Remote Code Execution With Modern AI/ML Formats and Libraries
Executive Summary:
We identified vulnerabilities in three open-source artificial intelligence/machine learning (AI/ML) Python libraries published by Apple, Salesforce, and NVIDIA on their GitHub repositories. Vulnerable versions of these libraries allow for remote code execution (RCE) when a model file with malicious metadata is loaded.
Key Findings:
- NeMo: A PyTorch-based framework created for research purposes by NVIDIA, which is designed for the development of diverse AI/ML models and complex systems.
- Uni2TS: A PyTorch library created for research purposes by Salesforce, used by their Moirai foundation model for time series forecasting.
- FlexTok: A Python-based framework created for research purposes by Apple and EPFL VILAB, enabling AI/ML models to process images.
These libraries are used by popular models on Hugging Face with tens of millions of downloads in total. The vulnerabilities stem from the libraries treating model metadata as trusted configuration: the metadata describes the classes and pipelines that make up a model, and a shared third-party library instantiates those classes directly from it. Vulnerable versions make no distinction between configuration and code, so an attacker who can publish or modify a model file can embed arbitrary code in its metadata, and that code runs automatically as soon as a vulnerable library loads the model. No further action by the user is required beyond loading the file.
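The following is an added illustration of the pattern described above, not code from NeMo, Uni2TS, FlexTok or the configuration library they share. It shows a loader that builds objects from model metadata by importing whatever dotted path the metadata names (the vulnerable pattern), a hardened loader that only instantiates targets from an explicit allow-list, and a small scanner that flags non-allow-listed targets before anything is loaded. The metadata layout and the key names `target`, `args` and `kwargs` are hypothetical, and both metadata strings are constructed for the example.

```python
import importlib
import json
import statistics
from typing import Any, Callable, Mapping

# Constructed model metadata. The "target" key names the object to build
# and "kwargs" its constructor arguments; this schema is hypothetical.
BENIGN_METADATA = json.dumps({
    "target": "statistics.NormalDist",
    "kwargs": {"mu": 0.0, "sigma": 2.0},
})

# Constructed attacker metadata: same schema, but "target" now points at a
# stdlib callable that evaluates whatever string it is handed. Anything the
# loader process can do (os.system, network access, file writes) is reachable
# the same way; eval of os.getpid() is used here so the demo stays harmless.
MALICIOUS_METADATA = json.dumps({
    "target": "builtins.eval",
    "args": ["__import__('os').getpid()"],
})


def _import_dotted(path: str) -> Callable[..., Any]:
    """Resolve 'package.module.attr' to the named attribute."""
    module_name, _, attr = path.rpartition(".")
    return getattr(importlib.import_module(module_name), attr)


def unsafe_instantiate(metadata: str) -> Any:
    """Vulnerable pattern: import whatever the metadata names and call it.

    Configuration and code are indistinguishable here, so a model file
    controls which Python callable runs and with which arguments.
    """
    cfg = json.loads(metadata)
    target = _import_dotted(cfg["target"])
    return target(*cfg.get("args", []), **cfg.get("kwargs", {}))


# Hardened variant: the loader, not the model file, decides what may be built.
ALLOWED_TARGETS: Mapping[str, Callable[..., Any]] = {
    "statistics.NormalDist": statistics.NormalDist,
}


def safe_instantiate(metadata: str,
                     allowed: Mapping[str, Callable[..., Any]] = ALLOWED_TARGETS) -> Any:
    """Only instantiate allow-listed targets, and only with keyword arguments."""
    cfg = json.loads(metadata)
    name = cfg.get("target")
    if name not in allowed:
        raise ValueError(f"refusing to instantiate non-allow-listed target {name!r}")
    if "args" in cfg:
        raise ValueError("positional arguments are not accepted from model metadata")
    kwargs = cfg.get("kwargs", {})
    if any(isinstance(v, (dict, list)) for v in kwargs.values()):
        # Nested objects are where recursive instantiation would smuggle a
        # second "target"; a real loader would validate them against a schema.
        raise ValueError("nested values in kwargs are not accepted")
    return allowed[name](**kwargs)


def rejects(metadata: str) -> bool:
    """True if the hardened loader refuses this metadata."""
    try:
        safe_instantiate(metadata)
    except ValueError:
        return True
    return False


def find_suspicious_targets(metadata: str,
                            allowed: Mapping[str, Any] = ALLOWED_TARGETS) -> list:
    """Triage helper: walk the metadata and list every 'target' that is not
    allow-listed, so a model file can be screened before it is loaded."""
    found = []

    def walk(node: Any) -> None:
        if isinstance(node, dict):
            target = node.get("target")
            if isinstance(target, str) and target not in allowed:
                found.append(target)
            for value in node.values():
                walk(value)
        elif isinstance(node, list):
            for value in node:
                walk(value)

    walk(json.loads(metadata))
    return found


if __name__ == "__main__":
    print("unsafe, benign:", unsafe_instantiate(BENIGN_METADATA))
    print("unsafe, malicious (eval ran, got pid):", unsafe_instantiate(MALICIOUS_METADATA))
    print("safe, benign:", safe_instantiate(BENIGN_METADATA))
    print("safe rejects malicious:", rejects(MALICIOUS_METADATA))
    print("scanner:", find_suspicious_targets(MALICIOUS_METADATA))
```

The allow-list is the essential change: once the loader resolves arbitrary import paths, no amount of argument filtering helps, because the attacker picks the callable. The scanner is the loader-independent check a model registry or CI step can run over metadata without importing anything it names.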
Mitigation and Protection:
- Palo Alto Networks notified all affected vendors in April 2025 to ensure they had a chance to implement mitigations or resolve the issues before publication.
- NVIDIA issued CVE-2025-23304, rated High severity, and released a fix in NeMo version 2.3.2.
- The researchers who created FlexTok updated their code in June 2025 to resolve the issues.
- Salesforce issued CVE-2026-22584, rated High severity, and deployed a fix on July 31, 2025.
- Prisma AIRS: Prisma AIRS can identify models leveraging these vulnerabilities and extract their payloads.
- Cortex Cloud's Vulnerability Management: Identifies and manages base images for cloud virtual machine and containerized environments, allowing for identification and alerting of vulnerabilities and misconfigurations.
- Unit 42 AI Security Assessment: Helps organizations reduce AI adoption risk, secure AI innovation, and strengthen AI governance.
Disclaimer: Palo Alto Networks has not identified any model files leveraging these vulnerabilities for attacks in the wild, but there is ample opportunity for attackers to leverage them.