Severity: Low

Package: transformers

Deserialization Vulnerability in Model Checkpoint Loading

A Deserialization of Untrusted Data vulnerability was identified in the huggingface/transformers library, specifically within the `load_repo_checkpoint()` method of the `TFPreTrainedModel` class, affecting version 4.37.2. This vulnerability allows attackers to execute arbitrary code via a malicious serialized payload. It was patched in version 4.38.

Available publicly on Mar 27 2024

CVSS base score: 3.4

CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:N/A:L

Credit: retr0reg

Threat Overview

The vulnerability arises because `load_repo_checkpoint()` deserializes data taken from the checkpoint without adequate validation. By crafting a malicious serialized payload and convincing a victim to load it as a model checkpoint, an attacker can execute arbitrary code on the victim's machine. The issue is exacerbated by the use of public repositories for model sharing, which give attackers an easy distribution channel for malicious payloads.

Attack Scenario

An attacker creates a malicious model checkpoint containing arbitrary code encapsulated within a serialized object. This checkpoint is then uploaded to a public repository. The attacker then convinces a victim, through phishing or other means, to load this checkpoint into their environment using the vulnerable function. Upon deserialization, the arbitrary code is executed, compromising the victim's machine.

Who is affected

Users of the huggingface/transformers library version 4.37.2 who load model checkpoints from untrusted or public repositories are at risk. This includes researchers, developers, and organizations utilizing the library for machine learning tasks, especially those involving model sharing or downloading checkpoints from external sources.
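The two checks a defender wants for this class of bug are a way to inspect a serialized checkpoint file without executing it, and a loader that refuses to resolve any global the checkpoint is not explicitly allowed to reference. The following added example (written for this page; it is not code from huggingface/transformers and does not describe how `load_repo_checkpoint()` is implemented) does both with the standard library alone. It assumes the checkpoint metadata is a Python pickle stream, uses a `datetime.date` object as a harmless stand-in for a serialized object carrying a `__reduce__` hook, and includes a version check against the 4.38 fix stated above.

```python
import io
import pickle
import pickletools
import datetime

# Opcodes that make the unpickler import a name or call a callable while the
# stream is being loaded. Plain checkpoint metadata (dicts, lists, numbers,
# strings) never needs any of them, so their presence is a red flag.
CODE_LOADING_OPCODES = {
    "GLOBAL", "STACK_GLOBAL", "INST", "OBJ",
    "REDUCE", "NEWOBJ", "NEWOBJ_EX", "BUILD",
}

# Names a checkpoint is allowed to reference; everything else is refused.
# Extend this deliberately, one (module, name) pair at a time.
ALLOWED_GLOBALS = {("builtins", "set"), ("collections", "OrderedDict")}


def scan_pickle(data: bytes) -> list[str]:
    """Disassemble a pickle stream WITHOUT executing it (pickletools.genops
    only decodes opcodes) and return the code-loading opcodes it contains."""
    return [op.name for op, _arg, _pos in pickletools.genops(data)
            if op.name in CODE_LOADING_OPCODES]


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that resolves globals only from an explicit allow-list."""

    def find_class(self, module: str, name: str):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(
            f"checkpoint tried to import {module}.{name}; refusing to load")


def safe_load(data: bytes) -> tuple[bool, object]:
    """Two-layer check for checkpoint metadata: static opcode scan first,
    then an allow-listed unpickle. Returns (ok, value_or_reason)."""
    flagged = scan_pickle(data)
    if flagged:
        return False, f"code-loading opcodes present: {flagged}"
    try:
        return True, RestrictedUnpickler(io.BytesIO(data)).load()
    except pickle.UnpicklingError as exc:
        return False, str(exc)


def is_patched(version: str) -> bool:
    """True if a transformers version string is at or above the 4.38 fix
    named in the advisory (only major.minor are compared)."""
    major, minor = (int(part) for part in version.split(".")[:2])
    return (major, minor) >= (4, 38)


# Constructed samples for this example; they are not real checkpoint files.
def benign_metadata() -> bytes:
    """Metadata made only of plain containers and scalars."""
    return pickle.dumps({"epoch": 3, "lr": 0.001, "loss": [0.9, 0.4]}, protocol=4)


def suspect_metadata() -> bytes:
    """An object whose __reduce__ hook makes the stream import a callable and
    invoke it at load time. datetime.date is a harmless stand-in (assumption
    of this example) for whatever a malicious checkpoint would reference."""
    return pickle.dumps(datetime.date(2024, 3, 27), protocol=4)


if __name__ == "__main__":
    print("benign :", safe_load(benign_metadata()))
    print("suspect:", safe_load(suspect_metadata()))
    print("4.37.2 patched?", is_patched("4.37.2"),
          "| 4.38.0 patched?", is_patched("4.38.0"))
```

The scan catches the import-and-call opcodes before any object is constructed, and the restricted unpickler is the backstop if a stream is loaded anyway. Both are defence in depth; the durable fix is to upgrade to 4.38 or later as the advisory states and to avoid loading pickle-based checkpoint formats from repositories you do not control.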
