惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
量子位
M
MIT News - Artificial intelligence
Y
Y Combinator Blog
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
Google DeepMind News
Google DeepMind News
Hugging Face - Blog
Hugging Face - Blog
博客园_首页
雷峰网
雷峰网
I
InfoQ
罗磊的独立博客
博客园 - 聂微东
酷 壳 – CoolShell
酷 壳 – CoolShell
大猫的无限游戏
大猫的无限游戏
D
Docker
H
Hackread – Cybersecurity News, Data Breaches, AI and More
腾讯CDC
博客园 - 三生石上(FineUI控件)
The GitHub Blog
The GitHub Blog
K
Kaspersky official blog
P
Privacy & Cybersecurity Law Blog
S
SegmentFault 最新的问题
T
Threat Research - Cisco Blogs
H
Help Net Security
小众软件
小众软件
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
C
CERT Recently Published Vulnerability Notes
WordPress大学
WordPress大学
T
Tenable Blog
T
The Blog of Author Tim Ferriss
C
Cisco Blogs
Simon Willison's Weblog
Simon Willison's Weblog
博客园 - Franky
A
Arctic Wolf
T
Threatpost
Scott Helme
Scott Helme
C
Cybersecurity and Infrastructure Security Agency CISA
D
Darknet – Hacking Tools, Hacker News & Cyber Security
T
The Exploit Database - CXSecurity.com
G
GRAHAM CLULEY
Security Latest
Security Latest
Spread Privacy
Spread Privacy
L
LINUX DO - 热门话题
V
Vulnerabilities – Threatpost
P
Privacy International News Feed
S
Schneier on Security
Latest news
Latest news
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
C
Cyber Attacks, Cyber Crime and Cyber Security
C
CXSECURITY Database RSS Feed - CXSecurity.com

