CVE-2024-11393: Transformers RCE — HIGH

Q: Is CVE-2024-11393 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-11393, increasing the risk of exploitation.

Q: How to fix CVE-2024-11393?

1. PATCH: Upgrade transformers to >= 4.48.0 immediately (pip install --upgrade transformers). 2. INVENTORY: Identify all services, pipelines, and containers using transformers < 4.48.0 (grep requirements.txt, Pipfile, pyproject.toml, Dockerfiles). 3. RESTRICT: Enforce model loading only from internal, verified model registries; disable arbitrary model pulls from public Hub in production. 4. VERIFY: Implement model signature verification or hash pinning before loading any external model artifact. 5. DETECT: Monitor for unexpected network connections or process spawning from Python ML processes. 6. SCAN: Run dependency audits (pip-audit, safety) across all ML environments. Workaround if patching is blocked: whitelist approved model IDs and validate against known-good checksums before deserialization.

Q: What systems are affected by CVE-2024-11393?

This vulnerability affects the following AI/ML architecture patterns: model serving, training pipelines, MLOps automation pipelines, computer vision inference systems, model evaluation workflows.

Q: What is the CVSS score for CVE-2024-11393?

CVE-2024-11393 has a CVSS v3.1 base score of 8.8 (HIGH). The EPSS exploitation probability is 2.92%.

CISO Take

Any environment running HuggingFace Transformers < 4.48.0 that loads MaskFormer models is vulnerable to remote code execution — no credentials needed, just loading a malicious model file. With an EPSS of 0.76 (top 3% of all CVEs), exploitation probability is very high; patch immediately or block untrusted model loading. This is a direct supply chain risk: a malicious actor can publish a poisoned model to HuggingFace Hub and trigger RCE when your pipeline loads it.

What is the risk?

High severity (CVSS 8.8) amplified by an exceptionally high EPSS score of 0.76116, indicating strong real-world exploitation likelihood. The attack requires no privileges and is network-accessible; the only friction is user interaction (loading a model file), which is routine in ML workflows — making the effective barrier extremely low. AI/ML environments that auto-download models from Hub registries without signature verification are at critical risk. Not yet in CISA KEV but EPSS trajectory suggests imminent active exploitation.

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
Transformers	pip	—	No patch
161.8K OpenSSF 6.4 8.3K dependents Pushed 5d ago 40% patched ~92d to patch Full package profile →
Transformers	pip	>= 0, < 4.48.0	`4.48.0`
161.8K OpenSSF 6.4 8.3K dependents Pushed 5d ago 40% patched ~92d to patch Full package profile →

How severe is it?

CVSS 3.1

8.8 / 10

EPSS

2.9%

chance of exploitation in 30 days

Higher than 85% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ Public PoC indexed (trickest/cve)

Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV Network

AC Low

PR None

UI Required

S Unchanged

C High

I High

A High

What should I do?

6 steps

PATCH

Upgrade transformers to >= 4.48.0 immediately (pip install --upgrade transformers).
INVENTORY

Identify all services, pipelines, and containers using transformers < 4.48.0 (grep requirements.txt, Pipfile, pyproject.toml, Dockerfiles).
RESTRICT

Enforce model loading only from internal, verified model registries; disable arbitrary model pulls from public Hub in production.
VERIFY

Implement model signature verification or hash pinning before loading any external model artifact.
DETECT

Monitor for unexpected network connections or process spawning from Python ML processes.
SCAN

Run dependency audits (pip-audit, safety) across all ML environments. Workaround if patching is blocked: whitelist approved model IDs and validate against known-good checksums before deserialization.

What does CISA's SSVC say?

