Remote Code Execution Flaw in Hugging Face Transformers
CVE-2024-11392

8.8HIGH

Key Information:

Vendor: Hugging Face
Status: Transformers
Vendor: CVE Published:; 22 November 2024

Badges

👾 Exploit Exists🟡 Public PoC

Summary

CVE-2024-11392 is a critical vulnerability found in the Hugging Face Transformers library, specifically impacting the MobileViTV2 model. This vulnerability arises from improper validation of user-supplied data when handling configuration files. Consequently, it allows remote attackers to execute arbitrary code on affected installations by exploiting a deserialization flaw. User interaction is required, as the target must visit a malicious page or open a harmful file for the exploit to be successful. This raises significant security concerns, particularly for users operating in environments where untrusted input may be encountered.

Affected Version(s)

Transformers 940fde8dafaecb8f17b588c5078291f1c1a420c8

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2024-11392
Created by Piyush-Bhor

References

https://www.zerodayinitiative.com/advisories/ZDI-24-1513/

x_research-advisory

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Timeline

🟡
Public PoC available
Dec 7, 2024
👾
Exploit known to exist
Dec 7, 2024
Vulnerability published
Nov 22, 2024
Vulnerability Reserved
Nov 18, 2024