### Key Vulnerability Information

- **Title**: (0Day) Hugging Face Accelerate Deserialization of Untrusted Data Remote Code Execution Vulnerability
- **Identifier**:
  - ZDI-25-1140
  - ZDI-CAN-27985
  - CVE-2025-14925
- **CVSS Score**: 7.8 - AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- **Affected Vendor**: Hugging Face
- **Affected Product**: Accelerate
- **Vulnerability Details**:
  - Remote attackers can execute arbitrary code on affected installations due to improper validation of user-supplied data, leading to deserialization of untrusted data.
  - Exploitation requires user interaction by visiting a malicious page or opening a malicious file.
  - Flaw exists in the parsing of checkpoints.
- **Mitigation**: Restrict interaction with the product due to the nature of the vulnerability.
- **Disclosure Timeline**:
  - 2025-09-03: Vulnerability reported to vendor.
  - 2025-12-18: Coordinated public release of advisory.
  - 2025-12-18: Advisory updated.
- **Credit**: Discovered by Michael DePlante (@izobashi) of Trend Zero Day Initiative.