• Python libraries used in top AI and ML tools hacked - Nvidia, Sal

    From TechnologyDaily@1337:1/100 to All on Wed Jan 14 15:45:08 2026
    Python libraries used in top AI and ML tools hacked - Nvidia, Salesforce and other libraries all at risk

    Date:
    Wed, 14 Jan 2026 15:35:00 +0000

    Description:
    The bugs have been fixed, so users should patch now, experts warn.

    FULL STORY ======================================================================
    - Palo Alto found critical flaws in AI/ML libraries NeMo, Uni2TS, and FlexTok
    - Vulnerabilities allowed arbitrary code execution via malicious model metadata
    - All patched by mid-2025; no exploitation observed as of December 2025

    Security researchers from Palo Alto Networks have discovered vulnerabilities in Python libraries used in some top artificial intelligence (AI) and machine learning (ML) tools which, if abused, could allow threat actors to remotely execute malicious code on target endpoints.

    In a security advisory, the researchers said that around April 2025, they discovered bugs in three open source Python libraries published by Apple, Salesforce, and NVIDIA, on their GitHub repositories.

    The libraries are called NeMo, Uni2TS, and FlexTok. NeMo is a PyTorch-based framework for research, Uni2TS is a PyTorch library for research used by Salesforce's Moirai, and FlexTok is a Python-based framework for research, enabling AI and ML models to process images. Cumulatively, they have more than 10 million downloads on HuggingFace (a platform that hosts open-source AI models and other tools).

    Bugs fixed

    The vulnerabilities stem from libraries using metadata to configure complex models and pipelines, where a shared third-party library instantiates classes using this metadata, Palo Alto explained in its advisory.

    Vulnerable versions of these libraries simply execute the provided data as code. This allows an attacker to embed arbitrary code in model metadata,
    which would automatically execute when vulnerable libraries load these modified models.
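
    An added example (not from the advisory or the affected libraries) of the defensive pattern for the metadata-driven instantiation described above: every class path in the metadata is checked against an allowlist before anything is imported. The `_target_` key name, the allowlist contents and the sample metadata are assumptions constructed for illustration.

```python
import importlib

# Assumption: metadata names the class to build under a "_target_" key,
# with the remaining keys passed as constructor arguments.
TARGET_KEY = "_target_"
# Hypothetical allowlist: the only callables this loader may instantiate.
ALLOWED_TARGETS = {"collections.OrderedDict", "fractions.Fraction"}

def find_targets(node, path="$"):
    """Yield (path, target) for every target entry in nested metadata."""
    if isinstance(node, dict):
        if TARGET_KEY in node:
            yield path, node[TARGET_KEY]
        for key, value in node.items():
            if key != TARGET_KEY:
                yield from find_targets(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from find_targets(item, f"{path}[{i}]")

def audit(metadata):
    """Return the (path, target) pairs that are not on the allowlist."""
    return [(p, t) for p, t in find_targets(metadata)
            if not isinstance(t, str) or t not in ALLOWED_TARGETS]

def safe_instantiate(node):
    """Build objects from metadata; refuse the whole tree if any target is unlisted."""
    rejected = audit(node)
    if rejected:
        raise ValueError(f"disallowed targets in metadata: {rejected}")
    return _build(node)

def _build(node):
    # Only reached after audit() passed, so every target is an allowlisted string.
    if isinstance(node, list):
        return [_build(item) for item in node]
    if not isinstance(node, dict):
        return node
    kwargs = {k: _build(v) for k, v in node.items() if k != TARGET_KEY}
    if TARGET_KEY not in node:
        return kwargs
    module_name, _, attr = node[TARGET_KEY].rpartition(".")
    return getattr(importlib.import_module(module_name), attr)(**kwargs)

# Constructed sample metadata: one listed target, one unlisted (benign) one.
GOOD = {"scale": {TARGET_KEY: "fractions.Fraction", "numerator": 3, "denominator": 4}}
BAD = {"layers": [GOOD["scale"], {TARGET_KEY: "os.getcwd"}]}
```

    The audit runs over the full tree before the first import, so a disallowed entry nested deep in the metadata stops the load before any listed entry is built.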

    All three developers were notified in April 2025, and by the end of July, all of the bugs were fixed. NVIDIA issued CVE-2025-23304, gave it a high severity rating (7.8/10), and released a fix in NeMo 2.3.2. FlexTok updated its code in June 2025, while Salesforce issued CVE-2026-22584, gave it a critical rating (9.8/10), and fixed it in July 2025.

    Palo Alto says that as of December 2025, there is no evidence that these vulnerabilities are being abused in the wild. All of the bugs were discovered by the company's Prisma AIRS tool.



    ======================================================================
    Link to news story: https://www.techradar.com/pro/security/python-libraries-used-in-top-ai-and-ml-tools-hacked-nvidia-salesforce-and-other-libraries-all-at-risk


    --- Mystic BBS v1.12 A49 (Linux/64)
    * Origin: tqwNet Technology News (1337:1/100)