TL;DR

Researchers found vulnerabilities in three widely used Python AI/ML libraries—NeMo, Uni2TS and FlexTok—that let malicious metadata trigger remote code execution when models are loaded. Palo Alto Networks' Unit 42 reported the issues, maintainers have pushed fixes and some CVEs, and no active exploitation has been observed in the wild so far.

What happened

Palo Alto Networks' Unit 42 disclosed flaws in three open-source Python libraries used with Hugging Face models — NeMo (Nvidia), Uni2TS (Salesforce) and FlexTok (Apple with EPFL VILAB). The libraries pass model metadata to Hydra's hydra.utils.instantiate() function, which accepts arbitrary callables, enabling an attacker to embed malicious metadata that causes remote code execution when a poisoned file is loaded. Unit 42 warned the attack surface is large because Hugging Face hosts models that rely on more than 100 Python libraries, nearly 50 of which use Hydra. The maintainers issued fixes and warnings: Nvidia released a NeMo patch (tracked as CVE-2025-23304), Salesforce published CVE-2026-22584 and deployed a fix, and Apple/EPFL updated FlexTok to parse configurations with YAML and apply an allow list. Meta updated Hydra documentation to warn about instantiate() but a block-list mechanism has not been shipped in a Hydra release, according to Unit 42.

Why it matters

  • Malicious actors can hide executable payloads in model metadata, which may run automatically when a model file is loaded.
  • Hugging Face models rely on a large ecosystem of third-party libraries, expanding potential attack vectors across many published models.
  • Some file formats and metadata fields are not surfaced or flagged as unsafe by Hugging Face tooling, increasing risk to users who download models.
  • Patches and documentation changes are available, but centralized protections (e.g., a Hydra release with blocking) were not yet provided at the time of the report.

Key facts

  • Affected libraries: NeMo (Nvidia), Uni2TS (Salesforce) and FlexTok (Apple with EPFL VILAB).
  • Root cause: use of hydra.utils.instantiate() to load configuration data from model metadata, which can call arbitrary callables.
  • Unit 42 discovered the vulnerabilities and notified maintainers; no in-the-wild exploitation has been observed to date.
  • NeMo was assigned CVE-2025-23304 and patched in NeMo version 2.3.2.
  • Salesforce issued CVE-2026-22584 and deployed a fix for Uni2TS (reported as issued on July 31 in the source).
  • Apple and EPFL VILAB mitigated the FlexTok issue by switching to YAML parsing and adding an allow list of classes for instantiate().
  • Meta updated Hydra documentation to warn users that instantiate() can enable RCE and recommended comparing _target_ values against dangerous functions; a built-in block-list mechanism had not been released in Hydra at the time of the report.
  • More than 100 different Python libraries are used by models on Hugging Face, and almost 50 of them use Hydra according to Unit 42.
  • Unit 42 noted there are over 700 models on Hugging Face provided in NeMo format; FlexTok models from EPFL VILAB have tens of thousands of downloads, and Salesforce models have hundreds of thousands of downloads.
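As an added illustration of the root cause and of the allow-list mitigation described above (example code written for this summary, not code from Unit 42, FlexTok or Hydra), the following stand-in walks a parsed metadata tree, rejects any _target_ that is not on a fixed allow list, and only then resolves the dotted paths. The allow-list entries, the DisallowedTarget exception and the two sample configs are constructed for the example; Hydra's real instantiate() also handles keys such as _partial_ and _args_, which are omitted here, and an allow list is stricter than the block list of dangerous functions the Hydra docs mention.

```python
import importlib
# Added example, not code from the advisory or the patched projects: a stand-in for
# the allow-list check FlexTok put in front of hydra.utils.instantiate(). Every
# "_target_" in the tree (Hydra recurses into nested nodes) must be allow-listed.

ALLOWED_TARGETS = {"collections.Counter", "collections.OrderedDict"}  # stand-ins for model classes
class DisallowedTarget(ValueError):
    """Metadata named a callable outside the allow list."""
def collect_targets(node, path="$"):
    """Return every (config path, _target_) pair in a parsed YAML/JSON tree."""
    found = []
    if isinstance(node, dict):
        if "_target_" in node:
            found.append((path, str(node["_target_"])))
        for key, value in node.items():
            found.extend(collect_targets(value, f"{path}.{key}"))
    elif isinstance(node, list):
        for i, value in enumerate(node):
            found.extend(collect_targets(value, f"{path}[{i}]"))
    return found

def validate_targets(cfg, allowed=ALLOWED_TARGETS):
    """Raise on the first non-allow-listed target; return the vetted paths."""
    vetted = []
    for path, target in collect_targets(cfg):
        if target not in allowed:
            raise DisallowedTarget(f"{path}: _target_={target!r} is not allow-listed")
        vetted.append(path)
    return vetted

def _build(node):
    # Bottom-up construction; only reached after the whole tree passed validation.
    if isinstance(node, dict):
        kwargs = {k: _build(v) for k, v in node.items() if k != "_target_"}
        if "_target_" not in node:
            return kwargs
        module, _, name = node["_target_"].rpartition(".")
        return getattr(importlib.import_module(module), name)(**kwargs)
    if isinstance(node, list):
        return [_build(v) for v in node]
    return node

def safe_instantiate(cfg, allowed=ALLOWED_TARGETS):
    """Minimal instantiate() stand-in: validate first, then build (no _partial_/_args_)."""
    validate_targets(cfg, allowed)
    return _build(cfg)

# Constructed metadata: a benign config and a poisoned one with a nested os.system target.
BENIGN_CFG = {"_target_": "collections.Counter", "a": 1, "b": 2}
POISONED_CFG = {"model": {"_target_": "collections.OrderedDict", "hook": {"_target_": "os.system"}}}
```

Validation runs over the whole tree before any import happens, so a disallowed target buried in a nested node is refused rather than discovered halfway through construction.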

What to watch next

  • Whether Meta releases a Hydra version that includes an official block-list or safer instantiate() behavior (not confirmed in the source).
  • Any reports of active exploitation of these metadata-based RCE vectors in the wild (not confirmed in the source).
  • Responses or additional mitigations from Hugging Face around metadata visibility and flagging for safetensors and NeMo formats; The Register had received only a Salesforce response at the time of publication (not confirmed in the source).

Quick glossary

  • Hydra: A Python configuration management library often used in machine learning projects to compose and instantiate configuration-defined objects.
  • instantiate(): A Hydra utility that constructs objects or calls callables described in configuration data; if given arbitrary callable names it may invoke unintended code.
  • Remote code execution (RCE): A class of vulnerability that allows an attacker to run arbitrary code on a target system from a remote location.
  • safetensors: A file format designed for storing tensor data safely, intended to avoid arbitrary code execution risks associated with pickle-like formats.
  • Metadata: Descriptive data about a model or file—such as configuration parameters—that can be stored alongside model weights and read by loading code.

Reader FAQ

Have attackers used these vulnerabilities in the wild?
Unit 42 reported no evidence of in-the-wild exploitation to date.

Which specific libraries were affected?
NeMo (Nvidia), Uni2TS (Salesforce) and FlexTok (Apple with EPFL VILAB) were identified as vulnerable.

Have fixes been released?
Yes. Nvidia patched NeMo (tracked as CVE-2025-23304), Salesforce issued CVE-2026-22584 and deployed a fix, and Apple/EPFL updated FlexTok; Meta updated Hydra documentation but had not shipped a block-list feature in a release.

Did Hugging Face respond to the report?
The Register contacted Hugging Face and several maintainers and received only a response from Salesforce; further responses were not reported in the source.

Sources

  • The Register, Patches section: "Popular Python libraries used in Hugging Face models subject to poisoned metadata attack" (The open-source libraries were created by Salesforce, Nvidia, and Apple with a Swiss group), by Jessica Lyons …
