Remote Code Execution in Modern AI/ML Formats and Libraries
NVIDIA issued CVE-2025-23304 rated high severity with a fix released in NeMo version 2.3.2. Over 700 models on HuggingFace are provided in NeMo format, including popular models like NVIDIA Parakeet. The vulnerability appears to have existed since at least 2020, affecting the extended PyTorch format that NeMo uses for model serialization.
Salesforce received CVE-2026-22584 rated high severity with patches deployed on July 31, 2025. The FlexTok researchers from EPFL VILAB updated their code in June 2025 to resolve issues affecting their machine learning tokenization library. Apple has also implemented fixes for similar vulnerabilities in their AI frameworks.
The technical root cause involves unsafe deserialization of model configuration files. While PyTorch disables arbitrary execution by default and offers safeguards like module allowlisting, extensions and wrapper libraries failed to implement equivalent protections. Embedded pickle files within model archives could execute arbitrary code when models are loaded.
Unit42 has not identified model files exploiting these vulnerabilities in the wild, but emphasizes that ample opportunity exists given the proliferation of community-created model variations. Organizations should update affected libraries immediately, audit model sources carefully, and implement model scanning before deployment. Researchers recommend only loading models from trusted sources and verifying model file integrity.
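The two defensive controls the page names, scanning a model archive for embedded pickles before deployment and loading pickles only with a module allowlist in place, can be shown in a few dozen lines of standard-library Python. The example below is added here and is not NeMo's, PyTorch's, or Unit42's code. It assumes a NeMo-style archive is a tar file whose member names (model_config.yaml, model_weights.ckpt, extra_state.pkl) and contents are constructed for the demo; the scanner disassembles each member with pickletools.genops, which never executes the stream, and reports any opcode that would import a module attribute or call a callable. The AllowlistUnpickler then refuses every global that is not on an explicit allowlist, which is the equivalent protection the wrapper libraries lacked.

```python
"""Scan a tar-based model archive for pickle members and load them through an
allowlisting unpickler. Archive layout and contents are CONSTRUCTED samples."""
import collections
import io
import pickle
import pickletools
import tarfile

# Opcodes that resolve a module attribute or invoke a callable during unpickling.
# A stream holding only plain data (dicts, lists, numbers, strings) needs none.
CODE_OPCODES = {"GLOBAL", "STACK_GLOBAL", "REDUCE", "INST", "OBJ",
                "NEWOBJ", "NEWOBJ_EX", "BUILD"}
STRING_OPCODES = {"UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}


def pickle_findings(data):
    """Return (imports, code_opcodes) for a pickle byte stream without running it.

    imports is the list of (module, name) pairs the stream would resolve.
    """
    imports, code_ops, recent_strings = [], [], []
    for op, arg, _pos in pickletools.genops(data):
        if op.name in STRING_OPCODES:
            recent_strings = (recent_strings + [arg])[-2:]
        if op.name == "GLOBAL":                       # protocol <= 3: "module name"
            module, name = arg.split(" ", 1)
            imports.append((module, name))
        elif op.name == "STACK_GLOBAL" and len(recent_strings) == 2:
            imports.append(tuple(recent_strings))     # protocol 4+: both pushed as strings
        if op.name in CODE_OPCODES:
            code_ops.append(op.name)
    return imports, code_ops


def looks_like_pickle(data):
    """True if the bytes disassemble as a complete pickle that ends in STOP."""
    try:
        ops = [op.name for op, _arg, _pos in pickletools.genops(data)]
    except Exception:
        return False
    return bool(ops) and ops[-1] == "STOP"


def scan_archive(tar_bytes):
    """Map each regular file in the archive to its findings; unpickles nothing."""
    report = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            data = tar.extractfile(member).read()
            if not looks_like_pickle(data):
                report[member.name] = {"pickle": False}
                continue
            imports, code_ops = pickle_findings(data)
            report[member.name] = {"pickle": True, "imports": imports,
                                   "code_opcodes": sorted(set(code_ops)),
                                   "suspicious": bool(code_ops)}
    return report


class AllowlistUnpickler(pickle.Unpickler):
    """Unpickler that resolves only globals present on an explicit allowlist."""
    def __init__(self, file, allowed):
        super().__init__(file)
        self.allowed = allowed

    def find_class(self, module, name):
        if (module, name) in self.allowed:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"blocked global {module}.{name}")


def load_member(tar_bytes, name, allowed=frozenset()):
    """Extract one archive member and unpickle it under the allowlist."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        data = tar.extractfile(name).read()
    return AllowlistUnpickler(io.BytesIO(data), allowed).load()


def build_sample_archive():
    """CONSTRUCTED sample archive: a YAML config, a plain-data checkpoint, and a
    pickle that resolves a global (collections.OrderedDict, chosen because it is
    harmless but still shows what a code-bearing stream looks like)."""
    members = {
        "model_config.yaml": b"name: demo-model\nsample_rate: 16000\n",
        "model_weights.ckpt": pickle.dumps({"layer0.weight": [0.1, 0.2, 0.3]}),
        "extra_state.pkl": pickle.dumps(collections.OrderedDict(a=1)),
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in members.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    archive = build_sample_archive()
    for name, finding in scan_archive(archive).items():
        print(name, finding)
    print(load_member(archive, "model_weights.ckpt"))
```

In the report, model_weights.ckpt is a pickle with no code opcodes, while extra_state.pkl is flagged because its stream contains STACK_GLOBAL and REDUCE and would resolve collections.OrderedDict. Loading the flagged member fails under an empty allowlist and succeeds once that one global is permitted, which is the policy decision a deployment pipeline should make explicitly rather than leave to the loader's defaults.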