Critical Remote Code Execution Vulnerabilities in Popular AI/ML Libraries: NeMo, Uni2TS, FlexTok (2026)

Remote Code Execution With Modern AI/ML Formats and Libraries

Executive Summary:
We identified vulnerabilities in three open-source artificial intelligence/machine learning (AI/ML) Python libraries published by Apple, Salesforce, and NVIDIA on their GitHub repositories. Vulnerable versions of these libraries allow for remote code execution (RCE) when a model file with malicious metadata is loaded.

Key Findings:
- NeMo: A PyTorch-based framework created by NVIDIA for research purposes, designed for the development of diverse AI/ML models and complex systems.
- Uni2TS: A PyTorch library created for research purposes and used by Salesforce's Moirai, a foundation model for time series analysis that forecasts trends from vast datasets.
- FlexTok: A Python-based framework created for research purposes that enables AI/ML models to process images by handling the encoding and decoding functions, created by researchers at Apple and the Swiss Federal Institute of Technology’s Visual Intelligence and Learning Lab.

These libraries are used in popular models on HuggingFace with tens of millions of downloads in total.

Vulnerabilities:
The vulnerabilities stem from libraries using metadata to configure complex models and pipelines, where a shared third-party library instantiates classes using this metadata. Vulnerable versions of these libraries simply execute the provided data as code. This allows an attacker to embed arbitrary code in model metadata, which would automatically execute when vulnerable libraries load these modified models.

Mitigations:
As of December 2025, we have found no malicious examples using these vulnerabilities in the wild. Palo Alto Networks notified all affected vendors in April 2025 to ensure they had a chance to implement mitigations or resolve the issues before publication.

- NVIDIA: Issued CVE-2025-23304, rated High severity, and released a fix in NeMo version 2.3.2.
- FlexTok: The researchers who created FlexTok updated their code in June 2025 to resolve the issues.
- Salesforce: Issued CVE-2026-22584, rated High severity, and deployed a fix on July 31, 2025.

Detection and Protection:
These vulnerabilities were discovered by Prisma AIRS, which is able to identify models leveraging these vulnerabilities and extract their payloads.

Palo Alto Networks customers are better protected from the threats discussed above through the following products and services:
- Cortex Cloud’s Vulnerability Management: Identifies and manages base images for cloud virtual machine and containerized environments.
- Unit 42 AI Security Assessment: Helps organizations reduce AI adoption risk, secure AI innovation, and strengthen AI governance.

Call to Action:
If you think you may have been compromised or have an urgent matter, contact the Unit 42 Incident Response team.

Related Topics:
- Python
- LLMs
- Machine Learning

AI/ML Model Formats:
AI/ML training and inference pipelines depend on saving complex internal states, such as learned weights and architecture definitions. These internal states are saved as model artifacts, and the artifacts must be shared between producers and consumers. Libraries provide built-in mechanisms to serialize these artifacts.

Security Issues in New Model Formats:
Newer formats have been developed to address the security issues of pickle-based formats, which deserialize arbitrary Python objects and therefore run code when a model is loaded. These “safe” formats largely achieve this by only supporting the serialization of model weights or by representing pipelines as data instead of code, using formats like JSON.

Technical Analysis:
While newer formats have removed the ability to store model state and configurations as code, researchers still have use cases for serializing that information. Because these libraries are large and the configurations of their classes can be complex, many libraries use third-party tools to accomplish this.

Hydra:
Hydra is a Python configuration library maintained by Meta that is commonly used to serialize model state and configuration information.

Vulnerabilities in Hydra:
We identified three open-source AI/ML Python libraries used by models on HuggingFace that leverage Hydra to load these configurations from model metadata in a way that allows for arbitrary code execution.

NeMo:
NVIDIA has been developing the NeMo library since 2019, describing it as a “scalable and cloud-native generative AI framework.” NeMo uses its own file formats with the .nemo and .qnemo file extensions, which are simply TAR files containing a model_config.yaml file that stores model metadata along with a .pt file or a .safetensors file, respectively.
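The loading path described above (a Hydra-style config naming classes to instantiate, carried inside a .nemo TAR) can be triaged without ever instantiating anything. The following is an added example, not code from NVIDIA, Hydra or the article: it reads model_config.yaml straight out of an in-memory archive and reports every `_target_` entry that falls outside an allowlist. The allowlist prefixes, the sample archive contents and the `builtins.eval` placeholder are constructed for illustration.

```python
"""Triage helper for .nemo archives (added example, not NVIDIA's or Hydra's code).

A .nemo file is a TAR holding model_config.yaml; Hydra-style configs name the
object to build with a `_target_` key. This scanner reads the YAML text from
the archive without extracting it to disk, without a YAML loader and without
importing any named target, then flags targets outside an allowlist.
"""
import io
import re
import tarfile

# Matches lines such as `_target_: pkg.mod.Class` (optionally quoted).
TARGET_RE = re.compile(r"^\s*_target_\s*:\s*['\"]?([\w.]+)['\"]?\s*$", re.MULTILINE)

# Hypothetical allowlist: module prefixes a deployment expects in model metadata.
ALLOWED_PREFIXES = ("nemo.", "torch.nn.", "torch.optim.")


def find_targets(yaml_text: str) -> list[str]:
    """Return every _target_ dotted path in the config text, in file order."""
    return TARGET_RE.findall(yaml_text)


def disallowed_targets(yaml_text: str, allowed=ALLOWED_PREFIXES) -> list[str]:
    """Targets a Hydra-style loader would call that are outside the allowlist."""
    return [t for t in find_targets(yaml_text) if not t.startswith(allowed)]


def scan_nemo(archive_bytes: bytes) -> list[str]:
    """Open a .nemo TAR in memory and scan its model_config.yaml member."""
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:*") as tar:
        member = next((m for m in tar.getmembers()
                       if m.isfile() and m.name.split("/")[-1] == "model_config.yaml"), None)
        if member is None:
            raise ValueError("archive has no model_config.yaml member")
        return disallowed_targets(tar.extractfile(member).read().decode("utf-8"))


def build_sample_nemo(config_yaml: str) -> bytes:
    """Construct a minimal .nemo-style TAR: the config plus an empty weights file."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in (("model_config.yaml", config_yaml.encode()), ("model_weights.pt", b"")):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed sample configs: a benign one and one with a tampered entry.
BENIGN = "model:\n  encoder:\n    _target_: torch.nn.Linear\n    in_features: 16\n"
TAMPERED = BENIGN + "  preprocessor:\n    _target_: builtins.eval\n    _args_: ['<constructed placeholder>']\n"

if __name__ == "__main__":
    for label, cfg in (("benign", BENIGN), ("tampered", TAMPERED)):
        print(label, scan_nemo(build_sample_nemo(cfg)))
```

A line-based scan is a triage aid, not a parser: a quoted or multi-line YAML construct can evade the regex, so a full YAML load (with a safe loader) before deciding to instantiate anything is the stronger check.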

Uni2TS:
In 2024, Salesforce’s AI research team published an article titled Unified Training of Universal Time Series Transformers, which introduced a set of models that were published on HuggingFace. This research and the use of these models depend on uni2TS, an open-source Python library that accompanied the Salesforce article.

FlexTok:
Early in 2025, Apple and the Swiss Federal Institute of Technology’s Visual Intelligence and Learning Lab (EPFL VILAB) published research that introduced a supporting Python library called ml-flextok.
