{"data":{"id":"5938c2f6-acf0-4414-b032-cad542021777","title":"CVE-2024-11393: Hugging Face Transformers MaskFormer Model Deserialization of Untrusted Data Remote Code Execution Vulnerability. This v","summary":"A vulnerability in Hugging Face Transformers' MaskFormer model allows attackers to run arbitrary code (RCE, or remote code execution) on a user's computer if they visit a malicious webpage or open a malicious file. The flaw occurs because the model file parser doesn't properly validate user-supplied data before deserializing it (converting saved data back into working code), allowing attackers to inject and execute malicious code.","solution":"N/A -- no mitigation discussed in source.","labels":["security"],"sourceUrl":"https://nvd.nist.gov/vuln/detail/CVE-2024-11393","publishedAt":"2024-11-23T03:15:07.100Z","cveId":"CVE-2024-11393","cweIds":["CWE-502"],"cvssScore":"8.8","cvssSeverity":"high","severity":"high","attackType":["model_theft"],"issueType":"vulnerability","affectedPackages":null,"affectedVendors":["HuggingFace"],"affectedVendorsRaw":["Hugging Face","Hugging Face Transformers","MaskFormer"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0.76116,"patchAvailable":null,"disclosureDate":null,"capecIds":["CAPEC-586"],"crossRefCount":0,"attackSophistication":"moderate","impactType":["integrity","confidentiality"],"aiComponentTargeted":"model","llmSpecific":false,"classifierConfidence":0.92,"researchCategory":null,"atlasIds":null}}