VulnerableCode Vulnerability Details

Staging Environment: Content and features may be unstable or change without notice.

Search for vulnerabilities

Vulnerability details: VCID-tzcs-6fp1-8yes

Essentials
Severities (19)
References (11)
Severity details (17)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-tzcs-6fp1-8yes
Aliases	CVE-2024-11393 GHSA-wrfc-pvp9-mr9g PYSEC-2024-228
Summary	Hugging Face Transformers MaskFormer Model Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of model files. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-25191.
Status	Published
Exploitability	0.5
Weighted Severity	8.0
Risk	4.0
Affected and Fixed Packages	Package Details

Weaknesses (3)

CWE-502	Deserialization of Untrusted Data
CWE-937	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

System	Score	Found at
cvssv3	8.8	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-11393.json
epss	0.79534	https://api.first.org/data/v1/epss?cve=CVE-2024-11393
epss	0.79534	https://api.first.org/data/v1/epss?cve=CVE-2024-11393
cvssv3.1	8.8	https://github.com/advisories/GHSA-wrfc-pvp9-mr9g
cvssv3.1	8.8	https://github.com/huggingface/transformers
generic_textual	HIGH	https://github.com/huggingface/transformers
cvssv3.1	8.8	https://github.com/huggingface/transformers/issues/34840
generic_textual	HIGH	https://github.com/huggingface/transformers/issues/34840
cvssv3.1	8.8	https://github.com/huggingface/transformers/pull/35296
generic_textual	HIGH	https://github.com/huggingface/transformers/pull/35296
cvssv3.1	8.8	https://github.com/pypa/advisory-database/tree/main/vulns/transformers/PYSEC-2024-228.yaml
generic_textual	HIGH	https://github.com/pypa/advisory-database/tree/main/vulns/transformers/PYSEC-2024-228.yaml
cvssv3.1	8.8	https://nvd.nist.gov/vuln/detail/CVE-2024-11393
generic_textual	HIGH	https://nvd.nist.gov/vuln/detail/CVE-2024-11393
cvssv3.1	8.8	https://www.zerodayinitiative.com/advisories/ZDI-24-1514
generic_textual	HIGH	https://www.zerodayinitiative.com/advisories/ZDI-24-1514
cvssv3	8.8	https://www.zerodayinitiative.com/advisories/ZDI-24-1514/
cvssv3.1	8.8	https://www.zerodayinitiative.com/advisories/ZDI-24-1514/
ssvc	Track	https://www.zerodayinitiative.com/advisories/ZDI-24-1514/

Reference id	Reference type	URL
		https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-11393.json
		https://api.first.org/data/v1/epss?cve=CVE-2024-11393
		https://github.com/advisories/GHSA-wrfc-pvp9-mr9g
		https://github.com/huggingface/transformers
		https://github.com/huggingface/transformers/issues/34840
		https://github.com/huggingface/transformers/pull/35296
		https://github.com/pypa/advisory-database/tree/main/vulns/transformers/PYSEC-2024-228.yaml
		https://nvd.nist.gov/vuln/detail/CVE-2024-11393
		https://www.zerodayinitiative.com/advisories/ZDI-24-1514
2328394		https://bugzilla.redhat.com/show_bug.cgi?id=2328394
ZDI-24-1514		https://www.zerodayinitiative.com/advisories/ZDI-24-1514/

No exploits are available.

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-11393.json

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://github.com/advisories/GHSA-wrfc-pvp9-mr9g

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://github.com/huggingface/transformers

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://github.com/huggingface/transformers/issues/34840

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://github.com/huggingface/transformers/pull/35296

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://github.com/pypa/advisory-database/tree/main/vulns/transformers/PYSEC-2024-228.yaml

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2024-11393

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://www.zerodayinitiative.com/advisories/ZDI-24-1514

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://www.zerodayinitiative.com/advisories/ZDI-24-1514/

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://www.zerodayinitiative.com/advisories/ZDI-24-1514/

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-11-26T15:15:05Z/ Found at https://www.zerodayinitiative.com/advisories/ZDI-24-1514/

Exploit Prediction Scoring System (EPSS)

Percentile	0.99108
EPSS Score	0.79534
Published At	June 11, 2026, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2026-06-10T18:46:19.186217+00:00	Vulnrichment	Import	https://github.com/cisagov/vulnrichment/blob/develop/2024/11xxx/CVE-2024-11393.json	38.6.0