Python libraries used in top AI and ML tools hacked - Nvidia, Salesforce and other libraries all at risk (www.techradar.com)

🤖 AI Summary
Security researchers at Palo Alto Networks found critical vulnerabilities in three popular open-source Python libraries used in AI and machine learning frameworks: NeMo, Uni2TS, and FlexTok. The flaws could let an attacker achieve arbitrary code execution by embedding malicious scripts in model metadata, so that simply loading a crafted model would run attacker-controlled code. The libraries are widely adopted, with more than 10 million combined downloads on HuggingFace, which magnifies the impact of the vulnerabilities. The maintainers at Nvidia, Salesforce, and other organizations were notified and shipped fixes by mid-2025; Nvidia assigned the high-severity CVE-2025-23304 and Salesforce the critical CVE-2026-22584. The findings underscore the importance of security in AI development as these models are increasingly integrated into applications and production systems: code execution through model metadata could have been severe had it gone unaddressed. As of December 2025 there were no reported instances of exploitation, reflecting an effective response by the developers in mitigating the risk these vulnerabilities posed.