Vendor: Transformers
By: The Kernel Panic
CVSS: 8.1
Severity: CRITICAL
Type: Remote Code Execution (RCE)
CWE: 94
Product Name: Transformers
Affected Version From: 4.41.1
Affected Version To: 4.41.1
Patch Exists: NO
Related CWE: CVE-2024-11392
CPE: huggingface:transformers:4.41.1
Metasploit:
Other Scripts:
Platforms Tested: Linux, Windows, Mac
2024

Hugging Face Transformers MobileViTV2 Remote Code Execution

Hugging Face Transformers version 4.41.1 is vulnerable to Remote Code Execution (RCE) in its MobileViTV2 conversion tooling. When the convert_mlcvnets_to_pytorch.py script deserializes a maliciously crafted YAML configuration file, an attacker can execute arbitrary code on the target system. This vulnerability has been assigned CVE-2024-11392.

Mitigation:

To mitigate this vulnerability, users should avoid running the convert_mlcvnets_to_pytorch.py script with untrusted configuration files. It is recommended to sanitize inputs and validate the content of configuration files before processing them.
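
One way to validate a configuration file before it reaches the conversion script, shown as an added example that is not code from Transformers or from the original advisory. It assumes the file is parsed with PyYAML; `find_disallowed_tags`, `load_config`, `UnsafeConfigError` and the sample configs are hypothetical names and constructed inputs.

```python
import yaml  # PyYAML (assumed to be the parser used for the config file)

# Tags of the YAML core schema: plain data only. Extend deliberately if a
# config legitimately needs more (for example timestamps or merge keys).
ALLOWED_TAGS = {"tag:yaml.org,2002:" + t
                for t in ("null", "bool", "int", "float", "str", "seq", "map")}

# Constructed sample inputs (not taken from the advisory).
GOOD_CONFIG = "model:\n  name: mobilevitv2\n  width_multiplier: 1.0\n  classes: [cat, dog]\n"
TAGGED_CONFIG = "model:\n  name: !!python/name:builtins.len ''\n"


class UnsafeConfigError(ValueError):
    """Raised when a config file contains anything other than plain data."""


def find_disallowed_tags(text):
    """Return the sorted tags in `text` that fall outside ALLOWED_TAGS.

    yaml.compose() only builds the node graph; no Python object is constructed.
    """
    root = yaml.compose(text, Loader=yaml.SafeLoader)
    bad, seen, stack = set(), set(), [root]
    while stack:
        node = stack.pop()
        if node is None or id(node) in seen:  # empty document or alias cycle
            continue
        seen.add(id(node))
        if node.tag not in ALLOWED_TAGS:
            bad.add(node.tag)
        if isinstance(node, yaml.MappingNode):
            for key, value in node.value:
                stack += [key, value]
        elif isinstance(node, yaml.SequenceNode):
            stack += node.value
    return sorted(bad)


def load_config(text):
    """Reject tagged or malformed configs, then parse with the safe loader."""
    bad = find_disallowed_tags(text)
    if bad:
        raise UnsafeConfigError(f"disallowed YAML tags: {bad}")
    data = yaml.safe_load(text)
    if not isinstance(data, dict):
        raise UnsafeConfigError("top level of config must be a mapping")
    return data
```

The check fails closed: parse errors from PyYAML propagate as `yaml.YAMLError`, and anything that is not a plain mapping of core-schema values is refused before any object is constructed.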

Exploit-DB raw data: