- Palo Alto identified serious vulnerabilities in AI/ML libraries NeMo, Uni2TS, and FlexTok
- These flaws could enable arbitrary code execution through malicious model metadata
- All vulnerabilities are expected to be patched by mid-2025; no exploitation has been reported as of December 2025
Researchers from Palo Alto Networks have uncovered vulnerabilities in several prominent Artificial Intelligence (AI) and Machine Learning (ML) tools that could allow malicious actors to remotely execute harmful code on targeted systems.
In a security advisory, the team revealed that they discovered issues in three open-source Python libraries developed by Apple, Salesforce, and NVIDIA in April 2025.
The affected libraries include NeMo, a PyTorch-based framework for research; Uni2TS, a PyTorch library utilized by Salesforce’s Moirai; and FlexTok, a Python framework that enables AI and ML models to process images. Collectively, these libraries have garnered over 10 million downloads on Hugging Face, a platform hosting open-source AI models and tools.
Bugs Resolved
Palo Alto explained that the vulnerabilities arise from the libraries using metadata to configure complex models and pipelines, where a shared third-party library instantiates classes based on this metadata.
“Vulnerable versions of these libraries execute the provided data as code, allowing an attacker to embed arbitrary code in model metadata, which executes automatically when the libraries load these modified models,” the advisory stated.
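The pattern described above, metadata that names a class to instantiate, is illustrated by the following added example (not code from Palo Alto, NVIDIA, Salesforce or Apple). It assumes a dotted-path key named `_target_` and shows the mitigation: an explicit allowlist, with a scanner that reports any target outside it and a loader that refuses to import it.

```python
"""Allowlist-gated instantiation for model metadata.

Constructed example: a config-driven loader that turns metadata into
objects by importing a dotted class path (the key name '_target_' is an
assumption for illustration). Only classes on an explicit allowlist are
ever imported or called; anything else is reported and refused, not run.
"""
import importlib
from typing import Any

# Constructed allowlist: the only dotted paths this loader may instantiate.
ALLOWED_TARGETS = {
    "collections.OrderedDict",
    "fractions.Fraction",
}

def find_disallowed_targets(node: Any, path: str = "$") -> list[str]:
    """Walk nested metadata and report every '_target_' not on the allowlist."""
    findings = []
    if isinstance(node, dict):
        target = node.get("_target_")
        if isinstance(target, str) and target not in ALLOWED_TARGETS:
            findings.append(f"{path}._target_={target}")
        for key, value in node.items():
            findings.extend(find_disallowed_targets(value, f"{path}.{key}"))
    elif isinstance(node, list):
        for i, value in enumerate(node):
            findings.extend(find_disallowed_targets(value, f"{path}[{i}]"))
    return findings

def safe_instantiate(node: Any) -> Any:
    """Instantiate metadata recursively, refusing any target outside the allowlist."""
    if isinstance(node, list):
        return [safe_instantiate(v) for v in node]
    if not isinstance(node, dict):
        return node
    # Children are resolved first, so a nested disallowed target is refused too.
    kwargs = {k: safe_instantiate(v) for k, v in node.items() if k != "_target_"}
    target = node.get("_target_")
    if target is None:
        return kwargs
    if target not in ALLOWED_TARGETS:
        raise ValueError(f"refusing to instantiate non-allowlisted target {target!r}")
    module_name, _, class_name = target.rpartition(".")
    cls = getattr(importlib.import_module(module_name), class_name)
    return cls(**kwargs)

# Constructed sample metadata: one benign object and one target that must be refused.
BENIGN_META = {"_target_": "fractions.Fraction", "numerator": 3, "denominator": 4}
SUSPICIOUS_META = {"model": {"_target_": "os.system", "command": "true"}}
```

Running `find_disallowed_targets` over a model's metadata before loading gives a cheap pre-load check; the allowlist belongs in the loading library, not in the untrusted file.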
All three developers were notified in April 2025, and by the end of July, fixes were implemented. NVIDIA released CVE-2025-23304 with a high severity rating (7.8/10) and addressed it in NeMo 2.3.2. FlexTok updated its code in June 2025, while Salesforce issued CVE-2026-22584, rated critical (9.8/10), and resolved it in July 2025.
As of December 2025, Palo Alto reported no evidence of these vulnerabilities being exploited in the wild. The issues were identified using the company’s Prisma AIRS tool.
