Remote Code Execution Vulnerability in Hugging Face Transformers
CVE-2024-11394

8.8HIGH

Key Information:

Vendor: Hugging Face
Status: Transformers
Vendor: CVE Published:; 22 November 2024

Badges

👾 Exploit Exists🟡 Public PoC

Summary

CVE-2024-11394 is a high-risk vulnerability found in Hugging Face Transformers, which can be exploited by remote attackers through the deserialization of untrusted data. The vulnerability is triggered when users interact with malicious web pages or files, allowing arbitrary code execution within the context of the user. This flaw arises from insufficient validation of user-provided model files. Organizations using affected versions of Hugging Face Transformers should promptly assess their exposure and apply appropriate security measures.

Affected Version(s)

Transformers 026a173a64372e9602a16523b8fae9de4b0ff428

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2024-11394
Created by Piyush-Bhor

References

https://www.zerodayinitiative.com/advisories/ZDI-24-1515/

x_research-advisory

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Timeline

🟡
Public PoC available
Dec 7, 2024
👾
Exploit known to exist
Dec 7, 2024
Vulnerability published
Nov 22, 2024
Vulnerability Reserved
Nov 18, 2024