Remote Code Execution With Modern AI/ML Formats and Libraries (2026)

Remote Code Execution With Modern AI/ML Formats and Libraries

Executive Summary:

We identified vulnerabilities in three open-source artificial intelligence/machine learning (AI/ML) Python libraries published by Apple, Salesforce, and NVIDIA on their GitHub repositories. Vulnerable versions of these libraries allow for remote code execution (RCE) when a model file with malicious metadata is loaded.

Libraries Affected:

  • NeMo (https://github.com/NVIDIA-NeMo/NeMo/tree/main): A PyTorch-based framework created for research purposes that is designed for the development of diverse AI/ML models and complex systems created by NVIDIA.
  • Uni2TS (https://github.com/SalesforceAIResearch/uni2ts): A PyTorch library created for research purposes that is used by Salesforce's Morai, a foundation model for time series analysis that forecasts trends from vast datasets.
  • FlexTok (https://github.com/apple/ml-flextok): A Python-based framework created for research purposes that enables AI/ML models to process images by handling the encoding and decoding functions, created by researchers at Apple and the Swiss Federal Institute of Technology’s Visual Intelligence and Learning Lab.

These libraries are used in popular models on HuggingFace with tens of millions of downloads in total.

See Also
London's Most Luxurious Gyms: From Oxygen Chambers to £10k MembershipsMicrobes in Your Shower Drain: The Next Big Scientific Discovery? | Unseen Heroes in Your HomeMotorola Razr Fold: Unveiling the Ultimate Competitor to Samsung Galaxy Z FoldGalaxy S27 Ultra Camera Rumors: Unlocking the Ultimate Photography Experience

Vulnerabilities:

The vulnerabilities stem from libraries using metadata to configure complex models and pipelines, where a shared third-party library instantiates classes using this metadata. Vulnerable versions of these libraries simply execute the provided data as code. This allows an attacker to embed arbitrary code in model metadata, which would automatically execute when vulnerable libraries load these modified models.

Mitigation and Protection:

Palo Alto Networks notified all affected vendors in April 2025 to ensure they had a chance to implement mitigations or resolve the issues before publication.

  • NVIDIA issued CVE-2025-23304 (https://nvidia.custhelp.com/app/answers/detail/a_id/5686), rated High severity, and released a fix in NeMo version 2.3.2.
  • The researchers who created FlexTok updated their code in June 2025 to resolve the issues.
  • Salesforce issued CVE-2026-22584 (https://help.salesforce.com/s/articleView?id=005239354&type=1), rated High severity, and deployed a fix on July 31, 2025.

Prisma AIRS:

These vulnerabilities were discovered by Prisma AIRS (https://www.paloaltonetworks.com/prisma/prisma-ai-runtime-security), which is able to identify models leveraging these vulnerabilities and extract their payloads.

Palo Alto Networks Protection:

Additionally, Palo Alto Networks customers are better protected from the threats discussed above through the following products and services:

  • Cortex Cloud’s Vulnerability Management (https://www.paloaltonetworks.com/cortex/cloud/vulnerability-management): Identifies and manages base images for cloud virtual machine and containerized environments, allowing for identification and alerting of vulnerabilities and misconfigurations, and providing remediation tasks for identified base-level container images. The Cortex Cloud Agent can also detect the runtime operations discussed within this article.
  • Unit 42 AI Security Assessment (https://www.paloaltonetworks.com/resources/datasheets/unit-42-ai-security-assessment): Helps organizations reduce AI adoption risk, secure AI innovation, and strengthen AI governance.

Contact for Urgent Matters:

If you think you may have been compromised or have an urgent matter, contact the Unit 42 Incident Response team (https://start.paloaltonetworks.com/contact-unit42.html) or call:

  • North America: Toll Free: +1 (866) 486-4842 (866.4.UNIT42)
  • UK: +44.20.3743.3660
  • Europe and Middle East: +31.20.299.3130
  • Asia: +65.6983.8730
  • Japan: +81.50.1790.0200
  • Australia: +61.2.4062.7950
  • India: 000 800 050 45107
  • South Korea: +82.080.467.8774

Palo Alto Networks and Cyber Threat Alliance (CTA):

Palo Alto Networks has shared these findings with our fellow Cyber Threat Alliance (CTA) members. CTA members use this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors. Learn more about the Cyber Threat Alliance (https://www.cyberthreatalliance.org/).

Additional Resources:

  • Hydra documentation (https://hydra.cc/)
  • NeMo source code (https://github.com/NVIDIA/NeMo/tree/main)
  • uni2ts source code (https://github.com/SalesforceAIResearch/uni2ts)
  • ml-flextok source code (https://github.com/apple/ml-flextok)
  • Libraries of NeMo models (https://huggingface.co/models?library=nemo)
Remote Code Execution With Modern AI/ML Formats and Libraries (2026)
Top Articles
Researchers discover protein protecting brain from aging damage
NASA's Curiosity Rover: Unveiling Mars' Geological Secrets in Monte Grande Hollow
Rand Paul Slams Trump's Venezuela Oil Tanker Seizure: Prelude to War?
Latest Posts
Top 8 Off-Season European Destinations for Mild Winter Adventures
Remembering Rob Reiner: A Tribute to His Iconic Films & Legacy
Recommended Articles
Article information

Author: Ms. Lucile Johns

Last Updated:

Views: 6399

Rating: 4 / 5 (41 voted)

Reviews: 80% of readers found this page helpful

Author information

Name: Ms. Lucile Johns

Birthday: 1999-11-16

Address: Suite 237 56046 Walsh Coves, West Enid, VT 46557

Phone: +59115435987187

Job: Education Supervisor

Hobby: Genealogy, Stone skipping, Skydiving, Nordic skating, Couponing, Coloring, Gardening

Introduction: My name is Ms. Lucile Johns, I am a successful, friendly, friendly, homely, adventurous, handsome, delightful person who loves writing and wants to share my knowledge and understanding with you.