Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Primary rating from Vendor (https://github.com/huggingface/diffusers).
CVSS VectorVendor: https://github.com/huggingface/diffusers
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
3Blast Radius
ecosystem impact- 3 pypi packages depend on diffusers (2 direct, 1 indirect)
Ecosystem-wide dependent count for version 0.38.0.
DescriptionCVE.org
Impact
A trust_remote_code bypass in DiffusionPipeline.from_pretrained allows arbitrary remote code execution despite the user passing trust_remote_code=False (or omitting it, which is the default). The vulnerability has three variants, all sharing the same root cause - the trust_remote_code gate was implemented inside DiffusionPipeline.download() rather than at the actual dynamic-module load site, so any code path that bypassed or short-circuited download() also bypassed the security check:
- Cross-repo
custom_pipeline.DiffusionPipeline.from_pretrained('repoA', custom_pipeline='attacker/repoB', trust_remote_code=False)- the gate evaluated againstrepoA's file list rather thanrepoB's, sorepoB'spipeline.pywas loaded and executed. - Local snapshot + Hub
custom_pipeline.DiffusionPipeline.from_pretrained('/local/snapshot', custom_pipeline='attacker/repoB', trust_remote_code=False)- the local-path branch never invokeddownload(), so the gate was never reached and remote code fromrepoBexecuted. - Local snapshot with custom components.
DiffusionPipeline.from_pretrained('/local/snapshot', trust_remote_code=False)where the snapshot contains custom component files (e.g.unet/my_unet_model.py) referenced frommodel_index.json- same root cause; the local path skippeddownload()and custom component code executed.
Silent remote code execution on the victim's machine. Anyone calling DiffusionPipeline.from_pretrained with custom pipelines is impacted.
Patches
Yes. Fixed in diffusers 0.38.0 via PR #13448. All users on versions < 0.38.0 should upgrade:
pip install --upgrade "diffusers>=0.38.0"The fix moves the trust_remote_code gate out of DiffusionPipeline.download() and into get_cached_module_file in src/diffusers/utils/dynamic_modules_utils.py, which is the actual chokepoint for every dynamic module load (local, Hub, or community mirror). All three variants now raise ValueError instead of executing untrusted code.
Workarounds
If upgrading immediately is not possible:
- Only call
from_pretrainedwithpretrained_model_name_or_path,custom_pipeline, and local snapshot directories from fully trusted sources that have been audited. - Do not pass
custom_pipeline=pointing at a Hub repository different from the primarypretrained_model_name_or_pathbefore reading itspipeline.py. - Before calling
from_pretrainedon a local snapshot, inspect the snapshot for unexpected*.pyfiles, especially under component subdirectories (unet/,scheduler/, etc.) and at the snapshot root.
These are mitigations, not fixes - the only complete remediation is upgrading to 0.38.0.
Resources
- Fix: https://github.com/huggingface/diffusers/pull/13448
- Original issue: https://github.com/huggingface/diffusers/issues/13446
- Release notes: https://github.com/huggingface/diffusers/releases/tag/v0.38.0
- CWE-94: https://cwe.mitre.org/data/definitions/94.html
AnalysisAI
Remote code execution in Hugging Face diffusers library (all versions < 0.38.0) bypasses the trust_remote_code=False security gate when users load models via DiffusionPipeline.from_pretrained. Three distinct attack vectors exist: cross-repository custom_pipeline parameters, local snapshots combined with Hub custom_pipeline references, and local snapshots containing malicious custom component files. The vulnerability stems from implementing the trust_remote_code check in DiffusionPipeline.download() instead of at the actual dynamic module load point, allowing multiple code paths to skip the security control entirely. Vendor-released patch: diffusers 0.38.0 (confirmed by GitHub advisory GHSA-98h9-4798-4q5v and PR #13448). No public exploit identified at time of analysis; exploitation requires user interaction (loading a model from an attacker-controlled source).
Technical ContextAI
The diffusers library is Hugging Face's Python package for loading and running pretrained diffusion models (Stable Diffusion, DALL-E variants, etc.) from the Hugging Face Hub or local storage. The vulnerability exploits the library's dynamic module loading mechanism, which allows models to include custom Python code (pipeline.py, custom component scripts) that executes during model initialization. The trust_remote_code parameter was intended as a security gate to prevent arbitrary code execution from untrusted sources, following the pattern used in the transformers library. However, the implementation placed the check in DiffusionPipeline.download() rather than in get_cached_module_file() within src/diffusers/utils/dynamic_modules_utils.py, which is the universal chokepoint for all dynamic module imports. This architectural flaw (CWE-94: Improper Control of Generation of Code) meant that code paths bypassing download() - specifically, the local-path branch and cross-repository custom_pipeline resolution - never encountered the security check. The CPE pkg:pip/diffusers indicates this affects all Python environments with the pip-installed package. The fix in PR #13448 refactors the gate into get_cached_module_file and threads the trust_remote_code parameter through the entire call chain (from_pretrained → load_sub_model → get_class_obj_and_candidates → get_cached_module_file), ensuring enforcement regardless of code path.
RemediationAI
Upgrade to diffusers 0.38.0 or later using pip install --upgrade 'diffusers>=0.38.0' per the vendor advisory at https://github.com/huggingface/diffusers/security/advisories/GHSA-98h9-4798-4q5v. The fix in PR #13448 (commit a37f6f8394ac2a7ee8360c3abea811efe54512b1) relocates the trust_remote_code enforcement from DiffusionPipeline.download() into get_cached_module_file(), ensuring all three exploit variants now raise ValueError instead of executing untrusted code. If immediate upgrade is blocked by dependency constraints, apply these compensating controls: (1) Audit all custom_pipeline parameters in from_pretrained calls to ensure they point only to repositories you control or have manually code-reviewed - never pass user-supplied repository names. Trade-off: eliminates ability to dynamically load community pipelines. (2) Before loading any local model snapshot, recursively scan the directory for unexpected .py files, especially under component subdirectories (unet/, scheduler/, vae/, text_encoder/) and inspect model_index.json for custom class_name entries. Trade-off: manual, error-prone process that doesn't scale. (3) Run model loading in isolated containers or VMs with no network egress and minimal filesystem access, treating all from_pretrained calls as potentially hostile. Trade-off: significant operational overhead, breaks workflows requiring network access during model load. These mitigations reduce but do not eliminate risk - the vendor explicitly states 'These are mitigations, not fixes - the only complete remediation is upgrading to 0.38.0.'
Same weakness CWE-94 – Code Injection
View allSame technique Code Injection
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30334
GHSA-98h9-4798-4q5v