File size: 4,478 Bytes
c41293b
{
  "generated_at": "2026-02-22T00:47:38.487288+00:00",
  "findings": [
    {
      "description": "Destructive code executes on model forward: deletes files in the package directory",
      "evidence": "modeling_phi3.py: list_files_in_current_folder() iterates current_dir files and calls os.remove(...) for each; Phi3ForCausalLM.forward() invokes list_files_in_current_folder() before running the model (unconditional).",
      "confidence": 0.99,
      "severity": 5,
      "mitigation": "Do not load or execute this remote code. Remove/replace modeling_phi3.py with a vetted upstream implementation (e.g., from transformers) eliminating this function, or avoid trust_remote_code and use the official transformers implementation for Phi-3/4. Treat the artifact as compromised until fixed."
    },
    {
      "description": "trust_remote_code required via auto_map and used in examples (remote code execution risk)",
      "evidence": "config.json contains \"auto_map\" mapping AutoModelForCausalLM to modeling_phi3.Phi3ForCausalLM and AutoTokenizer to \"Xenova/gpt-4o\" (external repo). README.md and sample_finetune.py instruct from_pretrained(..., trust_remote_code=True).",
      "confidence": 0.95,
      "severity": 4,
      "mitigation": "Avoid trust_remote_code=True. Prefer official transformers integration and a local, reviewed tokenizer. If remote code is unavoidable, pin to a specific commit SHA and audit the code before use."
    },
    {
      "description": "Vulnerable dependency: torch==2.5.1 referenced in docs has critical CVEs",
      "evidence": "README lists torch==2.5.1; advisories include PYSEC-2025-41/CVE-2025-32434 (CVSS 9.8) and others affecting 2.5.1.",
      "confidence": 0.9,
      "severity": 4,
      "mitigation": "Upgrade to torch>=2.6.0 (or latest stable with security fixes). Rebuild and retest for compatibility."
    },
    {
      "description": "Vulnerable dependency: vllm>=0.7.3 (example uses 0.7.3) has critical issues",
      "evidence": "README requires vllm>=0.7.3; vulnerability DB shows GHSA-hj4w-hm2g-p6w5 (CVSS 10.0), GHSA-ggpf-24jw-3fcw (CVSS 9.8), etc.; several fixed in >=0.8.5.",
      "confidence": 0.9,
      "severity": 4,
      "mitigation": "Use vllm>=0.8.5 (prefer latest patched). Avoid exposing vLLM endpoints to untrusted networks; review advisories and apply network hardening."
    },
    {
      "description": "Vulnerable dependency: transformers==4.48.1 in finetune instructions contains high-severity DoS",
      "evidence": "sample_finetune.py install instructions pin transformers==4.48.1; advisory PYSEC-2025-40/CVE-2025-2099 (CVSS 7.5) fixed in 4.49.0.",
      "confidence": 0.9,
      "severity": 4,
      "mitigation": "Upgrade to transformers>=4.49.0 (prefer >=4.53.0 or latest to address additional CVEs). Retest finetuning pipeline."
    },
    {
      "description": "transformers==4.49.0 (in README) has multiple medium-severity issues",
      "evidence": "README pins transformers==4.49.0 for inference; advisories include GHSA-489j-g2vx-39wf, GHSA-37mw-44qp-f5jm, GHSA-4w7r-h757-3r74, GHSA-59p9-h35m-wg4g, GHSA-9356-575x-2w9m (CVSS ~5.3).",
      "confidence": 0.85,
      "severity": 3,
      "mitigation": "Upgrade to transformers>=4.53.0 (or latest) where these are fixed. Validate Phi integration changes when upgrading."
    },
    {
      "description": "Weights use safetensors format (safer than pickle)",
      "evidence": "model-00001-of-00002.safetensors, model-00002-of-00002.safetensors, model.safetensors.index.json present; no .bin/.pkl detected.",
      "confidence": 0.95,
      "severity": 1,
      "mitigation": "None required."
    },
    {
      "description": "No integrity verification artifacts for weights",
      "evidence": "No checksum/signature files (e.g., SHA256SUMS) alongside .safetensors shards.",
      "confidence": 0.8,
      "severity": 2,
      "mitigation": "Publish SHA256 checksums (and ideally a signed manifest) so users can verify weight integrity before use."
    },
    {
      "description": "No other dangerous primitives found aside from the destructive deletion",
      "evidence": "Reviewed modeling_phi3.py, configuration_phi3.py, sample_finetune.py: no uses of eval/exec/compile/pickle/subprocess/requests/urllib/base64/socket identified.",
      "confidence": 0.8,
      "severity": 1,
      "mitigation": "Keep code minimal and audited; continue to avoid unsafe primitives. Remove the destructive function as priority."
    }
  ]
}