Full Report
The open-source libraries were created by Salesforce, Nvidia, and Apple with a Swiss group.

Vulnerabilities in popular AI and ML Python libraries used in Hugging Face models with tens of millions of downloads allow remote attackers to hide malicious code in metadata. The code then executes automatically when a file containing the poisoned metadata is loaded. …
Analysis Summary
# Vulnerability: RCE via Poisoned Metadata in AI/ML Python Libraries (Hydra Instantiation)
## CVE Details
- CVE ID: CVE-2025-23304 (Nvidia NeMo), CVE-2026-22584 (Salesforce Uni2TS) (Note: CVE for FlexTok not explicitly mentioned in the provided text.)
- CVSS Score: High severity reported (Specific scores not provided in text).
- CWE: CWE-94 (Improper Control of Generation of Code ('Code Injection')) or CWE-20 (Improper Input Validation).
## Affected Systems
- Products: Nvidia NeMo, Salesforce Uni2TS, Apple/EPFL FlexTok. All rely on the Hydra configuration library.
- Versions: Prior to NeMo v2.3.2; Prior to Uni2TS fix (July 2025); FlexTok fixed by switching parsing method. Specific vulnerable version numbers for all libraries prior to fix are not exhaustively listed.
- Configurations: Systems loading model files (e.g., `.nemo`, `.qnemo`, `.safetensors`, or configuration files) whose metadata is processed by the vulnerable `hydra.utils.instantiate()` function.
## Vulnerability Description
The root cause lies in the use of the `hydra.utils.instantiate()` function within the affected libraries (NeMo, Uni2TS, FlexTok) to load configurations or metadata from model files. This function is designed to instantiate classes from the names given in the configuration (the `_target_` value), but it accepts any importable callable, not only the classes the application expects. Attackers can therefore embed references to dangerous callables in the model's metadata (stored as YAML inside NeMo files, or read from `.safetensors` metadata in the others). By directing `instantiate()` to call built-in Python functions such as `eval()` or `os.system()`, Remote Code Execution (RCE) is achieved when the compromised model file is loaded and its metadata is processed.
## Exploitation
- Status: Not exploited in the wild (as of article date), but PoC potential is high.
- Complexity: Low (Attacker only needs to create a modified model file with malicious metadata and get a developer to load it).
- Attack Vector: Network (Downloading a poisoned model file from a repository like Hugging Face).
## Impact
- Confidentiality: High (Potential execution of arbitrary system commands allows for data exfiltration).
- Integrity: High (Arbitrary code execution allows for modification or deletion of files/data).
- Availability: High (System compromise can lead to denial of service or resource disruption).
## Remediation
### Patches
- **Nvidia NeMo:** Fixed in version **2.3.2**.
- **Salesforce Uni2TS:** Fixed in release following **July 31, 2025**.
- **FlexTok:** Fixed by switching configuration parsing to use **YAML** and implementing an **allow list** of classes recognized by `instantiate()`.
### Workarounds
- **General:** Developers are urged to add a block-list mechanism in front of Hydra's `instantiate()`, comparing each `_target_` value against known-dangerous functions, although Meta (Hydra's maintainer) has not yet released such a mechanism.
- **Trust Models:** Only load models from trusted sources, especially given that Hugging Face does not flag files using formats like `safetensors` or NeMo as inherently unsafe if they contain poisoned metadata.
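An allow-list gate of the kind FlexTok adopted, as an added example that is not code from Hydra or from any of the affected projects. It assumes the model config has already been parsed into a plain dict (for example from YAML) and that the application passes its real `hydra.utils.instantiate` as the `instantiate` argument; the `mymodel.*` prefixes and the sample configs are constructed placeholders.

```python
from typing import Any, Iterator

# Hydra convention: an object to be built is a mapping carrying a "_target_"
# key that names the callable to import and call. Nested mappings and lists
# may carry their own "_target_" entries, so the whole tree must be checked.
TARGET_KEY = "_target_"

# Allow list of importable prefixes this application expects in model
# configs. Placeholder values: a real deployment lists its own model classes.
ALLOWED_TARGET_PREFIXES = ("mymodel.layers.", "mymodel.tokenizers.")

# Defence in depth: reject these even if someone later widens the allow list.
DENIED_TARGETS = frozenset({"eval", "exec", "builtins.eval", "builtins.exec",
                            "os.system", "subprocess.run", "subprocess.Popen"})


def iter_targets(node: Any, path: str = "$") -> Iterator[tuple[str, str]]:
    """Yield (config path, target string) for every _target_ in the tree."""
    if isinstance(node, dict):
        if TARGET_KEY in node:
            yield path, str(node[TARGET_KEY])
        for key, value in node.items():
            yield from iter_targets(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from iter_targets(value, f"{path}[{i}]")


def find_disallowed_targets(config: Any) -> list[tuple[str, str]]:
    """Return every _target_ that is denied or outside the allow list."""
    bad = []
    for path, target in iter_targets(config):
        if target in DENIED_TARGETS or not target.startswith(ALLOWED_TARGET_PREFIXES):
            bad.append((path, target))
    return bad


def safe_instantiate(config: dict, instantiate):
    """Run a Hydra-style instantiate() only after every _target_ passes."""
    bad = find_disallowed_targets(config)
    if bad:
        raise ValueError(f"refusing to instantiate disallowed targets: {bad}")
    return instantiate(config)


# Constructed sample configs: one legitimate, one with poisoned metadata.
SAFE_CONFIG = {"model": {"_target_": "mymodel.layers.Encoder", "dim": 256,
                         "tokenizer": {"_target_": "mymodel.tokenizers.BPE"}}}
POISONED_CONFIG = {"model": {"_target_": "mymodel.layers.Encoder",
                             "callbacks": [{"_target_": "os.system"}]}}
```

Because the check runs before `instantiate()` imports anything, a poisoned `_target_` is reported with its config path rather than executed.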
## Detection
- **Indicators of Compromise (IOCs):** Unusual execution flows or attempts by the ML pipeline/runtime environment to call functions like `eval()` or `os.system()` originating from configuration parsing routines.
- **Detection Methods and Tools:** Monitoring process creation during model loading or deserialization, focusing specifically on the Python environments running the AI/ML inference or training routines. Static analysis of dependency usage to ensure updated library versions are in use.
## References
- Nvidia Advisory: hxxps://nvidia.custhelp.com/app/answers/detail/a_id/5686
- Salesforce Advisory: hxxps://help.salesforce.com/s/articleView?id=005239354&type=1
- Unit 42 Report: hxxps://unit42.paloaltonetworks.com/rce-vulnerabilities-in-ai-python-libraries/