We use cookies to improve your experience on our site.
AVID-2026-R1376
Description
Hugging Face Transformers MobileViTV2 Deserialization of Untrusted Data Remote Code Execution Vulnerability (CVE-2024-11392)
Details
Hugging Face Transformers MobileViTV2 Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
The specific flaw exists within the handling of configuration files. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-24322.
Reason for inclusion in AVID: CVE-2024-11392 describes a remote code execution vulnerability due to deserialization of untrusted data in the Hugging Face Transformers library (MobileViTV2). This is a software vulnerability in a widely used AI software stack library, representing a risk to the software supply chain for general-purpose AI systems (dependency/framework). It enables RCE, which is a security/safety impact. Sufficient evidence is present in the CVE/NVD/ZDI references.
References
Affected or Relevant Artifacts
- Developer: Hugging Face
- Deployer: Hugging Face
- Artifact Details:
| Type | Name |
|---|---|
| System | Transformers |
Impact
AVID Taxonomy Categorization
- Risk domains: Security
- SEP subcategories: S0100: Software Vulnerability
- Lifecycle stages: L06: Deployment
CVSS
| Version | 3.0 |
| Vector String | CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H |
| Base Score | 7.5 |
| Base Severity | 🔴 High |
CWE
| ID | Description |
|---|---|
| CWE-502 | CWE-502: Deserialization of Untrusted Data |
Other information
- Report Type: Advisory
- Credits:
- Date Reported: 2024-11-22
- Version: 0.3.3
- AVID Entry