Open
Description
I've identified a security vulnerability in the Hugging Face Transformers library that affects this project. The vulnerability (CVE-2024-11392) is rated as high severity (CVSS 8.8) and could potentially allow remote code execution through malicious configuration files in the MobileViTV2 component.
The vulnerability specifically involves improper deserialization of untrusted data in configuration files, which could be exploited if a user processes a malicious file. This is particularly relevant for this project since it deals with document processing.
Proposed Solution:
Update the transformers dependency to version 4.48.0 or higher, which includes the security fix.
- For non-Mac systems: ^4.48.0
- For Mac systems: ~4.48.0
References:
- CVE Details: https://nvd.nist.gov/vuln/detail/CVE-2024-11392
- Vulnerability Type: Deserialization of Untrusted Data
- CVSS Score: 8.8 (High)
- Affected Versions: < 4.48.0
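As an added example (not part of the issue above), the following script checks whether an installed transformers version still falls in the affected range reported for CVE-2024-11392 (< 4.48.0) and whether it satisfies the two proposed constraints. It assumes the `^` and `~` operators carry their Poetry-style meaning (caret keeps the major version, tilde keeps the minor version), which the issue does not state explicitly.

```python
"""Dependency check for the transformers pin proposed in the issue above.

Affected range comes from the issue (< 4.48.0); caret/tilde semantics are
assumed to follow Poetry's rules, which the issue does not spell out.
"""
from __future__ import annotations

import re

FIXED_VERSION = (4, 48, 0)  # first release carrying the fix, per the issue


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse 'MAJOR.MINOR[.PATCH]' into a comparable tuple; reject anything else."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unsupported version string: {text!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def is_affected(installed: str) -> bool:
    """True when the installed version is below the fixed release (< 4.48.0)."""
    return parse_version(installed) < FIXED_VERSION


def constraint_bounds(constraint: str) -> tuple[tuple[int, int, int], tuple[int, int, int]]:
    """Translate a ^ or ~ constraint into an inclusive lower / exclusive upper bound.

    Assumed Poetry semantics: ^X.Y.Z allows < (X+1).0.0 (or < 0.(Y+1).0 when X is 0);
    ~X.Y.Z allows < X.(Y+1).0, i.e. patch-level updates only.
    """
    op, base = constraint[0], parse_version(constraint[1:])
    major, minor, _ = base
    if op == "^":
        upper = (0, minor + 1, 0) if major == 0 else (major + 1, 0, 0)
    elif op == "~":
        upper = (major, minor + 1, 0)
    else:
        raise ValueError(f"unsupported constraint operator in {constraint!r}")
    return base, upper


def satisfies(installed: str, constraint: str) -> bool:
    """True when the installed version lies within the constraint's bounds."""
    lower, upper = constraint_bounds(constraint)
    return lower <= parse_version(installed) < upper


if __name__ == "__main__":
    for v in ("4.47.1", "4.48.0", "4.50.2", "5.0.0"):  # constructed sample versions
        print(v, "affected" if is_affected(v) else "fixed",
              "non-Mac ok" if satisfies(v, "^4.48.0") else "non-Mac no",
              "Mac ok" if satisfies(v, "~4.48.0") else "Mac no")
```

Both proposed constraints exclude every affected release, but only the caret form accepts later minor releases such as 4.50.x.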