CVE-2024-11394 (High) detected in transformers-4.46.3-py3-none-any.whl

[mend-for-github-com]

CVE-2024-11394 - High Severity Vulnerability

Vulnerable Library - transformers-4.46.3-py3-none-any.whl

State-of-the-art Machine Learning for JAX, PyTorch and TensorFlow

Library home page: https://files.pythonhosted.org/packages/51/51/b87caa939fedf307496e4dbf412f4b909af3d9ca8b189fc3b65c1faa456f/transformers-4.46.3-py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

• ❌ transformers-4.46.3-py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: b26ea1ea360ac0169a0529859b41eee57ac80bf1

Found in base branch: main

Vulnerability Details

Hugging Face Transformers Trax Model Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of model files. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-25012.

Publish Date: 2024-11-22

URL: CVE-2024-11394

CVSS 3 Score Details (8.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.