CVE-2024-11393: 
NixOS vulnerability analysis and mitigation

A critical vulnerability (CVE-2024-11393) was discovered in the Hugging Face Transformers library, specifically affecting the MaskFormer model. The vulnerability was identified on September 11, 2024, and publicly disclosed on November 19, 2024. This security flaw affects installations of Hugging Face Transformers versions up to (excluding) 4.48.0 (ZDI Advisory, NVD).

The vulnerability stems from improper validation of user-supplied data during the parsing of model files, leading to deserialization of untrusted data (CWE-502). The severity is rated as HIGH with a CVSS v3.1 base score of 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). The vulnerability requires user interaction, specifically requiring the target to visit a malicious page or open a malicious file (ZDI Advisory).

When successfully exploited, this vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. The execution occurs in the context of the current user, potentially leading to complete system compromise with the same privileges as the affected user (NVD).

The primary mitigation strategy is to restrict interaction with the application. The vulnerability was initially reported to the vendor via a bug bounty platform on September 11, 2024, but was rejected by the vendor on October 14, 2024. Currently, the only effective mitigation is to limit interaction with untrusted model files (ZDI Advisory).