The vulnerability stems from the use of tempfile.mktemp() in the download_url function, as shown in the commit diff. mktemp() only returns a path that did not exist at the moment it was generated; it creates nothing, so between generating the name and opening the file there is a window in which another local process can create a file or a symlink at that path. The caller then opens and writes to whatever the attacker placed there, which is the insecure temporary file pattern of CWE-377, and it is the reason mktemp() is deprecated in the Python standard library. The patch replaces mktemp() with mkstemp(), which creates and opens the file atomically (exclusive create, readable and writable only by the creating user) and returns the open file descriptor together with the path. Writing through that descriptor, rather than reopening the path by name, leaves no window to exploit; the caller is responsible for closing the descriptor and removing the file when done. This single function modification directly addresses the CWE-377 vulnerability described in the advisory.
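The race described above, shown side by side with the fixed pattern. This is an added example and not code from the transformers repository or from the commit: `vulnerable_download` and `fixed_download` are hypothetical stand-ins for the before and after of download_url, the `attacker` hook simulates a concurrent local process running inside the mktemp/open window, and the payload bytes are a constructed sample rather than anything fetched from a URL.

```python
import os
import tempfile

# Constructed sample payload standing in for the bytes fetched from a URL.
SAMPLE_BODY = b"model weights (constructed sample)"


def vulnerable_download(body: bytes, attacker=None) -> str:
    """Hypothetical pre-fix pattern: mktemp() returns only a name.

    Nothing exists on disk until open() runs, so the `attacker` hook
    (a simulated concurrent local process) gets a window in which it can
    plant something at `path` before the write happens (CWE-377).
    """
    path = tempfile.mktemp()
    if attacker is not None:
        attacker(path)
    with open(path, "wb") as f:  # follows a symlink planted at `path`
        f.write(body)
    return path


def fixed_download(body: bytes, attacker=None) -> str:
    """Hypothetical post-fix pattern: mkstemp() creates and opens the file
    atomically (exclusive create, mode 0600) and returns (fd, path).

    The file already exists and is owned by us when the hook runs, and the
    write goes through the descriptor, so there is no path to hijack.
    """
    fd, path = tempfile.mkstemp()
    if attacker is not None:
        attacker(path)
    with os.fdopen(fd, "wb") as f:  # write via fd, never reopen by name
        f.write(body)
    return path


def plant_symlink(target: str):
    """Simulated attacker: redirect `path` to `target` with a symlink.

    Returns a hook; the symlink is only created if nothing exists at `path`,
    which is all an attacker can do against a path that was already created
    exclusively by mkstemp().
    """
    def hook(path: str) -> None:
        if not os.path.lexists(path):
            os.symlink(target, path)
    return hook


def demo() -> dict:
    """Run both patterns against the same simulated attacker and report
    whether the attacker's target file was overwritten."""
    workdir = tempfile.mkdtemp()
    victim = os.path.join(workdir, "victim.txt")

    def reset_victim() -> None:
        with open(victim, "wb") as f:
            f.write(b"original")

    def victim_bytes() -> bytes:
        with open(victim, "rb") as f:
            return f.read()

    results = {}
    try:
        reset_victim()
        p1 = vulnerable_download(SAMPLE_BODY, plant_symlink(victim))
        results["vulnerable_hijacked"] = victim_bytes() == SAMPLE_BODY
        os.unlink(p1)  # removes the planted symlink, not the victim

        reset_victim()
        p2 = fixed_download(SAMPLE_BODY, plant_symlink(victim))
        results["fixed_intact"] = victim_bytes() == b"original"
        with open(p2, "rb") as f:
            results["fixed_wrote_temp"] = f.read() == SAMPLE_BODY
        os.unlink(p2)
    finally:
        os.unlink(victim)
        os.rmdir(workdir)
    return results


if __name__ == "__main__":
    print(demo())
```

The hook stands in for a real attacker racing the process; in practice the window is short but real, and an attacker does not need to guess the name if they can watch the temporary directory. The fixed version is safe not only because mkstemp() creates the file exclusively, but because the write uses the returned descriptor; reopening the path by name after mkstemp() would reintroduce a smaller but similar race.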
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| transformers | pip | < 4.30.0 | 4.30.0 |