CVE-2024-11394: 
NixOS vulnerability analysis and mitigation

A critical vulnerability (CVE-2024-11394) was discovered in Hugging Face Transformers, specifically within the Trax model component. The vulnerability was identified and reported on November 19, 2024, and allows remote attackers to execute arbitrary code on affected installations. User interaction is required for exploitation, where the target must visit a malicious page or open a malicious file (ZDI Advisory).

The vulnerability stems from improper validation of user-supplied data in the handling of model files, leading to deserialization of untrusted data. It has been assigned a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The vulnerability is classified as CWE-502 (Deserialization of Untrusted Data) (NVD, ZDI Advisory).

If successfully exploited, this vulnerability allows attackers to execute arbitrary code in the context of the current user. The high CVSS score indicates severe potential impacts on confidentiality, integrity, and availability of the affected systems (ZDI Advisory).

The primary mitigation strategy is to restrict interaction with the application. The vulnerability affects versions up to (excluding) 4.48.0 of Hugging Face Transformers (ZDI Advisory).

The vulnerability was initially reported to the vendor on September 13, 2024, through a bug bounty platform. The vendor rejected the vulnerability on October 14, 2024, leading to its publication as a zero-day advisory on November 19, 2024 (ZDI Advisory).