CVE-2024-11394: Transformers: RCE via Trax model deserialization

GHSA-hxxf-235m-72v3 | Severity: HIGH | Public PoC available
Published November 22, 2024
CISO Take

Any team loading Trax model files through Hugging Face Transformers < 4.48.0 is exposed to remote code execution — including automated MLOps pipelines that pull from model hubs. Patch to 4.48.0 immediately and audit every model-loading path in your ML infrastructure. Treat untrusted model files the same way you treat untrusted executables.

What is the risk?

CVSS 8.8 with ~59% EPSS indicates meaningful real-world exploitation probability. While user interaction is required, this bar is trivially cleared via social engineering, compromised model repositories, or automated pipelines that pull community models without verification. The attack requires no privileges and executes under the context of the loading process — in MLOps environments this is often a privileged service account with broad data/infrastructure access. Impact is amplified because Transformers is one of the most widely deployed ML libraries globally.

What systems are affected?

Package        Ecosystem   Vulnerable Range    Patched
Transformers   pip         >= 0, < 4.48.0      4.48.0

How severe is it?

CVSS 3.1
8.8 / 10
EPSS
2.4%
chance of exploitation in 30 days
Higher than 82% of all CVEs
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

Metric                       Value
AV (Attack Vector)           Network
AC (Attack Complexity)       Low
PR (Privileges Required)     None
UI (User Interaction)        Required
S  (Scope)                   Unchanged
C  (Confidentiality)         High
I  (Integrity)               High
A  (Availability)            High

What should I do?

7 steps
  1. Patch immediately: upgrade transformers to >= 4.48.0 across all environments (training, inference, CI/CD).

  2. Audit model provenance: inventory all locations where Trax model files are loaded and verify each source is trusted.

  3. Restrict model loading: enforce allowlists for model sources; block loading from arbitrary URLs or unvetted user uploads.

  4. Implement model signing: use cryptographic signatures (e.g., Sigstore/cosign) to verify model integrity before loading.

  5. Apply least privilege: run model-loading processes with minimal OS permissions and network access, ideally in sandboxed containers.

  6. Monitor for exploitation: alert on unexpected outbound connections or process spawning during model load events.

  7. Review CI/CD pipelines: any automated job that loads Trax models from external registries should be updated before next run.
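As an added example (not code from the advisory or from Transformers), the gate below combines steps 2 through 4 above: a checkpoint is refused unless its SHA-256 matches a pinned value, and the pickle stream is then scanned for imports outside an expected set before any deserializer touches it. It assumes a Trax checkpoint is a pickle stream, optionally gzip-compressed; SAFE_GLOBALS, the pinned hash and the sample streams are constructed placeholders.

```python
"""Pre-load gate for Trax checkpoint files: added example, not code from the advisory or
Transformers. Assumes a Trax checkpoint is a pickle stream, optionally gzip-compressed;
SAFE_GLOBALS, pinned hashes and the sample streams are constructed placeholders."""
import gzip, hashlib, math, pickle, pickletools

# Imports a plain array checkpoint may legitimately pull in (assumed allowlist; extend per project).
SAFE_GLOBALS = {("numpy", "ndarray"), ("numpy", "dtype"),
                ("numpy.core.multiarray", "_reconstruct"), ("collections", "OrderedDict")}

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def unsafe_globals(data: bytes) -> list:
    """(module, name) pairs the stream would import that are outside the allowlist.
    Any such import is a path to code execution the moment the file is unpickled."""
    found, strings = set(), []
    for op, arg, _ in pickletools.genops(data):
        if op.name in ("SHORT_BINUNICODE", "BINUNICODE", "UNICODE"):
            strings.append(arg)                  # kept for STACK_GLOBAL below
        elif op.name == "GLOBAL":                # protocol <= 3: "module name" in one argument
            mod, _, name = arg.partition(" ")
            found.add((mod, name))
        elif op.name == "STACK_GLOBAL":          # protocol 4+: module and name are the last two strings
            found.add(tuple(strings[-2:]) if len(strings) >= 2 else ("<unknown>", "<unknown>"))
    return sorted(found - SAFE_GLOBALS)

def check_checkpoint(blob: bytes, expected_sha256: str) -> dict:
    """Gate a checkpoint before it reaches any deserializer: pinned hash first, opcode scan second.
    Only a blob that passes both should ever be handed to a Trax/Transformers loader."""
    digest = sha256_hex(blob)
    if digest != expected_sha256:
        return {"ok": False, "reason": f"hash mismatch: got {digest}"}
    try:
        raw = gzip.decompress(blob) if blob[:2] == b"\x1f\x8b" else blob
        bad = unsafe_globals(raw)
    except Exception as exc:                     # truncated or malformed stream: refuse to load
        return {"ok": False, "reason": f"unparseable pickle stream: {exc}"}
    if bad:
        return {"ok": False, "reason": "unexpected imports: " + ", ".join(f"{m}.{n}" for m, n in bad)}
    return {"ok": True, "reason": "pinned hash matched; no imports outside the allowlist"}

# Constructed samples: a plain weights dict, and a stream that references a harmless global
# (math.sqrt) to stand in for the kind of import a tampered checkpoint would carry.
SAMPLE_CLEAN = pickle.dumps({"weights": [1.0, 2.0]}, protocol=2)
SAMPLE_CLEAN_GZ = gzip.compress(SAMPLE_CLEAN)
SAMPLE_SUSPICIOUS = pickle.dumps(math.sqrt, protocol=4)

if __name__ == "__main__":
    for name, blob in (("clean", SAMPLE_CLEAN_GZ), ("suspicious", SAMPLE_SUSPICIOUS)):
        print(name, check_checkpoint(blob, sha256_hex(blob)))
```

The opcode scan is a minimal stand-in for a full scanner (it does not follow memo references), so treat it as a pre-filter in front of signature verification rather than a replacement for it.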

What does CISA's SSVC say?

Decision: Track
Exploitation: none
Automatable: No
Technical Impact: total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
Article 9 - Risk management system
ISO 42001
A.6.1.3 - AI risk assessment
A.8.5 - AI system configuration management
NIST AI RMF
GOVERN 6.1 - Policies and procedures for AI risk across the supply chain
MANAGE 2.2 - Mechanisms to sustain safe AI deployment
OWASP LLM Top 10
LLM03:2025 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2024-11394?

Any team loading Trax model files through Hugging Face Transformers < 4.48.0 is exposed to remote code execution — including automated MLOps pipelines that pull from model hubs. Patch to 4.48.0 immediately and audit every model-loading path in your ML infrastructure. Treat untrusted model files the same way you treat untrusted executables.

Is CVE-2024-11394 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-11394, increasing the risk of exploitation.

How to fix CVE-2024-11394?

  1. Patch immediately: upgrade transformers to >= 4.48.0 across all environments (training, inference, CI/CD).
  2. Audit model provenance: inventory all locations where Trax model files are loaded and verify each source is trusted.
  3. Restrict model loading: enforce allowlists for model sources; block loading from arbitrary URLs or unvetted user uploads.
  4. Implement model signing: use cryptographic signatures (e.g., Sigstore/cosign) to verify model integrity before loading.
  5. Apply least privilege: run model-loading processes with minimal OS permissions and network access, ideally in sandboxed containers.
  6. Monitor for exploitation: alert on unexpected outbound connections or process spawning during model load events.
  7. Review CI/CD pipelines: any automated job that loads Trax models from external registries should be updated before next run.

What systems are affected by CVE-2024-11394?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving, MLOps pipelines, model hub integrations, fine-tuning workflows, research/experimentation environments.

What is the CVSS score for CVE-2024-11394?

CVE-2024-11394 has a CVSS v3.1 base score of 8.8 (HIGH). The EPSS exploitation probability is 2.44%.

What is the AI security impact?

Affected AI Architectures

training pipelines, model serving, MLOps pipelines, model hub integrations, fine-tuning workflows, research/experimentation environments

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0010.003 Model
AML.T0011.000 Unsafe AI Artifacts
AML.T0018.002 Embed Malware
AML.T0058 Publish Poisoned Models
AML.T0078 Drive-by Compromise

Compliance Controls Affected

EU AI Act: Article 15, Article 9
ISO 42001: A.6.1.3, A.8.5
NIST AI RMF: GOVERN 6.1, MANAGE 2.2
OWASP LLM Top 10: LLM03:2025

What are the technical details?

Original Advisory

Hugging Face Transformers Trax Model Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of model files. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-25012.

Exploitation Scenario

An adversary publishes a Trax model to HuggingFace Hub under a name resembling a popular legitimate model (typosquatting) or directly contributes a malicious model to an open-source project. A data scientist or automated MLOps pipeline calls `from_pretrained()` or equivalent Trax loading logic, triggering deserialization of the attacker-controlled payload. The embedded malicious code executes in the context of the loading process — typically granting the attacker access to training data, cloud credentials stored in environment variables, GPU cluster credentials, or the ability to backdoor subsequent model outputs. In enterprise environments, this frequently leads to lateral movement via stolen IAM credentials or cloud metadata service access.

Weaknesses (CWE)

CWE-502 — Deserialization of Untrusted Data: The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

  • [Architecture and Design, Implementation] If available, use the signing/sealing features of the programming language to assure that deserialized data has not been tainted. For example, a hash-based message authentication code (HMAC) could be used to ensure that data has not been modified.
  • [Implementation] When deserializing data, populate a new object rather than just deserializing. The result is that the data flows through safe input validation and that the functions are safe.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Timeline

Published
November 22, 2024
Last Modified
February 13, 2025
First Seen
November 22, 2024
