CVE-2024-11394

CVSS 3.1 Score 8.8 of 10 (high)

Details

Published Nov 22, 2024
Updated: Nov 27, 2024
CWE ID 502

Summary

CVE-2024-11394 is a remote code execution vulnerability affecting Hugging Face Transformers. The issue is exploited through the deserialization of untrusted data in model files, which allows attackers to execute arbitrary code on affected installations. User interaction is required, as the target must visit a malicious page or open a malicious file. The flaw arises from insufficient validation of user-supplied data, making Hugging Face Transformers susceptible to code injection. The vulnerability was tracked as ZDI-CAN-25012 prior to its public disclosure.
