8.8

CVSS Score

3.0

Basic Information

CVE ID

CVE-2024-11393

GHSA ID

GHSA-wrfc-pvp9-mr9g

EPSS Score

0.97063%

CWE

CWE-502

Published

11/23/2024

Updated

2/13/2025

KEV Status

Technology

Python

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-11393

CVE-2024-11393:
Deserialization of Untrusted Data in Hugging Face Transformers

Hugging Face Transformers MaskFormer Model Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the parsing of model files. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-25191.

(GitHub Advisory)

8.8

CVSS Score

3.0

Basic Information

CVE ID

CVE-2024-11393

GHSA ID

GHSA-wrfc-pvp9-mr9g

EPSS Score

0.97063%

CWE

CWE-502

Published

11/23/2024

Updated

2/13/2025

KEV Status

Technology

Python

Technical Details

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
transformers	pip	>= 0, < 4.48.0	4.48.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from model conversion scripts that handle deserialization of checkpoint files. The linked GitHub PR #35296 explicitly removes these scripts from release wheels due to their use of insecure deserialization (e.g., loading pickle or legacy .bin files). These scripts lack proper validation, enabling RCE when untrusted model files are loaded. While specific function names aren't provided in the sources, the removal of conversion scripts in the patch confirms their role in the vulnerability. The confidence is high due to the direct correlation between the CVE description, the patch action, and the nature of deserialization in conversion workflows.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*u**in* **** Tr*ns*orm*rs M*sk*orm*r Mo**l **s*ri*liz*tion o* Untrust** **t* R*mot* *o** *x**ution Vuln*r**ility. T*is vuln*r**ility *llows r*mot* *tt**k*rs to *x**ut* *r*itr*ry *o** on *****t** inst*ll*tions o* *u**in* **** Tr*ns*orm*rs. Us*r int*r*

Reasoning

T** vuln*r**ility st*ms *rom mo**l *onv*rsion s*ripts t**t **n*l* **s*ri*liz*tion o* ****kpoint *il*s. T** link** *it*u* PR #***** *xpli*itly r*mov*s t**s* s*ripts *rom r*l**s* w***ls *u* to t**ir us* o* ins**ur* **s*ri*liz*tion (*.*., lo**in* pi*kl*

8.8

Basic Information

Concerned about an active attack path?

CVE-2024-11393: Deserialization of Untrusted Data in Hugging Face Transformers

8.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2024-11393:
Deserialization of Untrusted Data in Hugging Face Transformers

Vulnerability Intelligence
Miggo AI