Uncovering Remote Code Execution Vulnerabilities in AI/ML Libraries: A Deep Dive (2026)

Remote Code Execution With Modern AI/ML Formats and Libraries

Executive Summary

We identified vulnerabilities in three open-source artificial intelligence/machine learning (AI/ML) Python libraries published by Apple, Salesforce and NVIDIA on their GitHub repositories. Vulnerable versions of these libraries allow for remote code execution (RCE) when a model file with malicious metadata is loaded.

Specifically, these libraries are:

  • NeMo (https://github.com/NVIDIA-NeMo/NeMo/tree/main): A PyTorch-based framework, created by NVIDIA for research purposes, that is designed for developing diverse AI/ML models and complex systems
  • Uni2TS (https://github.com/SalesforceAIResearch/uni2ts): A PyTorch library created for research purposes that is used by Salesforce's Moirai, a foundation model for time series analysis that forecasts trends from vast datasets
  • FlexTok (https://github.com/apple/ml-flextok): A Python-based framework created for research purposes that enables AI/ML models to process images by handling the encoding and decoding functions, created by researchers at Apple and the Swiss Federal Institute of Technology’s Visual Intelligence and Learning Lab

These libraries are used in popular models on HuggingFace with tens of millions of downloads in total.

The vulnerabilities stem from libraries using metadata to configure complex models and pipelines, where a shared third-party library instantiates classes using this metadata. Vulnerable versions of these libraries simply execute the provided data as code. This allows an attacker to embed arbitrary code in model metadata, which would automatically execute when vulnerable libraries load these modified models.
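The following added example (not code from the article or from any of the three libraries) shows a defensive pre-load check for this pattern: it walks nested model metadata, reports every class path outside an exact allowlist, and refuses to instantiate anything if one is found. The `_target_` key name, the allowlist entries and the sample metadata are assumptions constructed for illustration; the page does not name the third-party library or its key.

```python
import importlib

# Assumed convention: a "_target_" key names the class to build and the
# remaining keys are its keyword arguments. Allowlist entries are hypothetical.
TARGET_KEY = "_target_"
ALLOWED_TARGETS = {"fractions.Fraction", "collections.OrderedDict"}


def find_targets(node, path="$"):
    """Yield (location, dotted_name) for every target key in nested metadata."""
    if isinstance(node, dict):
        if TARGET_KEY in node:
            yield path, node[TARGET_KEY]
        for key, value in node.items():
            yield from find_targets(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from find_targets(value, f"{path}[{i}]")


def disallowed_targets(metadata):
    """Return every target that is not a string on the exact allowlist."""
    return [(loc, name) for loc, name in find_targets(metadata)
            if not (isinstance(name, str) and name in ALLOWED_TARGETS)]


def safe_instantiate(node):
    """Build objects from metadata only if every nested target is allowed."""
    bad = disallowed_targets(node)
    if bad:
        raise ValueError(f"refusing to load, disallowed targets: {bad}")
    return _build(node)


def _build(node):
    # Recursively resolve allowed targets; plain values pass through unchanged.
    if isinstance(node, list):
        return [_build(v) for v in node]
    if not isinstance(node, dict):
        return node
    kwargs = {k: _build(v) for k, v in node.items() if k != TARGET_KEY}
    if TARGET_KEY not in node:
        return kwargs
    module_name, _, attr = node[TARGET_KEY].rpartition(".")
    return getattr(importlib.import_module(module_name), attr)(**kwargs)


# Constructed sample metadata: one expected class, one unexpected callable.
GOOD = {"_target_": "fractions.Fraction", "numerator": 3, "denominator": 4}
BAD = {"model": GOOD, "hook": {"_target_": "os.getcwd"}}
```

The whole tree is validated before any object is built, so a disallowed entry nested deep in the metadata blocks the load rather than running after earlier entries have already been instantiated.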

As of December 2025, we have found no malicious examples using these vulnerabilities in the wild. Palo Alto Networks notified all affected vendors in April 2025 to ensure they had a chance to implement mitigations or resolve the issues before publication.

  • NVIDIA issued CVE-2025-23304 (https://nvidia.custhelp.com/app/answers/detail/a_id/5686), rated High severity, and released a fix in NeMo version 2.3.2
  • The researchers who created FlexTok updated their code in June 2025 to resolve the issues
  • Salesforce issued CVE-2026-22584 (https://help.salesforce.com/s/articleView?id=005239354&type=1), rated High severity, and deployed a fix on July 31, 2025

These vulnerabilities were discovered by Prisma AIRS (https://www.paloaltonetworks.com/prisma/prisma-ai-runtime-security), which is able to identify models leveraging these vulnerabilities and extract their payloads.

Additionally, Palo Alto Networks customers are better protected from the threats discussed above through the following products and services:

  • Cortex Cloud’s Vulnerability Management (https://www.paloaltonetworks.com/cortex/cloud/vulnerability-management)
  • The Unit 42 AI Security Assessment (https://www.paloaltonetworks.com/resources/datasheets/unit-42-ai-security-assessment) can help organizations reduce AI adoption risk, secure AI innovation and strengthen AI governance.
  • If you think you might have been compromised or have an urgent matter, contact the Unit 42 Incident Response team (https://start.paloaltonetworks.com/contact-unit42.html).

Related Unit 42 Topics: Python (https://unit42.paloaltonetworks.com/tag/python/), LLMs (https://unit42.paloaltonetworks.com/tag/llm/), Machine Learning (https://unit42.paloaltonetworks.com/tag/machine-learning/)

Article information

Author: Dr. Pierre Goyette
