Critical Vulnerabilities in AI/ML Python Libraries Pose Remote Code Execution Threat
January 14, 2026
A set of security vulnerabilities in Python libraries used for AI/ML—NeMo, Uni2TS, and FlexTok—could allow attackers to inject malicious metadata that triggers remote code execution when these libraries are loaded.
The affected libraries come from Nvidia (NeMo), Salesforce (Uni2TS), and Apple/EPFL VILAB (FlexTok), with Hydra as the common configuration tool involved.
NeMo stores model metadata in TAR files containing model_config.yaml, and untrusted metadata loaded via Hydra's instantiate() could trigger RCE or data tampering; Nvidia issued CVE-2025-23304 and a fix in NeMo 2.3.2.
As of December 2025, no real-world exploitation had been observed; Palo Alto Networks researchers identified the risks and notified vendors in April 2025 for mitigation prior to publication.
Security responses include proactive remediation by Salesforce in mid-2025, warnings from researchers, and ongoing updates to documentation and safeguards by project maintainers.
Mitigations include newer model formats like safetensors that limit serialization to weights and data, PyTorch/UX protections with allow lists, and Hydra updates adding warnings and block-list concepts, though deployment is not universal.
Meta updated the Hydra documentation to warn that instantiate() can lead to RCE and to describe a block-list mechanism, but that mechanism was not available in all Hydra releases at the time, so availability varies by release.
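The allow-list idea mentioned above can be applied on the consumer side as well: before handing untrusted model metadata to Hydra, walk the parsed config and refuse any `_target_` whose dotted import path is not on a policy list. The following is an added example written for this summary; it is not code from Unit 42, Nvidia, Hydra, or any of the affected projects. It assumes the config has already been parsed into a Python dict (reading model_config.yaml out of the TAR is out of scope), that Hydra's `_target_` key names the callable to build, and that the allow-list and the sample configs are hypothetical values constructed for illustration.

```python
"""Allow-list check for Hydra-style configs before instantiate().

Added example, not code from the page or from any of the projects it
names. Assumptions: the config is already a parsed dict, `_target_` is
the Hydra key naming the callable to build, and ALLOWED_TARGET_PREFIXES
is a hypothetical policy for one deployment.
"""
from typing import Any, Callable, Iterable, List, Tuple

# Hypothetical policy (constructed): import-path prefixes this deployment
# is willing to instantiate from model metadata. Everything else is refused.
ALLOWED_TARGET_PREFIXES: Tuple[str, ...] = (
    "torch.nn.",
    "nemo.collections.",
)

# Constructed sample configs; neither comes from a real model archive.
SAFE_CONFIG = {
    "model": {
        "_target_": "nemo.collections.asr.models.EncDecCTCModel",
        "encoder": {"_target_": "torch.nn.Linear",
                    "in_features": 4, "out_features": 2},
    }
}
UNTRUSTED_CONFIG = {
    "model": {
        "_target_": "nemo.collections.asr.models.EncDecCTCModel",
        # Placeholder target outside the policy, standing in for whatever
        # a tampered model_config.yaml might name.
        "encoder": {"_target_": "untrusted_pkg.Loader"},
    }
}


def collect_targets(node: Any, path: str = "") -> List[Tuple[str, str]]:
    """Recursively gather every (config path, _target_) pair in a parsed config."""
    found: List[Tuple[str, str]] = []
    if isinstance(node, dict):
        if "_target_" in node:
            found.append((path or "<root>", str(node["_target_"])))
        for key, value in node.items():
            child = f"{path}.{key}" if path else str(key)
            found.extend(collect_targets(value, child))
    elif isinstance(node, list):
        for i, value in enumerate(node):
            found.extend(collect_targets(value, f"{path}[{i}]"))
    return found


def is_allowed(target: str,
               prefixes: Iterable[str] = ALLOWED_TARGET_PREFIXES) -> bool:
    """Prefix allow-list on the dotted import path of a _target_."""
    return any(target.startswith(p) for p in prefixes)


def check_config(config: Any) -> List[str]:
    """Return 'path: target' for every disallowed _target_; empty list means OK."""
    return [f"{path}: {target}"
            for path, target in collect_targets(config)
            if not is_allowed(target)]


def safe_instantiate(config: Any, instantiate_fn: Callable[[Any], Any]) -> Any:
    """Gate a Hydra-style instantiate call on the allow-list check.

    instantiate_fn is passed in so the example runs without Hydra installed;
    in a real deployment it would be hydra.utils.instantiate.
    """
    violations = check_config(config)
    if violations:
        raise ValueError("refusing to instantiate untrusted targets: "
                         + "; ".join(violations))
    return instantiate_fn(config)


if __name__ == "__main__":
    print("safe config violations:", check_config(SAFE_CONFIG))
    print("untrusted config violations:", check_config(UNTRUSTED_CONFIG))
```

A prefix match is only as good as the packages under the prefix, so a production policy would usually list exact class paths rather than prefixes, and this check is defence in depth alongside loading models only from trusted sources and a Hydra release that has its own block list.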
The article highlights the broader risk surface from complex dependencies in AI workflows and the need for proactive security practices in metadata handling to prevent RCE.
Preventative recommendations include loading models from trusted sources, staying current with security advisories, and maintaining robust security practices to mitigate potential exploitation.
FlexTok fixed the issue in its codebase in mid-2025.
The broader risk surface extends beyond the three libraries to hundreds of Python libraries used by Hugging Face models, many relying on Hydra, underscoring the need for trusted sources and secure coding practices.
Summary based on 6 sources
Sources

The Register • Jan 13, 2026
Popular Python libraries used in Hugging Face models subject to poisoned metadata attack
Unit 42 • Jan 13, 2026
Remote Code Execution With Modern AI/ML Formats and Libraries