The Register - Security: Patches

Cisco SD-WAN make-me-root bug under attack Ivanti tells Sentry customers to patch now as critical bugs hit 10.0 and 9.9 AI is making Patch Tuesday (kinda) fun again Anthropic to release Mythos-class models to the public Clear your calendar, Drupal user: You have a critically urgent patch to install Welcome to the vulnpocalypse, as vendors use AI to find bugs and patches multiply like rabbits Doozy of a Patch Tuesday includes 30 critical Microsoft CVEs Critical cPanel, WHM flaw probs exploited as 0-day, pros say Microsoft patch fell short. New Windows flaw exploited More Cisco SD-WAN bugs battered in attacks Critical Fortinet sandbox bugs allow auth bypass and RCE Ancient Excel bug comes out of retirement for active attacks Microsoft's massive Patch Tuesday: It's raining bugs Ransomware scum, other crims exploit 4 old Microsoft bugs Attackers exploited the FortiClient EMS bug as a 0-day Citrix NetScaler bug may be multiple flaws in one Ransomware crims abused Cisco 0-day weeks before disclosure Google rushes Chrome update to fix zero-days under attack CISA warns max-severity n8n bug is being exploited in the wild Cisco warns of two more SD-WAN bugs under active attack LexisNexis Legal & Professional confirms data breach Five Eyes warn: Patch your Cisco SD-WAN or risk root takeover Patch these 4 critical, make-me-root SolarWinds bugs ASAP Attacker gets into France's DB listing all bank accounts CISA gives feds 3 days to patch actively exploited Dell bug CISA gives feds 3 days to patch actively exploited Dell bug Google fixes exploited Chrome CSS zero-day Critical Microsoft bug from 2024 under exploitation Apple patches decade-old iOS zero-day exploited in the wild Microsoft's Valentine's gift to admins: 6 zero-day fixes Microsoft's Valentine's gift to admins: 6 zero-day fixes Critical SolarWinds Web Help Desk bug under attack Critical React Native Metro dev server bug under attack Critical React Native Metro dev server bug under attack OpenClaw patches one-click RCE as security Whac-A-Mole continues Ivanti's January bad luck continues as 0-days hit customers Critical VMware vCenter Server bug under attack Critical VMware vCenter Server bug under attack FortiGate SSO bug still exploitable despite December patch Ancient telnet bug happily hands out root to attackers Cisco plugs up Unified Comms zero-day under active exploit Cloudflare whacks WAF bypass bug that opened side door Cloudflare whacks WAF bypass bug that opened side door Anthropic quietly fixed flaws in its Git MCP server Sorry Dave, I’m afraid I can’t do that! PCs refuse to shut down after Microsoft patch Patch Tuesday update makes Windows PCs refuse to shut down Cisco finally fixes max-severity bug under active attack for weeks Cisco finally fixes max-severity bug under attack for weeks Windows info-disclosure 0-day bug gets a fix as CISA sounds alarm Python libraries in AI/ML models can be poisoned w metadata Ruh-roh, there's a Cisco ISE bug POC on the loose Ruh-roh, there's a Cisco ISE bug POC on the loose CISA flags exploited Office relic alongside fresh HPE flaw Critical n8n bug allows unauthenticated server takeover Logitech mouse mayhem traced to expired dev certificate 'Heartbleed of MongoDB' under active exploit Microsoft fixes Message Queuing issue in new update Microsoft fixes Message Queuing issue in new update Critical-rated WatchGuard Firebox flaw under active attack HPE OneView RCE bug scores a perfect 10 Apple, Google forced to issue emergency 0-day patches Microsoft RasMan DoS 0-day gets unofficial patch - and a working exploit Microsoft RasMan 0-day gets an unofficial patch and exploit New React vulns leak secrets, invite DoS attacks Google fixes super-secret 8th Chrome 0-day Microsoft fixes Windows shortcut flaw exploited for years Microsoft fixes Windows shortcut flaw exploited for years Two Android 0-day bugs patched, plus 105 more fixes Fortinet finally cops to critical bug under active exploit Cisco warns of 'new attack variant' battering firewalls Docker Compose vulnerability opens door to host-level writes Microsoft issues out-of-band patch for critical WSUS flaw Vulnerable Rust crate exposes uv Python packager Oracle rushes out another emergency E-Business Suite patch 50K Cisco firewalls remain vulnerable to advanced attacks Exploits using GoAnywhere perfect-10 bug confirmed Critical Cisco firewall holes under active attack SonicWall releases rootkit-busting firmware update SolarWinds patches critical RCE - for the third time Fortra discloses 10/10 severity bug in GoAnywhere MFT OpenAI plugs ShadowLeak bug in ChatGPT Google pushes emergency patch for Chrome 0-day Apple backports patch to older kit after 0-day exploitation
Python libraries in AI/ML models can be poisoned w metadata
2026-01-14 · via The Register - Security: Patches

Vulnerabilities in popular AI and ML Python libraries used in Hugging Face models with tens of millions of downloads allow remote attackers to hide malicious code in metadata. The code then executes automatically when a file containing the poisoned metadata is loaded.

The open source libraries - NeMo, Uni2TS, and FlexTok - were created by Nvidia, Salesforce, and Apple working with the Swiss Federal Institute of Technology's Visual Intelligence and Learning Lab (EPFL VILAB), respectively. 

All three libraries use Hydra, another Python library maintained by Meta and commonly used as a configuration management tool for machine learning projects. Specifically, the vulnerabilities involve Hydra's instantiate() function.

REG AD

Palo Alto Networks' Unit 42 spotted the security flaws and reported them to the libraries' maintainers, who have since issued security warnings, fixes and, in two cases, CVEs. While the threat hunters say they haven't seen any in-the-wild abuse of these vulnerabilities to date, "there is ample opportunity for attackers to leverage them."

REG AD

"It is common for developers to create their own variations of state-of-the-art models with different fine-tunings and quantizations, often from researchers unaffiliated with any reputable institution," Unit 42 malware research engineer Curtis Carmony wrote in a Tuesday analysis. "Attackers would just need to create a modification of an existing popular model, with either a real or claimed benefit, and then add malicious metadata."

