Harnessing the power of modern AI/ML tools for remote code execution vulnerabilities

Feb 8, 2026 | Threat Intelligence Research

Vulnerabilities Discovered in AI/ML Libraries from Major Tech Players

Recent research by Palo Alto Networks has uncovered critical vulnerabilities in three open-source AI/ML Python libraries maintained by Apple, Salesforce, and NVIDIA. These vulnerabilities enable remote code execution (RCE) when a model file embedded with malicious metadata is loaded, exposing a significant risk to users of these frameworks.

The affected libraries include NVIDIA’s NeMo, Salesforce’s Uni2TS, and Apple’s FlexTok. These libraries facilitate the development and deployment of AI models, with widespread use on platforms like HuggingFace, totaling tens of millions of downloads. The issue arises primarily from the libraries’ reliance on metadata for model configuration, where inappropriate handling can lead to arbitrary code execution. Malicious actors can exploit these vulnerabilities by embedding harmful code within the model metadata, which is then executed upon loading the model. As of December 2025, there have been no known real-world attacks utilizing these vulnerabilities, prompting Palo Alto Networks to alert the respective vendors for remediation prior to publication.

NVIDIA addressed this issue with CVE-2025-23304, releasing a patch in NeMo version 2.3.2. Salesforce followed suit, issuing CVE-2026-22584 after deploying a fix for Uni2TS, while Apple updated FlexTok to mitigate the identified risks. The primary exploit vectors involve the improper use of the hydra.utils.instantiate() function in these libraries, which inadvertently allows attackers to use built-in Python functions to execute code.
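The mechanism described above is that model metadata is handed to a Hydra-style instantiation call, so whatever dotted path sits in a `_target_` key decides which Python callable runs. The control an integrator wants before such a call is a pre-load check of that metadata. The following is an added example, not code from Palo Alto Networks or from NeMo, Uni2TS or FlexTok: it walks a parsed config for every `_target_` entry and reports any that fall outside an allowlist of expected framework modules. The allowlist, the denylist of modules that should never be reachable from untrusted metadata, the function names and the sample config are all constructed assumptions for this illustration.

```python
"""Audit `_target_` entries in a Hydra-style model config before instantiation.

Added example; the module lists and sample config below are assumptions."""
import json
from typing import Any, Iterator

# Module prefixes a model config is expected to instantiate from. Assumed for
# this example; a real deployment derives this from the framework in use.
ALLOWED_TARGET_PREFIXES = ("torch.", "nemo.", "transformers.")

# Top-level modules that untrusted metadata should never be able to name.
# Assumed list; extend it for the environment being protected.
DENIED_TOP_LEVEL_MODULES = frozenset(
    {"builtins", "os", "subprocess", "sys", "importlib", "shutil", "pickle", "code"}
)


def iter_targets(node: Any, path: str = "") -> Iterator[tuple[str, str]]:
    """Recursively yield (config path, target) for every `_target_` key.

    Handles nested dicts and lists, since Hydra configs nest freely."""
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}" if path else key
            if key == "_target_" and isinstance(value, str):
                yield (path or "<root>", value)
            else:
                yield from iter_targets(value, child)
    elif isinstance(node, list):
        for index, item in enumerate(node):
            yield from iter_targets(item, f"{path}[{index}]")


def classify_target(target: str) -> str:
    """Return 'denied', 'allowed' or 'unknown' for one dotted target path."""
    top_level = target.split(".", 1)[0]
    if top_level in DENIED_TOP_LEVEL_MODULES:
        return "denied"
    if target.startswith(ALLOWED_TARGET_PREFIXES):
        return "allowed"
    # Anything else (third-party or non-dotted names) is surfaced for review
    # rather than silently accepted.
    return "unknown"


def audit_config(config: Any) -> list[dict[str, str]]:
    """Collect every `_target_` that is not on the allowlist."""
    findings = []
    for path, target in iter_targets(config):
        verdict = classify_target(target)
        if verdict != "allowed":
            findings.append({"path": path, "target": target, "verdict": verdict})
    return findings


def load_and_audit(raw_json: str) -> list[dict[str, str]]:
    """Parse a JSON config (the form model metadata often ships in) and audit it."""
    return audit_config(json.loads(raw_json))


# Constructed sample config: two legitimate framework targets, one target into
# a denied module, and one third-party target that merits manual review.
SAMPLE_CONFIG = json.dumps(
    {
        "model": {
            "_target_": "nemo.collections.asr.models.EncDecCTCModel",
            "encoder": {"_target_": "torch.nn.Conv1d", "in_channels": 80},
        },
        "optim": {"_target_": "torch.optim.Adam", "lr": 0.001},
        "tokenizer": {"_target_": "builtins.eval"},
        "callbacks": [{"_target_": "custom_pkg.Loader"}],
    }
)

if __name__ == "__main__":
    for finding in load_and_audit(SAMPLE_CONFIG):
        print(f"{finding['verdict']:8} {finding['path']}: {finding['target']}")
```

A loader that wires this in refuses to call the instantiation routine when any finding is `denied`, and treats `unknown` as a review queue rather than a pass; the check is cheap enough to run on every model file pulled from a public hub.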

Why this matters: The vulnerabilities in these popular AI/ML libraries pose a significant real-world risk as they may allow attackers to manipulate widely used models, potentially leading to data breaches or service disruptions. Organizations must be vigilant in scrutinizing the sources and integrity of AI models they deploy.

Palo Alto Networks offers solutions like Prisma AIRS for identifying affected models and Cortex Cloud for vulnerability management, aiding organizations in reducing their risk exposure.

No specific Indicators of Compromise (IOCs) were provided in the article.