Decision Track

Exploitation none

Automatable No

Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Code Execution Supply Chain Framework Model AML.T0010.001 - AI Software AML.T0010.003 - Model AML.T0011.000 - Unsafe AI Artifacts AML.T0018.002 - Embed Malware AML.T0058 - Publish Poisoned Models AML.T0078 - Drive-by Compromise

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity Article 9 - Risk management system

ISO 42001

A.6.1.4 - AI supply chain security A.9.4 - Protection of AI system resources

NIST AI RMF

GOVERN 1.7 - Processes for AI risk management MANAGE 2.2 - Mechanisms for AI risk treatment

OWASP LLM Top 10

LLM03:2025 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2024-11393?

Any environment running HuggingFace Transformers < 4.48.0 that loads MaskFormer models is vulnerable to remote code execution — no credentials needed, just loading a malicious model file. With an EPSS of 0.76 (top 3% of all CVEs), exploitation probability is very high; patch immediately or block untrusted model loading. This is a direct supply chain risk: a malicious actor can publish a poisoned model to HuggingFace Hub and trigger RCE when your pipeline loads it.

Is CVE-2024-11393 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-11393, increasing the risk of exploitation.

How to fix CVE-2024-11393?

1. PATCH: Upgrade transformers to >= 4.48.0 immediately (pip install --upgrade transformers). 2. INVENTORY: Identify all services, pipelines, and containers using transformers < 4.48.0 (grep requirements.txt, Pipfile, pyproject.toml, Dockerfiles). 3. RESTRICT: Enforce model loading only from internal, verified model registries; disable arbitrary model pulls from public Hub in production. 4. VERIFY: Implement model signature verification or hash pinning before loading any external model artifact. 5. DETECT: Monitor for unexpected network connections or process spawning from Python ML processes. 6. SCAN: Run dependency audits (pip-audit, safety) across all ML environments. Workaround if patching is blocked: whitelist approved model IDs and validate against known-good checksums before deserialization.

What systems are affected by CVE-2024-11393?

This vulnerability affects the following AI/ML architecture patterns: model serving, training pipelines, MLOps automation pipelines, computer vision inference systems, model evaluation workflows.

What is the CVSS score for CVE-2024-11393?

CVE-2024-11393 has a CVSS v3.1 base score of 8.8 (HIGH). The EPSS exploitation probability is 2.92%.

What is the AI security impact?

Affected AI Architectures

model servingtraining pipelinesMLOps automation pipelinescomputer vision inference systemsmodel evaluation workflows

MITRE ATLAS Techniques

AML.T0010.001 AI Software

AML.T0010.003 Model

AML.T0011.000 Unsafe AI Artifacts

AML.T0018.002 Embed Malware

AML.T0058 Publish Poisoned Models

AML.T0078 Drive-by Compromise

Compliance Controls Affected

EU AI Act: Article 15, Article 9

ISO 42001: A.6.1.4, A.9.4

NIST AI RMF: GOVERN 1.7, MANAGE 2.2

OWASP LLM Top 10: LLM03:2025

What are the technical details?

Original Advisory

Hugging Face Transformers MaskFormer Model Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of model files. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-25191.

Exploitation Scenario

An adversary crafts a malicious MaskFormer model file containing a serialized Python pickle payload that executes arbitrary OS commands upon deserialization. They publish this model to HuggingFace Hub under a convincing name (e.g., 'facebook/maskformer-swin-large-ade-optimized'). A data science team or automated MLOps pipeline calls from_pretrained() on the malicious model ID — a completely standard operation. The pickle payload fires during model loading, granting the attacker a reverse shell in the ML worker's process context, with access to training data, API keys in environment variables, cloud credentials, and internal network segments. No special privileges or prior access required.

Weaknesses (CWE)

CWE-502 Deserialization of Untrusted Data Primary CWE-502 Deserialization of Untrusted Data

CWE-502 — Deserialization of Untrusted Data: The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

[Architecture and Design, Implementation] If available, use the signing/sealing features of the programming language to assure that deserialized data has not been tainted. For example, a hash-based message authentication code (HMAC) could be used to ensure that data has not been modified.
[Implementation] When deserializing data, populate a new object rather than just deserializing. The result is that the data flows through safe input validation and that the functions are safe.

Source: MITRE CWE corpus.