From this webpage screenshot, the following key information about the vulnerability can be obtained:

1. **Vulnerability Name**: (0Day) Hugging Face Transformers MobileViTV2 Deserialization of Untrusted Data Remote Code Execution Vulnerability
2. **Vulnerability ID**: ZDI-24-1513, ZDI-CAN-24322
3. **CVE ID**: CVE-2024-11392
4. **CVSS Score**: 7.5, AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
5. **Affected Vendor**: Hugging Face
6. **Affected Product**: Transformers
7. **Vulnerability Details**:
   - Remote attackers can exploit this vulnerability to execute arbitrary code on affected Hugging Face Transformers installations.
   - User interaction is required; the target must access a malicious page or open a malicious file.
   - The issue lies in the handling of configuration files, where insufficient validation of user-supplied data leads to deserialization of untrusted data. Attackers can leverage this to execute code within the current user context.
8. **Additional Details**:
   - August 7, 2024: ZDI submitted the report to a third-party bug bounty program.
   - August 7, 2024: The bug bounty program rejected the report as it was outside their scope.
   - August 19, 2024: The vendor suggested submitting the report to another bug bounty platform.
   - August 20, 2024: ZDI resubmitted the report to the recommended platform.
   - October 14, 2024: The vendor rejected the vulnerability report.
   - November 6, 2024: ZDI notified the vendor of plans to publish a 0-day advisory.
9. **Mitigation**: Due to the nature of the vulnerability, the only mitigation strategy is to limit interaction with the application.
10. **Disclosure Timeline**:
    - August 7, 2024 – Vulnerability report submitted to vendor.
    - November 19, 2024 – Coordinated public vulnerability advisory released.
    - November 19, 2024 – Advisory updated.
11. **Credit**: The_Kernel_Panic
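The advisory describes the flaw only as insufficient validation of user-supplied data in configuration-file handling leading to deserialization of untrusted data; it publishes no further technical details. The following is an added example, not Hugging Face Transformers code and not the advisory's own material, showing the defensive pattern that addresses this vulnerability class: a configuration loader that accepts only plain JSON (never pickle or an arbitrary-object deserializer), allow-lists the keys it will honour, type-checks every value, and never turns a string from the file into a class or callable. The key names, size limit and sample files are constructed for illustration.

```python
"""Strict configuration loader for untrusted config files (added example).

Not the project's code; the advisory gives no implementation details, so the
schema below is an assumption chosen to illustrate the defensive pattern.
"""
import json
from typing import Any, Dict

# Constructed allow-list: each permitted key and the exact type its value must have.
ALLOWED_KEYS: Dict[str, type] = {
    "model_type": str,
    "hidden_size": int,
    "num_labels": int,
    "layer_norm_eps": float,
    "use_cache": bool,
}

MAX_CONFIG_BYTES = 64 * 1024  # refuse oversized input before parsing (assumed limit)


class ConfigError(ValueError):
    """Raised when a configuration file fails validation."""


def load_strict_config(raw: bytes) -> Dict[str, Any]:
    """Parse and validate config bytes; return only allow-listed, type-checked keys."""
    if len(raw) > MAX_CONFIG_BYTES:
        raise ConfigError("config too large")
    # json.loads can only yield dict/list/str/int/float/bool/None; unlike pickle
    # or a full YAML loader it cannot instantiate arbitrary objects.
    try:
        data = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise ConfigError(f"not valid JSON: {exc}") from exc
    if not isinstance(data, dict):
        raise ConfigError("top-level config must be a JSON object")
    validated: Dict[str, Any] = {}
    for key, value in data.items():
        expected = ALLOWED_KEYS.get(key)
        if expected is None:
            # Unknown keys are rejected outright rather than passed through,
            # so a file cannot name a module or class for the loader to act on.
            raise ConfigError(f"unexpected key: {key!r}")
        # bool is a subclass of int, so use an exact type check.
        if type(value) is not expected:
            raise ConfigError(f"key {key!r} must be {expected.__name__}")
        validated[key] = value
    return validated


def is_safe_config(raw: bytes) -> bool:
    """True if the bytes pass strict validation, False otherwise."""
    try:
        load_strict_config(raw)
        return True
    except ConfigError:
        return False


# Constructed sample inputs.
GOOD_CONFIG = b'{"model_type": "example", "hidden_size": 256, "use_cache": true}'
# A file carrying a key the loader does not know (here one naming a class) is rejected.
BAD_CONFIG_EXTRA_KEY = b'{"model_type": "example", "custom_class": "example.module.Loader"}'
# Bytes that are not UTF-8 JSON at all (constructed) are rejected before any interpretation.
BAD_CONFIG_NOT_JSON = b"\x80\x04\x95"

if __name__ == "__main__":
    print(load_strict_config(GOOD_CONFIG))
    print(is_safe_config(BAD_CONFIG_EXTRA_KEY), is_safe_config(BAD_CONFIG_NOT_JSON))
```

The design choice worth noting is that rejection is the default: anything outside the allow-list, of the wrong type, or not parseable as JSON fails closed. A loader that instead tolerates unknown keys, or that resolves strings into importable names, is the shape that turns a config file into a deserialization-of-untrusted-data problem.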