CVE-2024-11392: 
NixOS vulnerability analysis and mitigation

A critical vulnerability was discovered in Hugging Face Transformers' MobileViTV2 model, identified as CVE-2024-11392. The vulnerability was reported on November 19, 2024, and affects the Transformers library's handling of configuration files. This security flaw allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers, though user interaction is required through visiting a malicious page or opening a malicious file (ZDI Advisory).

The vulnerability stems from a deserialization of untrusted data issue within the handling of configuration files. The flaw is characterized by the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. The vulnerability has received a CVSS v3.1 base score of 8.8 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, indicating high severity across confidentiality, integrity, and availability impacts (NVD).

When successfully exploited, this vulnerability enables attackers to execute arbitrary code in the context of the current user. The high CVSS score indicates severe potential impacts on system confidentiality, integrity, and availability. The vulnerability affects all versions of Hugging Face Transformers up to (excluding) version 4.48.0 (NVD).

Given the nature of the vulnerability, the primary mitigation strategy is to restrict interaction with the application. Users should upgrade to Hugging Face Transformers version 4.48.0 or later, as this version addresses the vulnerability (ZDI Advisory).

The vulnerability was initially reported through a third-party bug bounty program on August 7, 2024, but was rejected for being out of scope. After subsequent attempts to report through another recommended platform, the vendor rejected the vulnerability on October 14, 2024, leading to its public disclosure as a zero-day advisory on November 19, 2024 (ZDI Advisory).