known security hole (CVE-2024-3568). Fix: Update that package to its patched version.
  • Minor CVE-2025-3777 transformers: Improper Input Validation in huggingface/transformers
    ggml/requirements.txt
    A package you depend on has a known security hole (CVE-2025-3777). Fix: Update that package to its patched version.

via Trivy v0.70.0 · Apache-2.0

Known OSS vulnerabilities — OSV-Scanner 260 found · 23 serious

Your dependencies cross-checked against the OSV vulnerability database.

  • Serious PYSEC-2023-255 Command Injection in GitHub repository gradio-app/gradio prior to main.
    /workdirs/scan-90916f47-08e7-4887-8b27-74ef147f143a/demo/expressive/requirements.txt
    A package you depend on has a known security hole (CVE-2023-6572). Fix: Update that package to its patched version.
  • Serious PYSEC-2024-215 Gradio is an open-source Python package designed for quick prototyping. This vulnerability relates to **Server-Side Request Forgery (SSRF)** in the `/queue/join` endpoint. Gradio’s `async_save_url_to_
    /workdirs/scan-90916f47-08e7-4887-8b27-74ef147f143a/demo/expressive/requirements.txt
    A package you depend on has a known security hole (CVE-2024-47167). Fix: Update that package to its patched version.
  • Serious PYSEC-2024-219 Gradio is an open-source Python package designed for quick prototyping. This vulnerability involves **insecure communication** between the FRP (Fast Reverse Proxy) client and server when Gradio's `sha
    /workdirs/scan-90916f47-08e7-4887-8b27-74ef147f143a/demo/expressive/requirements.txt
    A package you depend on has a known security hole (CVE-2024-47871). Fix: Update that package to its patched version.
  • Serious PYSEC-2024-274 Gradio v4.36.1 was discovered to contain a code injection vulnerability via the component /gradio/component_meta.py. This vulnerability is triggered via a crafted input. NOTE: the supplier disputes th
    /workdirs/scan-90916f47-08e7-4887-8b27-74ef147f143a/demo/expressive/requirements.txt
    A package you depend on has a known security hole (CVE-2024-39236). Fix: Update that package to its patched version.
  • Serious PYSEC-2025-118 Gradio is an open-source Python package that allows quick building of demos and web application for machine learning models, API, or any arbitrary Python function. Gradio's Access Control List (ACL) f
    /workdirs/scan-90916f47-08e7-4887-8b27-74ef147f143a/demo/expressive/requirements.txt
    A package you depend on has a known security hole (CVE-2025-23042). Fix: Update that package to its patched version.
  • Serious PYSEC-2026-345 Gradio allows users to access arbitrary files
    /workdirs/scan-90916f47-08e7-4887-8b27-74ef147f143a/demo/expressive/requirements.txt
    A package you depend on has a known security hole (CVE-2024-1728). Fix: Update that package to its patched version.
  • Serious PYSEC-2024-259 In PyTorch <=2.4.1, the RemoteModule has Deserialization RCE. NOTE: this is disputed by multiple parties because this is intended behavior in PyTorch distributed computing.
    /workdirs/scan-90916f47-08e7-4887-8b27-74ef147f143a/demo/expressive/requirements.txt
    A package you depend on has a known security hole (CVE-2024-48063). Fix: Update that package to its patched version.
  • Serious PYSEC-2025-41 PyTorch is a Python package that provides tensor computation with strong GPU acceleration and deep neural networks built on a tape-based autograd system. In version 2.5.1 and prior, a Remote Command E
    /workdirs/scan-90916f47-08e7-4887-8b27-74ef147f143a/demo/expressive/requirements.txt
    A package you depend on has a known security hole (CVE-2025-32434). Fix: Update that package to its patched version.
  • Serious PYSEC-2026-457 Arbitrary Code Execution in Pillow
    /workdirs/scan-90916f47-08e7-4887-8b27-74ef147f143a/demo/expressive/requirements.txt
    A package you depend on has a known security hole (CVE-2023-50447). Fix: Update that package to its patched version.
  • Serious PYSEC-2023-255 Command Injection in GitHub repository gradio-app/gradio prior to main.
    /workdirs/scan-90916f47-08e7-4887-8b27-74ef147f143a/demo/m4tv2/requirements.txt
    A package you depend on has a known security hole (CVE-2023-6572). Fix: Update that package to its patched version.
  • Serious PYSEC-2024-215 Gradio is an open-source Python package designed for quick prototyping. This vulnerability relates to **Server-Side Request Forgery (SSRF)** in the `/queue/join` endpoint. Gradio’s `async_save_url_to_
    /workdirs/scan-90916f47-08e7-4887-8b27-74ef147f143a/demo/m4tv2/requirements.txt
    A package you depend on has a known security hole (CVE-2024-47167). Fix: Update that package to its patched version.
  • Serious PYSEC-2024-219 Gradio is an open-source Python package designed for quick prototyping. This vulnerability involves **insecure communication** between the FRP (Fast Reverse Proxy) client and server when Gradio's `sha
    /workdirs/scan-90916f47-08e7-4887-8b27-74ef147f143a/demo/m4tv2/requirements.txt
    A package you depend on has a known security hole (CVE-2024-47871). Fix: Update that package to its patched version.
  • Serious PYSEC-2024-274 Gradio v4.36.1 was discovered to contain a code injection vulnerability via the component /gradio/component_meta.py. This vulnerability is triggered via a crafted input. NOTE: the supplier disputes th
    /workdirs/scan-90916f47-08e7-4887-8b27-74ef147f143a/demo/m4tv2/requirements.txt
    A package you depend on has a known security hole (CVE-2024-39236). Fix: Update that package to its patched version.
  • Serious PYSEC-2025-118 Gradio is an open-source Python package that allows quick building of demos and web application for machine learning models, API, or any arbitrary Python function. Gradio's Access Control List (ACL) f