Plus, Hugging Face doesn't make the metadata contents as easily accessible as it does with other files, nor does it flag files using its safetensors or NeMo file formats as potentially unsafe.

Models on Hugging Face use more than 100 different Python libraries, and almost 50 of these use Hydra. "While these formats on their own may be secure, there is a very large attack surface in the code that consumes them," Carmony wrote.

The Register reached out to Hugging Face along with the libraries' maintainers (Meta, Nvidia, Salesforce, and Apple), and only received one response. It came from a Salesforce spokesperson who told us: "We proactively remediated the issue in July 2025 and have no evidence of unauthorized access to customer data."

We will update this story if we hear back from any of the other companies.

Hydra

As mentioned earlier, the vulnerabilities have to do with the way the  NeMo, Uni2TS, and FlexTok use the hydra.utils.instantiate() function to load configurations from model metadata, which allows for remote code execution (RCE).

The creators or maintainers of these libraries appear to have overlooked the fact instantiate() doesn't just accept the name of classes to instantiate. It also takes the name of any callable and passes it the provided arguments.

REG AD

By leveraging this, an attacker can more easily achieve RCE using built-in Python functions like eval() and os.system()

Meta has since updated Hydra's documentation with a warning that states RCE is possible when using instantiate() and urges users to add a block-list mechanism that compares the  the _target_ value against a list of dangerous functions before it is called. As of now, however, the block-list mechanism hasn't been made available in a Hydra release.

Here's a closer look at three of the AI/ML libraries that use Hydra's instantiate() function and the related vulnerabilities.

NeMo

NeMo is a PyTorch-based framework that Nvidia created in 2019. Its .nemo and .qnemo file extensions - TAR files containing a model_config.yaml file - store model metadata along with a .pt file or a .safetensors file, respectively.

The problem here is that the metadata isn't sanitized before these NeMo files make an API call to hydra.utils.instantiate(), and this allows an attacker to load .nemo files with maliciously crafted metadata, trigger the vulnerability, and achieve RCE or tamper with data.

Nvidia issued CVE-2025-23304 to track the high-severity bug and released a fix in NeMo version 2.3.2

NeMo also integrates with Hugging Face, and an attacker could follow the same code path to exploit this vulnerability once the model is downloaded.

REG AD

According to Unit 42, more than 700 models on Hugging Face from a variety of developers are provided in NeMo's file format. 

Uni2TS

Uni2TS is a PyTorch library created by Salesforce and used in its Morai foundation model for time series analysis along with a set of models published on Hugging Face

This library works exclusively with .safetensors files, created by Hugging Face as a safe format for storing tensors, as opposed to pickle, which allows for arbitrary code execution during the loading process.

Salesforce models using these libraries have hundreds of thousands of downloads on Hugging Face, and other users have also published several adaptations of these models.

Hugging Face also provides a PyTorchModelHubMixin interface for creating custom model classes that can be integrated with the rest of its framework. 

This interface provides a specific mechanism for registering coder functions, and - you guessed it - the uni2TS library uses this mechanism to decode the configuration of a specific argument via a call to hydra.utils.instantiate().

On July 31, Salesforce issued CVE-2026-22584 and deployed a fix.

FlexTok

Early last year, Apple and EPFL VILAB created FlexTok, a Python-based framework that enables AI/ML models to process images.

As with uni2TS, FlexTok only uses safetensors files, it extends PyTorchModelHubMixin, and it can load configuration and meta data from a .safetensors file. After it decodes the metadata, FlexTok passes it to hydra.utils.instantiate(), which triggers the vulnerability.

"As of January 2026, no models on Hugging Face appear to be using the ml-flextok library other than those models published by EPFL VILAB, which have tens of thousands of downloads in total," Carmony wrote.

Apple and EPFL VILAB fixed these security issues by using YAML to parse their configurations. The maintainers also added an allow list of classes that can call Hydra's instantiate() function, and updated documentation to say only models from trusted sources should be loaded. ®