Uncovering Remote Code Execution Vulnerabilities in AI/ML Libraries: A Deep Dive (2026)

Remote code execution vulnerabilities in AI/ML libraries: A wake-up call for developers!

We've uncovered a critical issue in three popular open-source AI/ML Python libraries, developed by Apple, Salesforce, and NVIDIA. When these libraries load specially crafted model files, the result can be remote code execution (RCE). A single model file carrying malicious metadata is enough to run arbitrary code on the system that loads it.

The affected libraries are:
- NeMo by NVIDIA: A versatile PyTorch-based framework for AI/ML model development.
- Uni2TS by Salesforce: A PyTorch library for time series analysis, used in Salesforce's Morai model.
- FlexTok by Apple and EPFL VILAB: A Python-based framework enabling image processing for AI/ML models.

These libraries are widely used, with millions of downloads on HuggingFace. The vulnerability lies in how they handle model metadata: an attacker can embed a reference to code in that metadata, and the library executes it when it loads the modified model.

As of December 2025, no malicious attacks using these vulnerabilities have been reported in the wild. Palo Alto Networks responsibly disclosed these findings to the affected vendors in April 2025, giving them time to address the issues before public disclosure.

The vendors' responses and actions:
- NVIDIA issued CVE-2025-23304, rated High severity, and released a fix in NeMo version 2.3.2.
- The FlexTok researchers updated their code in June 2025 to resolve the issues.
- Salesforce issued CVE-2026-22584, rated High severity, and deployed a fix on July 31, 2025.

Palo Alto Networks' Prisma AIRS was instrumental in identifying these vulnerabilities and extracting the malicious payloads.

For Palo Alto Networks customers, additional protection is offered through products like Cortex Cloud's Vulnerability Management and the Unit 42 AI Security Assessment. These tools help identify and manage vulnerabilities, and provide remediation tasks for container images.

The security issues highlighted here are a stark reminder of the potential risks in AI/ML model formats. While newer formats aim to address security concerns, they don't make applications and libraries completely immune to traditional exploits. Security researchers at JFrog have demonstrated this by identifying vulnerabilities in applications using these 'safe' formats, employing techniques like XSS and path traversal.

The technical analysis delves into how researchers identified vulnerabilities in these libraries. It's a fascinating insight into the world of AI/ML security, and a must-read for developers and security enthusiasts alike.

Hydra, a Python configuration library maintained by Meta, turned out to be the common thread: all three libraries use it to store and reload model state and configuration information alongside the model. The vulnerabilities stem from how Hydra's instantiate() function is called on that configuration, which lets the model file dictate which code gets executed.

Since these issues were identified, Hydra has been updated with a warning about RCE risks and a block-list mechanism. However, a block list of known-dangerous targets is easy to bypass, which highlights the need for more robust controls in the libraries that consume the configuration.

The NeMo library, developed by NVIDIA, has been updated to address this issue. A safeinstantiate function validates target values before anything is executed, and a new istarget_allowed function checks each target against an allow list of permitted module prefixes.

Salesforce's Uni2TS library, used in their Morai model, has also implemented an allow list and a strict validation check to prevent the execution of unauthorized modules.

Apple and EPFL VILAB, developers of the ml-flextok library, have updated their code to use YAML for parsing configurations and added an allow list of classes for Hydra's instantiate() function. They've also updated their documentation to warn about executing strings as code and the importance of loading models from trusted sources.
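To make the mitigation concrete, here is an added example (not code from NeMo, Uni2TS, FlexTok or Hydra) of an allow-list gate in front of Hydra-style instantiation. It re-implements only the part of Hydra's instantiate() semantics that matters here: a `_target_` dotted path, keyword arguments from the remaining keys, and nested `_target_` dictionaries. The function names `is_target_allowed` and `safe_instantiate`, the prefix list and the sample configs are all assumptions made for the example; the real NeMo functions may differ in shape.

```python
"""Allow-list gate in front of a Hydra-style ``_target_`` instantiation.

Added example, not NeMo/Uni2TS/FlexTok/Hydra code. It mirrors just enough of
Hydra's instantiate() behaviour (``_target_`` dotted path, remaining keys as
keyword arguments, nested ``_target_`` dicts) to show two things: the check
must happen before the target is resolved, and it must be applied
recursively, because nested entries are instantiated as well.
"""
import importlib
from typing import Any, Iterable

# Hypothetical allow-list: only objects under these prefixes may be built.
# The trailing dot matters: "fractions." must not also match "fractionsx.".
ALLOWED_PREFIXES = ("collections.", "fractions.")


def is_target_allowed(target: Any, allowed: Iterable[str] = ALLOWED_PREFIXES) -> bool:
    """True only if ``target`` is a string starting with an allowed prefix."""
    return isinstance(target, str) and any(target.startswith(p) for p in allowed)


def _locate(path: str) -> Any:
    """Resolve ``pkg.mod.Name`` to an object (import module, then getattr)."""
    module_name, _, attr = path.rpartition(".")
    if not module_name:
        raise ValueError(f"target must be a dotted path: {path!r}")
    return getattr(importlib.import_module(module_name), attr)


def safe_instantiate(cfg: Any, allowed: Iterable[str] = ALLOWED_PREFIXES) -> Any:
    """Instantiate ``cfg`` but refuse any ``_target_`` outside the allow-list.

    Nested dicts are walked first, so a harmless-looking top-level target
    cannot smuggle a disallowed one in through its arguments.
    """
    if isinstance(cfg, dict):
        if "_target_" in cfg:
            target = cfg["_target_"]
            if not is_target_allowed(target, allowed):
                raise PermissionError(f"refusing to instantiate {target!r}")
            kwargs = {k: safe_instantiate(v, allowed)
                      for k, v in cfg.items() if k != "_target_"}
            return _locate(target)(**kwargs)
        return {k: safe_instantiate(v, allowed) for k, v in cfg.items()}
    if isinstance(cfg, list):
        return [safe_instantiate(v, allowed) for v in cfg]
    return cfg


def gate_result(cfg: Any) -> str:
    """Return 'allowed' or 'blocked' for a config, e.g. for an audit log line."""
    try:
        safe_instantiate(cfg)
        return "allowed"
    except PermissionError:
        return "blocked"


# Constructed configs standing in for metadata pulled out of a model file.
TRUSTED_CFG = {"_target_": "fractions.Fraction", "numerator": 3, "denominator": 4}
# The top level is on the allow-list; a nested entry is not (hypothetical,
# harmless stand-in for an arbitrary target).
NESTED_BAD_CFG = {
    "_target_": "collections.deque",
    "iterable": [{"_target_": "builtins.print", "sep": "x"}],
}

if __name__ == "__main__":
    print(safe_instantiate(TRUSTED_CFG))   # 3/4
    print(gate_result(NESTED_BAD_CFG))     # blocked
```

The real Hydra function also honours keys such as `_partial_`, `_args_` and `_recursive_`; a production gate has to validate those paths too, and prefix matching should always include the trailing dot so that a look-alike package name cannot slip past the check.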

While Palo Alto Networks hasn't identified any attacks exploiting these vulnerabilities in the wild, the potential for malicious activity is high. Developers often create variations of state-of-the-art models, and attackers could easily create modified models with malicious metadata.

Before these findings, there was no indication that these libraries could be insecure, and HuggingFace doesn't currently flag files in the safetensors or NeMo formats as potentially unsafe, because the tensor data itself is safe to parse; the risk sits in the metadata the loading library acts on. This highlights the need for better awareness and security practices in the AI/ML community.
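Because the tensor format is not where the problem lives, a useful defensive check is to inspect a model file's metadata for instantiation targets before any library touches it. The following added example (not code from Unit 42, HuggingFace or the safetensors project) reads a safetensors header, pulls every `_target_` dotted path out of the `__metadata__` string values, and reports those outside an allow-list. It relies only on the published safetensors layout (8-byte little-endian header length, then a UTF-8 JSON header whose optional `__metadata__` map holds string values); the allow-list, the helper names and the sample file are constructed for the example.

```python
"""Scan a safetensors header for ``_target_`` entries outside an allow-list.

Added example, not code from Unit 42, HuggingFace or the safetensors project.
Only the public safetensors layout is relied on: an 8-byte little-endian
header length, then a UTF-8 JSON header; the optional ``__metadata__`` map
holds free-form string values, which is where a serialized config would sit.
"""
import json
import re
import struct

ALLOWED_PREFIXES = ("torch.", "mymodel.")  # hypothetical allow-list
# Catches YAML- or JSON-like text such as  _target_: pkg.mod.Name
_TARGET_RE = re.compile(r"[\"']?_target_[\"']?\s*:\s*[\"']?([A-Za-z_][\w.]*)")


def build_safetensors(metadata: dict, tensors: dict) -> bytes:
    """Assemble a minimal safetensors blob (used only to construct the sample)."""
    header = {"__metadata__": metadata}
    body = b""
    for name, (dtype, shape, raw) in tensors.items():
        header[name] = {"dtype": dtype, "shape": shape,
                        "data_offsets": [len(body), len(body) + len(raw)]}
        body += raw
    hdr = json.dumps(header).encode("utf-8")
    return struct.pack("<Q", len(hdr)) + hdr + body


def read_header(blob: bytes) -> dict:
    """Parse the JSON header without touching the tensor data that follows it."""
    (n,) = struct.unpack("<Q", blob[:8])
    if n > len(blob) - 8:
        raise ValueError("header length exceeds file size")
    return json.loads(blob[8:8 + n].decode("utf-8"))


def _walk(obj):
    """Yield every ``_target_`` string inside a parsed JSON structure."""
    if isinstance(obj, dict):
        if isinstance(obj.get("_target_"), str):
            yield obj["_target_"]
        for v in obj.values():
            yield from _walk(v)
    elif isinstance(obj, list):
        for v in obj:
            yield from _walk(v)


def find_targets(metadata: dict) -> list:
    """Collect ``_target_`` dotted paths from the metadata string values.

    Each value is tried as JSON first and walked structurally; anything that
    is not JSON (e.g. YAML text) is searched with the regex instead.
    """
    found = []
    for value in metadata.values():
        if not isinstance(value, str):
            continue
        try:
            found.extend(_walk(json.loads(value)))
        except ValueError:  # JSONDecodeError is a ValueError
            found.extend(_TARGET_RE.findall(value))
    return found


def suspicious_targets(blob: bytes, allowed=ALLOWED_PREFIXES) -> list:
    """Return the targets in a safetensors file that fall outside the allow-list."""
    meta = read_header(blob).get("__metadata__", {})
    return [t for t in find_targets(meta) if not t.startswith(allowed)]


# Constructed sample: one tiny tensor plus metadata entries, one of which is a
# YAML-style snippet pointing at a hypothetical target outside the allow-list.
SAMPLE = build_safetensors(
    metadata={
        "format": "pt",
        "model_config": json.dumps({"_target_": "mymodel.Encoder",
                                    "norm": {"_target_": "torch.nn.LayerNorm"}}),
        "loader_hint": "loader:\n  _target_: untrusted_pkg.Hook\n",
    },
    tensors={"w": ("F32", [2], struct.pack("<2f", 1.0, 2.0))},
)

if __name__ == "__main__":
    print(suspicious_targets(SAMPLE))  # ['untrusted_pkg.Hook']
```

The scan is deliberately read-only: it never imports or instantiates anything, so it can run in a pipeline stage or a pre-download hook that has no model-loading code at all. A hit is a reason to quarantine the file and review it, not proof of malice, since legitimate configs also use `_target_`.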

With the latest advances in AI/ML often shipping with supporting code rather than just weights, there's a proliferation of supporting libraries, creating a large attack surface. As of October 2025, over a hundred different Python libraries were identified, with almost 50 using Hydra in some way.

Palo Alto Networks' products and services provide an additional layer of protection for customers, helping to identify and manage vulnerabilities and misconfigurations. The Unit 42 AI Security Assessment is particularly useful for organizations looking to reduce AI adoption risks and strengthen AI governance.

If you suspect your systems have been compromised or have an urgent matter, reach out to the Unit 42 Incident Response team. Palo Alto Networks has also shared these findings with fellow Cyber Threat Alliance (CTA) members, working together to disrupt malicious cyber actors.

Stay informed and stay secure! Keep an eye on the latest developments in AI/ML security, and don't hesitate to reach out to experts for guidance.

Article information

Author: Edwin Metz