Remote Code Execution With Modern AI/ML Formats and Librarie...

[carlospolop]

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

• Blog URL: https://unit42.paloaltonetworks.com/rce-vulnerabilities-in-ai-python-libraries/
• Blog Title: Remote Code Execution With Modern AI/ML Formats and Libraries
• Suggested Section: 🤖 AI → AI Models RCE (or a new page under AI Security): "Hydra instantiate() config injection to RCE (model metadata abuse)"; cross-link from Web/Python deserialization and supply-chain sections

🎯 Content Summary

Remote Code Execution With Modern AI/ML Formats and Libraries (Unit 42, Published: January 13, 2026)

Unit 42 identified remote code execution (RCE) vulnerabilities in three AI/ML Python libraries (NVIDIA NeMo, Salesforce uni2TS, Apple/EPFL VILAB ml-flextok/FlexTok). The core issue is unsafe object/callable instantiation from untrusted model metadata/config. Even when “safe” formats such as safetensors are used (no pickle execution), consumer libraries reintrodu...

🔧 Technical Details

Hydra config-to-RCE via instantiate(): If an application loads untrusted configuration/metadata and passes it into hydra.utils.instantiate(), an attacker can set _target_ to an arbitrary callable (not just a class) and supply arguments (e.g., _target_ = builtins.exec with a Python code string). When the victim loads the artifact (model file or repo config), Hydra resolves/imports the target and executes it, yielding RCE.

Bypassing naive string block-lists: Defenses that block only exact _target_ strings before import are bypassable by using alternate import paths or indirections (e.g., stdlib indirection like enum.bltns.eval) or by referencing dangerous functions through application namespaces that resolve to system modules (e.g., nemo.core.classes.common.os.system resolving to posix). Robust mitigation must validate the resolved imported object...

🤖 Agent Actions

Summary:

• Added Hydra-based metadata RCE coverage (NeMo/uni2TS/FlexTok) to AI Models RCE page, including table entry, payload example, bypass notes, and mitigation patterns (allow-listing resolved objects, avoiding unsafe parsing).
• Highlighted how Hydra block-lists can be bypassed and noted DoS risk from ast.literal_eval.
• Updated references with Unit42 blog and Hydra docs/commit links.

Tests:

• Not run (documentation-only changes).

---

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

[carlospolop]

🔗 Additional Context

Original Blog Post: https://unit42.paloaltonetworks.com/rce-vulnerabilities-in-ai-python-libraries/

Content Categories: Based on the analysis, this content was categorized under "🤖 AI → AI Models RCE (or a new page under AI Security): "Hydra instantiate() config injection to RCE (model metadata abuse)"; cross-link from Web/Python deserialization and supply-chain sections".

Repository Maintenance:

• MD Files Formatting: 936 files processed

Review Notes:

• This content was automatically processed and may require human review for accuracy
• Check that the placement within the repository structure is appropriate
• Verify that all technical details are correct and up-to-date
• All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0

[carlospolop]

merge