Critical Metadata Poisoning Vulnerability Found in AI/ML Python Libraries Used by Hugging Face

A critical security vulnerability affecting popular Python libraries used in AI and machine learning models has been discovered by security researchers at Palo Alto Networks' Unit 42. The flaw allows attackers to embed malicious code within model metadata that executes automatically when files are loaded, potentially compromising systems running models from Hugging Face and other repositories.

The affected libraries—Nvidia's NeMo, Salesforce's Uni2TS, and Apple's FlexTok—are widely used frameworks for building and deploying AI models. All three were developed through collaborations between major tech companies and academic institutions, with NeMo created by Nvidia, Uni2TS by Salesforce, and FlexTok by Apple and EPFL's Visual Intelligence and Learning Lab. These libraries have collectively seen millions of downloads and are integrated with hundreds of models available on Hugging Face.

The Core Vulnerability: Hydra's Instantiate Function

The root cause of these vulnerabilities lies in how these libraries use the hydra.utils.instantiate() function from Hydra, a configuration management library maintained by Meta. Hydra is commonly used in machine learning projects to dynamically instantiate Python objects from configuration files.

The instantiate() function is designed to create Python objects based on class names specified in configuration files. However, the function doesn't restrict instantiation to only classes—it accepts any callable, including built-in Python functions like eval() and os.system(). This flexibility, while intended for convenience, creates a dangerous attack vector when combined with untrusted configuration data.

In these three libraries, the instantiate() function is called directly on metadata loaded from model files without proper sanitization. An attacker can craft malicious metadata that specifies a dangerous callable as the _target_ parameter. When the library loads this metadata and calls instantiate(), it executes the attacker's code with the privileges of the application loading the model.

Attack Scenarios and Impact

The vulnerability enables several attack scenarios:

1. Remote Code Execution: Attackers can execute arbitrary code on systems that load poisoned models
2. Data Tampering: Malicious code could modify model outputs or training data
3. Supply Chain Attacks: Compromised models could spread through development and deployment pipelines

Unit 42 researcher Curtis Carmony noted that "there is ample opportunity for attackers to leverage them," pointing out that developers frequently create custom variations of popular models with fine-tunings and quantizations, often from unaffiliated researchers. Attackers could release a modified version of a popular model with claimed improvements while embedding malicious metadata.

Hugging Face's platform adds to the risk because metadata contents aren't as easily accessible as other files, and the platform doesn't flag files using its safetensors or NeMo formats as potentially unsafe. While these formats themselves are secure, the code that processes them creates a large attack surface.

Affected Libraries and Specific Vulnerabilities

NeMo (Nvidia)

NeMo is a PyTorch-based framework created by Nvidia in 2019 for building conversational AI models. The vulnerability affects NeMo's file formats:

• .nemo files: TAR archives containing model_config.yaml and .pt files
• .qnemo files: TAR archives containing model_config.yaml and .safetensors files

The metadata in these files is passed directly to hydra.utils.instantiate() without sanitization, allowing RCE when loading malicious files. Nvidia assigned CVE-2025-23304 to this high-severity bug and released a fix in NeMo version 2.3.2.

NeMo integrates with Hugging Face, and attackers could exploit this vulnerability through the same code path after downloading models. Unit 42 identified over 700 models on Hugging Face using NeMo's file format from various developers.

Uni2TS (Salesforce)

Uni2TS is a PyTorch library developed by Salesforce for time series analysis, used in their Morai foundation model. The library works exclusively with .safetensors files—Hugging Face's safe format designed to prevent code execution during loading.

However, the library extends PyTorchModelHubMixin, which provides a mechanism for registering coder functions. Uni2TS uses this to decode configuration arguments via hydra.utils.instantiate(), reintroducing the vulnerability despite using the safe file format.

Salesforce models using Uni2TS have hundreds of thousands of downloads on Hugging Face, and numerous user adaptations exist. Salesforce assigned CVE-2026-22584 and deployed a fix on July 31, 2025.

FlexTok (Apple and EPFL VILAB)

FlexTok, created by Apple and EPFL's Visual Intelligence and Learning Lab, is a framework for AI/ML models that process images. Like Uni2TS, it uses only safetensors files and extends PyTorchModelHubMixin to load configuration and metadata from .safetensors files.

After decoding metadata, FlexTok passes it to hydra.utils.instantiate(), triggering the same vulnerability. As of January 2026, only EPFL VILAB's published models were using the ml-flextok library, with tens of thousands of downloads total.

The maintainers fixed these issues by implementing YAML parsing for configurations and creating an allow list of classes permitted to call Hydra's instantiate() function. They also updated documentation to emphasize loading models only from trusted sources.

Meta's Response and Current Status

Meta has updated Hydra's documentation to warn that RCE is possible when using instantiate() with untrusted data. The documentation now urges users to implement a block-list mechanism that checks _target_ values against dangerous functions before execution.

However, as of the disclosure date, this block-list mechanism hasn't been included in an official Hydra release, leaving users to implement their own protections.

Mitigation and Best Practices

Organizations using these libraries should:

1. Update Immediately: Upgrade to patched versions—NeMo 2.3.2 or later, and the latest versions of Uni2TS and FlexTok
2. Verify Sources: Only load models from trusted, verified sources
3. Implement Safeguards: If using Hydra's instantiate() function, implement custom validation to block dangerous callables
4. Audit Dependencies: Review all Python libraries in your ML pipeline that use Hydra
5. Monitor for Updates: Watch for Hydra releases that include built-in protection mechanisms

Broader Implications for AI/ML Security

This vulnerability highlights a critical weakness in the AI/ML supply chain. The popularity of pre-trained models and the ease of sharing and adapting them through platforms like Hugging Face creates a broad attack surface.

The fact that three major tech companies independently made the same mistake suggests a systemic issue in how developers approach configuration management in ML frameworks. The convenience of dynamic object instantiation often outweighs security considerations in rapid development environments.

Additionally, the vulnerability demonstrates that using "safe" file formats like safetensors doesn't guarantee security if the processing code itself is vulnerable. The attack surface extends beyond file parsing to include all configuration and metadata handling.

Timeline and Disclosure

• July 2025: Salesforce proactively remediates the issue in Uni2TS
• July 31, 2025: Salesforce issues CVE-2026-22584
• January 13, 2026: Unit 42 discloses the vulnerabilities publicly
• Ongoing: Nvidia and other vendors release patches; Meta updates documentation

Palo Alto Networks' Unit 42 reported these vulnerabilities to the respective maintainers, who have since issued security warnings and fixes. No in-the-wild exploitation has been observed to date, but the potential for abuse remains significant given the widespread use of these libraries.

For organizations building or deploying AI models, this serves as a reminder to scrutinize not just the models themselves, but the entire software supply chain—including configuration libraries and their usage patterns.

Editor's Note: This article was updated to clarify that Meta maintains Hydra, and to reflect that Salesforce issued their CVE on July 31, 2025.