Industry Newshydrarcesafetensorshuggingface
Libraries Expose Hydra Instantiate Remote Code Execution
|
8.9
Palo Alto Networks' Unit 42 disclosed vulnerabilities in three popular AI/ML Python libraries—Nvidia's NeMo, Salesforce's Uni2TS, and Apple's/EPFL VILAB's FlexTok—that allow remote code execution when hydra.utils.instantiate() processes malicious model metadata used in Hugging Face models. Maintainers have released fixes and advisories (including CVE-2025-23304 and CVE-2026-22584), and the issue raises concerns about a large attack surface across roughly 50 Hydra-using libraries on Hugging Face.
Scoring Rationale
High practical impact and official fixes drive score; limited evidence of in-the-wild exploitation slightly tempers urgency.
Practice with real Retail & eCommerce data
90 SQL & Python problems · 15 industry datasets
Used by DS/ML engineers at top companies
250 free problems · No credit card
See all Retail & eCommerce problems
