PT-2024-16956 · Hugging Face · Huggingface/Transformers

The_Kernel_Panic

Published

2024-11-19

Updated

2025-12-29

CVE-2024-11393

CVSS v3.1

8.8

High

Vector

AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions Hugging Face Transformers MaskFormer Model (affected versions not specified)

Description This issue involves the deserialization of untrusted data within the Hugging Face Transformers MaskFormer Model, potentially leading to remote code execution. Successful exploitation requires user interaction, such as visiting a malicious page or opening a malicious file. The root cause is insufficient validation of user-supplied data during the parsing of model files, which allows for the deserialization of untrusted data. An attacker can exploit this to execute code within the context of the current user.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Deserialization of Untrusted Data

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-502

Related Identifiers

CVE-2024-11393

GHSA-WRFC-PVP9-MR9G

PYSEC-2024-228

ZDI-24-1514

Affected Products

Huggingface/Transformers

PT-2024-16956 · Hugging Face · Huggingface/Transformers

CVE-2024-11393

Weakness Enumeration

Related Identifiers

Affected Products

References · 21