Deserialization Vulnerability in Tencent HunyuanDiT Model
CVE-2025-13707

7.8 HIGH

Key Information:

Vendor: Tencent
CVE Published: 23 December 2025

What is CVE-2025-13707?

The Tencent HunyuanDiT model is affected by a vulnerability in the model_resume function that allows remote code execution through deserialization of untrusted data. The flaw arises from inadequate validation of user-provided input. Exploitation requires user interaction: the target must interact with a malicious webpage or file. A successful attacker can execute arbitrary code in the context of the root user, so affected installations should be secured against it.
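An added example, not HunyuanDiT's code or its fix: one way a resume loader can refuse untrusted serialized data, assuming the checkpoint is a Python pickle stream (the page does not name the format). `safe_resume`, `CheckpointUnpickler` and the allowlist are hypothetical names, and the sample inputs are constructed.

```python
import collections
import io
import pickle

# Assumption: the only global a checkpoint of plain nested containers needs.
ALLOWED_GLOBALS = {("collections", "OrderedDict")}


class CheckpointUnpickler(pickle.Unpickler):
    """Unpickler that refuses to import any global not on the allowlist."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"blocked global {module}.{name}")


def safe_resume(blob: bytes):
    """Hypothetical stand-in for a resume loader; returns (state, error)."""
    try:
        state = CheckpointUnpickler(io.BytesIO(blob)).load()
    except pickle.UnpicklingError as exc:
        return None, str(exc)
    # Validate the shape of the result before any caller uses it.
    if not isinstance(state, dict):
        return None, f"unexpected top-level type {type(state).__name__}"
    return state, None


# Constructed sample inputs (not real HunyuanDiT checkpoints).
GOOD = pickle.dumps(collections.OrderedDict(step=1200, weights=[0.1, 0.2]))
# A benign callable reference stands in for any non-allowlisted import.
BAD = pickle.dumps({"step": 1, "hook": len})

if __name__ == "__main__":
    for label, blob in (("good", GOOD), ("bad", BAD)):
        print(label, safe_resume(blob))
```

The allowlist check runs before the referenced object is imported, so a stream that names anything else is rejected without resolving it.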

Affected Version(s)

HunyuanDiT 949065b08413ff57b4e1c01ac21dbf01f782f67a

CVSS V3.0

Score: 7.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
