Tencent Hunyuan3D-1 Untrusted Data Deserialization RCE (CVE-2025-13713)

### Critical Vulnerability Information - **CVE ID:** CVE-2025-13713 - **CVSS Score:** 7.8, AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H - **Affected Vendor:** Tencent - **Affected Product:** Hunyuan3D-1 - **Vulnerability Type:** Untrusted Data Remote Code Execution - **Vulnerability Details:** - The `load_pretrained` function contains a flaw due to improper validation of user-supplied data, resulting in deserialization of untrusted data. - An attacker could exploit this vulnerability to execute arbitrary code with root privileges. - **Additional Details:** - Tencent has released an update to resolve this issue. - For more information: https://github.com/Tencent-Hunyuan/Hunyuan3D-1/commit/454284503670312d4e06f6251c9be2f9f6d0fae7 - **Disclosure Timeline:** - Vulnerability reported to vendor: 2025-05-22 - Coordinated public release of advisory: 2025-12-01 - Advisory Updated: 2025-12-01 - **Credit:** Peter Girnus (@gothburz) of Trend Zero Day Initiative

Goal Reached Thanks to every supporter — we hit 100%!

Tencent Hunyuan3D-1 Untrusted Data Deserialization RCE (CVE-2025-13713)