    /workdirs/scan-90916f47-08e7-4887-8b27-74ef147f143a/demo/m4tv2/requirements.txt
    A package you depend on has a known security hole (CVE-2025-23042). Fix: Update that package to its patched version.
  • Serious PYSEC-2026-345 Gradio allows users to access arbitrary files
    /workdirs/scan-90916f47-08e7-4887-8b27-74ef147f143a/demo/m4tv2/requirements.txt
    A package you depend on has a known security hole (CVE-2024-1728). Fix: Update that package to its patched version.
  • Serious PYSEC-2024-259 In PyTorch <=2.4.1, the RemoteModule has Deserialization RCE. NOTE: this is disputed by multiple parties because this is intended behavior in PyTorch distributed computing.
    /workdirs/scan-90916f47-08e7-4887-8b27-74ef147f143a/demo/m4tv2/requirements.txt
    A package you depend on has a known security hole (CVE-2024-48063). Fix: Update that package to its patched version.
  • Serious PYSEC-2025-41 PyTorch is a Python package that provides tensor computation with strong GPU acceleration and deep neural networks built on a tape-based autograd system. In version 2.5.1 and prior, a Remote Command E
    /workdirs/scan-90916f47-08e7-4887-8b27-74ef147f143a/demo/m4tv2/requirements.txt
    A package you depend on has a known security hole (CVE-2025-32434). Fix: Update that package to its patched version.
  • Serious PYSEC-2026-457 Arbitrary Code Execution in Pillow
    /workdirs/scan-90916f47-08e7-4887-8b27-74ef147f143a/demo/m4tv2/requirements.txt
    A package you depend on has a known security hole (CVE-2023-50447). Fix: Update that package to its patched version.
  • Serious PYSEC-2026-457 Arbitrary Code Execution in Pillow
    /workdirs/scan-90916f47-08e7-4887-8b27-74ef147f143a/dev_requirements.txt
    A package you depend on has a known security hole (CVE-2023-50447). Fix: Update that package to its patched version.
  • Serious PYSEC-2024-259 In PyTorch <=2.4.1, the RemoteModule has Deserialization RCE. NOTE: this is disputed by multiple parties because this is intended behavior in PyTorch distributed computing.
    /workdirs/scan-90916f47-08e7-4887-8b27-74ef147f143a/dev_requirements.txt
    A package you depend on has a known security hole (CVE-2024-48063). Fix: Update that package to its patched version.
  • Serious PYSEC-2025-41 PyTorch is a Python package that provides tensor computation with strong GPU acceleration and deep neural networks built on a tape-based autograd system. In version 2.5.1 and prior, a Remote Command E
    /workdirs/scan-90916f47-08e7-4887-8b27-74ef147f143a/dev_requirements.txt
    A package you depend on has a known security hole (CVE-2025-32434). Fix: Update that package to its patched version.
  • Serious PYSEC-2024-259 In PyTorch <=2.4.1, the RemoteModule has Deserialization RCE. NOTE: this is disputed by multiple parties because this is intended behavior in PyTorch distributed computing.
    /workdirs/scan-90916f47-08e7-4887-8b27-74ef147f143a/ggml/requirements.txt
    A package you depend on has a known security hole (CVE-2024-48063). Fix: Update that package to its patched version.
  • Serious PYSEC-2025-41 PyTorch is a Python package that provides tensor computation with strong GPU acceleration and deep neural networks built on a tape-based autograd system. In version 2.5.1 and prior, a Remote Command E
    /workdirs/scan-90916f47-08e7-4887-8b27-74ef147f143a/ggml/requirements.txt
    A package you depend on has a known security hole (CVE-2025-32434). Fix: Update that package to its patched version.
  • Worth fixing PYSEC-2023-249 Gradio is an open-source Python package that allows you to quickly build a demo or web application for your machine learning model, API, or any arbitrary Python function. Versions of `gradio` prior to
    /workdirs/scan-90916f47-08e7-4887-8b27-74ef147f143a/demo/expressive/requirements.txt
    A package you depend on has a known security hole (CVE-2023-51449). Fix: Update that package to its patched version.
  • Worth fixing PYSEC-2024-184 A local file inclusion vulnerability exists in the JSON component of gradio-app/gradio version 4.25. The vulnerability arises from improper input validation in the `postprocess()` function within `gra
    /workdirs/scan-90916f47-08e7-4887-8b27-74ef147f143a/demo/expressive/requirements.txt
    A package you depend on has a known security hole (CVE-2024-4941). Fix: Update that package to its patched version.
… 235 more not shown

via OSV-Scanner v1.9.2 · Apache-2.0

Risky code patterns — Semgrep none found ✓

Code that can be exploited — injection, hardcoded credentials and similar.

Nothing found by this check. ✓

via Semgrep v1.147.0 · LGPL-2.1

Malicious dependencies — Guarddog timed out

Packages that look intentionally malicious — typosquats, sneaky install scripts.

This check didn’t finish — that’s not the same as “clean.” Try Check again above.

via Guarddog v2.10.0 · Apache-2.0

error: pypi:timeout

Project health

A signal about how the project is maintained — not a vulnerability in your code. It doesn’t affect the verdict above.

Project health — OpenSSF Scorecard didn’t run

Maintenance & supply-chain hygiene. A signal about the project — not a vulnerability in your code.

This check didn’t finish — that’s not the same as “clean.” Try Check again above.

via OpenSSF Scorecard · Apache-2.0

About these results. Six open-source checks ran in parallel; every finding is tagged with the tool that produced it. The verdict follows a published rule. False positives and false negatives are normal — a clean scan does not mean the code is secure, and a red verdict does not mean the project is compromised.