Remote code execution vulnerabilities in AI/ML libraries: A wake-up call for developers and users.
Imagine this: You're a developer, excited about the latest AI/ML advancements, and you stumble upon a popular library that promises to simplify your work. But little did you know, it could be a potential security nightmare!
We've uncovered vulnerabilities in three widely-used open-source AI/ML Python libraries, developed by tech giants Apple, Salesforce, and NVIDIA. These libraries, when loaded with malicious model files, can execute arbitrary code remotely, putting your systems at risk.
But here's where it gets controversial...
These libraries, NeMo, Uni2TS, and FlexTok, are integral parts of popular models on HuggingFace, with millions of downloads. The issue? They rely on metadata to configure complex models, and in vulnerable versions, this metadata can be manipulated to execute code.
And this is the part most people miss...
In the vulnerable versions, the libraries treat the class or function named in the metadata as something to import and call, so whatever a model file names gets executed. This means that even if you're careful about which models you use, an attacker could take a popular model, add their own instructions to its configuration, and trick you into loading it.
As of our findings in December 2025, there's no evidence of these vulnerabilities being exploited in the wild. However, the potential for misuse is significant, especially with the popularity of these libraries.
So, what's being done?
- NVIDIA has issued a CVE (CVE-2025-23304), rated High severity, and released a fix in NeMo version 2.3.2.
- The FlexTok researchers updated their code in June 2025.
- Salesforce issued CVE-2026-22584, also rated High severity, and deployed a fix in July 2025.
These vulnerabilities were discovered by Prisma AIRS, a tool that can identify and extract payloads from vulnerable models.
But wait, there's more...
The vulnerabilities stem from the use of metadata and the way these libraries handle it. Specifically, the hydra.utils.instantiate() function, which builds objects from a configuration by importing and calling whatever the target value names, can be pointed at arbitrary code when that target value comes from an untrusted model file.
NeMo, for example...
NVIDIA's NeMo library, developed since 2019, has a vulnerability that allows remote code execution when loading .nemo model files. The issue lies in how NeMo handles the model_config.yaml file, which stores model metadata. An attacker can craft a malicious model_config.yaml file, and when it is loaded, the code it points to is executed.
Uni2TS and FlexTok...
Uni2TS, used by Salesforce's Moirai model, and FlexTok, developed by Apple and EPFL VILAB, both have vulnerabilities in how they decode and process configuration data. By adding malicious payloads to the config.json file or the .safetensors file, an attacker can achieve remote code execution.
So, what's the solution?
The developers have acknowledged these issues and released fixes. NVIDIA has added a safe_instantiate function that validates target values before anything is instantiated. Salesforce has implemented an allow list and strict validation checks. Apple and EPFL VILAB have updated their code to parse configurations as YAML and added an allow list of permitted classes.
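To make the allow-list approach concrete, here is an added illustration (not NVIDIA's, Salesforce's or Apple's own code) of validating every `_target_` entry in a nested config against a list of permitted module prefixes before any import or call happens; the allow list, the config contents and the `untrusted.module.Callable` name are constructed for the example.

```python
"""Allow-list check on Hydra-style ``_target_`` values before instantiation (constructed example)."""
from __future__ import annotations

import importlib
from typing import Any

# Constructed allow list: only targets under these module prefixes may be instantiated.
ALLOWED_TARGET_PREFIXES = ("collections.", "datetime.")


class UnsafeTargetError(ValueError):
    """Raised when a config names a _target_ outside the allow list."""


def collect_targets(node: Any, path: str = "") -> list[tuple[str, str]]:
    """Walk a nested dict/list config and return (path, target) for every _target_ key."""
    found: list[tuple[str, str]] = []
    if isinstance(node, dict):
        if "_target_" in node:
            found.append((path or "<root>", str(node["_target_"])))
        for key, value in node.items():
            found.extend(collect_targets(value, f"{path}.{key}" if path else key))
    elif isinstance(node, list):
        for i, value in enumerate(node):
            found.extend(collect_targets(value, f"{path}[{i}]"))
    return found


def validate_targets(config: Any, allowed=ALLOWED_TARGET_PREFIXES) -> bool:
    """Reject the whole config if any _target_ falls outside the allow list."""
    for path, target in collect_targets(config):
        if not target.startswith(allowed):
            raise UnsafeTargetError(f"{path}: _target_ {target!r} is not allow-listed")
    return True


def _instantiate(node: Any) -> Any:
    """Resolve _target_ entries bottom-up; only reached after validation succeeds."""
    if isinstance(node, dict):
        kwargs = {k: _instantiate(v) for k, v in node.items() if k != "_target_"}
        if "_target_" not in node:
            return kwargs
        module_name, _, attr = node["_target_"].rpartition(".")
        return getattr(importlib.import_module(module_name), attr)(**kwargs)
    if isinstance(node, list):
        return [_instantiate(v) for v in node]
    return node


def safe_instantiate(config: Any, allowed=ALLOWED_TARGET_PREFIXES) -> Any:
    """Validate first, then import and call only allow-listed targets."""
    validate_targets(config, allowed)
    return _instantiate(config)


# Constructed sample configs: one fully allow-listed, one naming a module outside the list.
SAFE_CONFIG = {"model": {"_target_": "collections.Counter", "x": 1},
               "sched": {"_target_": "datetime.timedelta", "days": 1}}
REJECTED_CONFIG = {"model": {"_target_": "untrusted.module.Callable", "arg": 1}}
```

Because the check runs over the whole tree before the first import, a disallowed target nested anywhere in the config is refused without that module ever being loaded.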
But here's the kicker...
These vulnerabilities highlight a broader issue: the security risks associated with AI/ML model formats and libraries. With the rapid advancement of AI, there's a proliferation of supporting libraries, and the attack surface is vast. Developers and users must be cautious and ensure they're using trusted sources and keeping their libraries up-to-date.
So, what's next?
Palo Alto Networks has shared these findings with the Cyber Threat Alliance, and their products, like Prisma AIRS and Cortex Cloud's Vulnerability Management, can help protect against these threats. But the onus is also on developers and users to stay vigilant and keep their systems secure.
Final Thoughts:
These vulnerabilities serve as a stark reminder of the potential risks in the AI/ML space. As we embrace the power of AI, we must also prioritize security. It's a delicate balance, but one that's crucial for the safe and responsible development and use of AI technologies.
So, what's your take on this? Do you think these vulnerabilities are a cause for concern, or are they just a blip on the radar of AI/ML development? We'd love to hear your thoughts in the comments!