2024-11-28
Platform: Hugging Face Transformers MaskFormer Model
Version: All versions before a fix is applied
Vulnerability: Deserialization of Untrusted Data Remote Code Execution
Severity: Critical
Date: November 22, 2024 (Published), November 27, 2024 (Last Modified)
What Undercode Says:
This critical vulnerability (CVE-2024-11393) allows attackers to execute malicious code on systems using the Hugging Face Transformers MaskFormer Model. It stems from a lack of proper validation for user-supplied data during model file parsing.
To exploit this vulnerability, a user would need to interact with a malicious file or webpage. An attacker could then potentially take control of the system with the same privileges as the current user.
Here’s what you need to do:
Update the Hugging Face Transformers library to the latest version that includes a fix for this vulnerability.
Be cautious when opening files or visiting websites from untrusted sources.
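The deserialization risk described above comes from a model file whose contents can instruct the loader to import and call arbitrary callables. The following added example (not from the advisory or the Transformers project) is a defender-side pre-load check: it walks the pickle opcode stream of a checkpoint without ever unpickling it and reports any import outside an allowlist. It assumes the model file is a pickle-based PyTorch checkpoint (a raw pickle or the zip layout torch.save writes), which the advisory does not state, and the allowlist and the two sample files are constructed for the demonstration.

```python
import collections
import io
import pickle
import pickletools
import zipfile

# Imports a legitimate PyTorch checkpoint needs to rebuild tensors: an assumed
# starting allowlist, to be extended deliberately for your own weight files.
ALLOWED_IMPORTS = {
    ("collections", "OrderedDict"),
    ("torch._utils", "_rebuild_tensor_v2"),
    ("torch._utils", "_rebuild_parameter"),
    ("torch", "FloatStorage"),
}

def find_imports(stream: bytes) -> list[tuple[str, str]]:
    """List every (module, name) the pickle stream would import, without unpickling it."""
    imports, recent_strings = [], []
    for opcode, arg, _pos in pickletools.genops(stream):
        if opcode.name == "GLOBAL":            # protocol <= 3: "module name" in one arg
            module, name = arg.split(" ", 1)
            imports.append((module, name))
        elif opcode.name == "STACK_GLOBAL":    # protocol 4+: module, name pushed just before
            if len(recent_strings) < 2:        # memo-referenced names: flag conservatively
                imports.append(("<unresolved>", "<unresolved>"))
            else:
                imports.append((recent_strings[-2], recent_strings[-1]))
        elif isinstance(arg, str):
            recent_strings.append(arg)
    return imports

def scan_checkpoint(blob: bytes) -> list[tuple[str, str]]:
    """Return imports outside the allowlist; an empty list means nothing unexpected."""
    if zipfile.is_zipfile(io.BytesIO(blob)):   # torch.save zip layout keeps */data.pkl inside
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            streams = [zf.read(n) for n in zf.namelist() if n.endswith(".pkl")]
    else:
        streams = [blob]                        # legacy single-pickle file
    return [imp for s in streams for imp in find_imports(s) if imp not in ALLOWED_IMPORTS]

def _zip_checkpoint(inner_pickle: bytes) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("model/data.pkl", inner_pickle)
    return buf.getvalue()

# Constructed samples: a plain state-dict-like pickle, and a zip checkpoint whose
# pickle references a callable (builtins.print) that no weight file should need.
BENIGN = pickle.dumps(collections.OrderedDict([("weight", [0.1, 0.2])]), protocol=4)
SUSPICIOUS = _zip_checkpoint(pickle.dumps(print, protocol=4))
```

Run the scan before any call that unpickles a downloaded checkpoint and refuse the file when the returned list is non-empty; a safetensors file needs no such scan because its format carries no code.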
Additional Notes:
This vulnerability was identified by the Zero Day Initiative (ZDI).
There is currently no public exploit code available, but it’s important to patch systems as soon as possible to mitigate the risk.
References:
Reported By: Nvd.nist.gov