CVE-2024-11392: HuggingFace Transformers: RCE via config deserialization

GHSA-qxrp-vhvm-j765 | Severity: HIGH | PoC available
Published November 22, 2024
CISO Take

Any team running Hugging Face Transformers below 4.48.0 is exposed to full RCE if a user loads a malicious model config file — a routine action in ML workflows. With EPSS at ~55%, exploitation probability is high; patch immediately. Audit all model sources your team loads: HuggingFace Hub, shared drives, or third-party repositories are all potential delivery vectors.

What is the risk?

High risk for organizations with active ML engineering teams. CVSS 8.8 combined with EPSS ~55% signals realistic near-term exploitation. The attack requires user interaction (loading a malicious config), but this is indistinguishable from normal ML workflows where engineers routinely call AutoConfig.from_pretrained() or load_config() from external sources. Transformers is one of the most deployed ML libraries globally, making the blast radius enormous. Not in CISA KEV yet, but supply-chain delivery via HuggingFace Hub makes silent compromise plausible.

What systems are affected?

Package        Ecosystem   Vulnerable Range    Patched
Transformers   pip         >= 0, < 4.48.0      4.48.0

Package profile: 161.8K, OpenSSF 6.4, 8.3K dependents, pushed 5d ago, 40% patched, ~92d to patch

How severe is it?

CVSS 3.1: 8.8 / 10
EPSS: 6.9% chance of exploitation in 30 days (higher than 93% of all CVEs)
Exploitation Status: Exploit Available (Exploitation: MEDIUM)
Sophistication: Trivial
Exploitation Confidence: medium
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

What should I do?

6 steps

  1. IMMEDIATE: Upgrade transformers to >= 4.48.0 across all environments (dev, staging, prod, CI/CD).
  2. Audit all model and config loading: identify every from_pretrained() call and its source.
  3. Allowlist trusted model sources; block loading configs from arbitrary URLs or unapproved HuggingFace repositories.
  4. Run pip-audit and dependency scanners in CI pipelines to catch transitive exposure.
  5. Detection: monitor for unexpected child process spawning from Python processes (especially GPU workers or inference servers).
  6. Workaround if patching is delayed: load only locally stored, checksummed configs and avoid loading configs from remote sources or untrusted parties.
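One way to implement steps 3 and 6 (source allowlisting, then a pinned checksum check before a config is parsed), as an added example that is not part of this advisory or of the Transformers project. The approved organisation names, the local model root and the sample config bytes are constructed placeholders; the function returns a plain dict for your own loading code and never fetches from an arbitrary source.

```python
import hashlib
import hmac
import json
from pathlib import Path

# Constructed allowlist (hypothetical values): Hub namespaces your team has
# reviewed, and the only local directory from which config.json may be read.
APPROVED_HUB_ORGS = {"google", "apple", "facebook"}
APPROVED_LOCAL_ROOTS = (Path("/models/approved"),)

# Constructed sample config.json and its pinned digest, as an intake pipeline
# would record them when a model is first approved.
SAMPLE_CONFIG = b'{"model_type": "mobilevitv2", "hidden_sizes": [64, 128, 256]}'


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of raw config bytes; this is the value pinned at approval time."""
    return hashlib.sha256(data).hexdigest()


SAMPLE_DIGEST = sha256_hex(SAMPLE_CONFIG)


def is_allowed_source(source: str) -> bool:
    """True only for 'org/name' Hub ids from approved orgs or paths under an
    approved root. URLs and any other namespace are rejected (step 3)."""
    if "://" in source:  # never fetch configs from arbitrary URLs
        return False
    if source.startswith(("/", "./", "../")):
        path = Path(source).resolve()
        return any(path == root or root in path.parents for root in APPROVED_LOCAL_ROOTS)
    org, sep, name = source.partition("/")
    return bool(sep) and bool(name) and "/" not in name and org in APPROVED_HUB_ORGS


def verify_config_bytes(data: bytes, expected_sha256: str) -> bool:
    """Constant-time comparison of the file's digest against the pinned one."""
    return hmac.compare_digest(sha256_hex(data), expected_sha256.lower())


def load_trusted_config(data: bytes, expected_sha256: str) -> dict:
    """Parse config.json only after the pinned digest matches (step 6).
    Returns a plain dict; nothing from the file is executed or unpickled."""
    if not verify_config_bytes(data, expected_sha256):
        raise ValueError("config.json digest mismatch; refusing to load")
    cfg = json.loads(data)
    if not isinstance(cfg, dict) or "model_type" not in cfg:
        raise ValueError("config.json is not a model config object")
    return cfg
```

Gate every from_pretrained() source through is_allowed_source() first, and pin digests at model intake so a swapped config.json fails closed.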

What does CISA's SSVC say?

Decision: Track
Exploitation: none
Automatable: No
Technical Impact: total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
  • Art.15 - Accuracy, robustness and cybersecurity
  • Art.9 - Risk management system for high-risk AI
ISO 42001
  • 6.1.2 - AI risk assessment
  • 8.4 - AI system lifecycle — acquisition and supply chain
NIST AI RMF
  • GOVERN-6.1 - Policies and procedures for AI risk in the supply chain
  • MANAGE-2.2 - Mechanisms to address identified AI risks
OWASP LLM Top 10
  • LLM05:2025 - Insecure Output Handling / Supply Chain Vulnerabilities

Frequently Asked Questions

Is CVE-2024-11392 actively exploited?

A working exploit for CVE-2024-11392 is published in Exploit-DB, increasing the risk of exploitation.

What systems are affected by CVE-2024-11392?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving, fine-tuning workflows, MLOps platforms, data science environments.

What is the CVSS score for CVE-2024-11392?

CVE-2024-11392 has a CVSS v3.1 base score of 8.8 (HIGH). The EPSS exploitation probability is 6.90%.

What is the AI security impact?

Affected AI Architectures

training pipelines, model serving, fine-tuning workflows, MLOps platforms, data science environments

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0011 User Execution
AML.T0011.000 Unsafe AI Artifacts
AML.T0018.002 Embed Malware
AML.T0058 Publish Poisoned Models
AML.T0078 Drive-by Compromise

Compliance Controls Affected

EU AI Act: Art.15, Art.9
ISO 42001: 6.1.2, 8.4
NIST AI RMF: GOVERN-6.1, MANAGE-2.2
OWASP LLM Top 10: LLM05:2025

What are the technical details?

Original Advisory

Hugging Face Transformers MobileViTV2 Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of configuration files. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-24322.

Exploitation Scenario

An adversary publishes a weaponized MobileViTV2 model on HuggingFace Hub with a malicious serialized configuration file. They promote it via forums, GitHub issues, or ML community channels as a performance-optimized checkpoint. A data scientist or ML engineer runs AutoConfig.from_pretrained('attacker/malicious-mobilevitv2') or opens a shared config.json file received via Slack. During deserialization, the config triggers arbitrary code execution — dropping a reverse shell, exfiltrating API keys from environment variables, or pivoting to connected GPU infrastructure and model registries. The attack is invisible: the model may appear to load and run correctly while the payload executes in the background.
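A defender-side check for the post-load behaviour described above, mirroring step 5 of the recommendations (alert when a Python worker spawns a child outside its baseline). This is an added example, not code from the advisory or from any EDR product; the one-line event format, the expected-children baseline and the sample events are all constructed.

```python
# Constructed process-creation events standing in for EDR or auditd telemetry.
# Hypothetical one-line format: "ts ppid parent_comm pid comm cmdline".
SAMPLE_EVENTS = """\
1700000001 4110 python3 4201 python3 python3 -c "import torch"
1700000002 4110 python3 4202 sh sh -c /tmp/.cache/run.sh
1700000003 4110 python3 4203 nvidia-smi nvidia-smi --query-gpu=memory.used
1700000004 3999 bash 4204 curl curl https://example.invalid/index.html
1700000005 4110 python3 4205 curl curl -X POST https://example.invalid/upload
"""

PYTHON_PARENTS = {"python", "python3", "python3.11"}
# Constructed baseline of children an inference worker is expected to spawn;
# derive yours from a quiet period of real telemetry for each service.
EXPECTED_CHILDREN = {"python", "python3", "nvidia-smi", "git", "git-lfs"}
SHELLS_AND_DOWNLOADERS = {"sh", "bash", "dash", "zsh", "curl", "wget", "nc", "ncat", "perl"}


def parse_event(line: str) -> dict:
    """Split one constructed event line into its fields; cmdline keeps its spaces."""
    ts, ppid, parent_comm, pid, comm, cmdline = line.split(maxsplit=5)
    return {"ts": int(ts), "ppid": int(ppid), "parent_comm": parent_comm,
            "pid": int(pid), "comm": comm, "cmdline": cmdline}


def classify(event: dict):
    """Return an alert when a Python parent spawns a child outside the baseline.
    Shells and downloaders are rated high, any other unknown child medium."""
    if event["parent_comm"] not in PYTHON_PARENTS or event["comm"] in EXPECTED_CHILDREN:
        return None
    severity = "high" if event["comm"] in SHELLS_AND_DOWNLOADERS else "medium"
    return {"pid": event["pid"], "comm": event["comm"],
            "severity": severity, "cmdline": event["cmdline"]}


def find_unexpected_children(events_text: str) -> list:
    """Run the rule over a batch of event lines and collect the alerts in order."""
    alerts = []
    for line in events_text.splitlines():
        if line.strip():
            alert = classify(parse_event(line))
            if alert:
                alerts.append(alert)
    return alerts
```

Against the sample batch only the sh and curl children of the Python worker (pids 4202 and 4205) are flagged; the curl spawned by bash is outside the rule's scope.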

Weaknesses (CWE)

CWE-502 — Deserialization of Untrusted Data: The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

  • [Architecture and Design, Implementation] If available, use the signing/sealing features of the programming language to assure that deserialized data has not been tainted. For example, a hash-based message authentication code (HMAC) could be used to ensure that data has not been modified.
  • [Implementation] When deserializing data, populate a new object rather than just deserializing. The result is that the data flows through safe input validation and that the functions are safe.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Timeline

Published: November 22, 2024
Last Modified: February 13, 2025
First Seen: November 22, 2024
