Key Vulnerability Information

Title: (0Day) Hugging Face Accelerate Deserialization of Untrusted Data Remote Code Execution Vulnerability

Identifier:
- ZDI-25-1140
- ZDI-CAN-27985
- CVE-2025-14925

CVSS Score: 7.8 - AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected Vendor: Hugging Face

Affected Product: Accelerate

Vulnerability Details:
- Remote attackers can execute arbitrary code on affected installations due to improper validation of user-supplied data, leading to deserialization of untrusted data.
- Exploitation requires user interaction by visiting a malicious page or opening a malicious file.
- Flaw exists in the parsing of checkpoints.

Mitigation: Restrict interaction with the product due to the nature of the vulnerability.

Disclosure Timeline:
- 2025-09-03: Vulnerability reported to vendor.
- 2025-12-18: Coordinated public release of advisory.
- 2025-12-18: Advisory updated.

Credit: Discovered by Michael DePlante (@izobashi) of Trend Zero Day Initiative.
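
For the checkpoint-parsing flaw under Vulnerability Details, one pre-load check a defender can apply, as an added example that is not from the advisory or from Hugging Face: it assumes the input is the raw Python pickle bytes of a checkpoint file (the advisory does not name the serialization format) and lists the globals the stream would import without deserializing it. The allowlist, the function names and both sample byte strings are constructed for illustration.

```python
import pickle
import pickletools
from collections import OrderedDict

# Illustrative allowlist (an assumption): globals a plain state dict may import.
ALLOWED_GLOBALS = {("collections", "OrderedDict")}
STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE",
              "STRING", "BINSTRING", "SHORT_BINSTRING"}
# Opcodes that do not change the stack, so they may sit between the two pushes.
NEUTRAL_OPS = {"MEMOIZE", "PUT", "BINPUT", "LONG_BINPUT", "FRAME"}


def pickle_imports(data: bytes):
    """List (module, name) pairs a pickle stream would import, without loading it."""
    found, recent = [], []
    for opcode, arg, _pos in pickletools.genops(data):
        name = opcode.name
        if name in STRING_OPS:
            recent.append(arg)
            continue
        if name in NEUTRAL_OPS:
            continue
        if name in ("GLOBAL", "INST"):
            found.append(tuple(arg.split(" ", 1)))
        elif name == "STACK_GLOBAL":
            # Resolved only when the two operands were pushed directly before it;
            # anything else (memo reads, POP, DUP) is reported as unresolved.
            ok = len(recent) >= 2 and all(isinstance(s, str) for s in recent[-2:])
            found.append(tuple(recent[-2:]) if ok else ("<unresolved>", "<unresolved>"))
        recent = []  # any other opcode breaks the push, push, STACK_GLOBAL pattern
    return found


def check_checkpoint(data: bytes):
    """Return imports outside the allowlist; an empty list means none were found."""
    return [g for g in pickle_imports(data) if g not in ALLOWED_GLOBALS]


class _Marker:
    # Constructed sample: pickles to a call of builtins.print; it is never loaded.
    def __reduce__(self):
        return (print, ("constructed sample",))


SAMPLE_PLAIN = pickle.dumps({"step": 10, "state": OrderedDict(lr=0.001)})
SAMPLE_CALLABLE = pickle.dumps({"step": 10, "state": _Marker()})

if __name__ == "__main__":
    for label, blob in (("plain", SAMPLE_PLAIN), ("callable", SAMPLE_CALLABLE)):
        print(label, check_checkpoint(blob) or "no unexpected imports")
```

An empty result narrows the risk but does not make a checkpoint from an untrusted source safe to load; unresolved entries are reported so that they fail the check rather than pass it.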