### Vulnerability Key Information

- **Title**:
  - Tencent FaceDetection-DSFD resnet Deserialization of Untrusted Data Remote Code Execution Vulnerability
- **ID**:
  - ZDI-25-1183
  - ZDI-CAN-27197
- **CVE ID**:
  - CVE-2025-13715
- **CVSS Score**:
  - 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
- **Affected Vendor**:
  - Tencent
- **Affected Product**:
  - FaceDetection-DSFD
- **Vulnerability Details**:
  - This vulnerability allows remote attackers to execute arbitrary code on affected Tencent FaceDetection-DSFD installations. Exploitation requires user interaction, meaning the target must access a malicious page or open a malicious file. The specific flaw resides in the resnet endpoint, where insufficient validation of user-supplied data leads to deserialization of untrusted data. Attackers can leverage this vulnerability to execute code in the root context.
- **Additional Details**:
  - Tencent has released an update to fix this vulnerability. More information can be found at the following link: https://github.com/Tencent/FaceDetection-DSFD/commit/a941d089d8ae2df5292a904e79d88649cb58a440
- **Disclosure Timeline**:
  - 2025-05-22: Vulnerability reported to vendor
  - 2025-12-23: Public release of coordinated advisory
  - 2025-12-23: Advisory update
- **Contributor**:
  - Peter Girnus (@gothburz) of Trend Zero Day Initiative