Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
4Blast Radius
ecosystem impact- 3 pypi packages depend on diffusers (2 direct, 1 indirect)
Ecosystem-wide dependent count for version 0.38.0.
DescriptionGitHub Advisory
Diffusers is the a library for pretrained diffusion models. Prior to 0.38.0, diffusers 0.37.0 allows remote code execution without the trust_remote_code=True safeguard when loading pipelines from Hugging Face Hub repositories. The _resolve_custom_pipeline_and_cls function in pipeline_loading_utils.py performs string interpolation on the custom_pipeline parameter using f"{custom_pipeline}.py". When custom_pipeline is not supplied by the user, it defaults to None, which Python interpolates as the literal string "None.py". If an attacker publishes a Hub repository containing a file named None.py with a class that subclasses DiffusionPipeline, the file is automatically downloaded and executed during a standard DiffusionPipeline.from_pretrained() call with no additional keyword arguments. The trust_remote_code check in DiffusionPipeline.download() is bypassed because it evaluates custom_pipeline is not None as False (since the kwarg was never supplied), while the downstream code path that actually loads the module resolves the None value into a valid filename. An attacker can achieve silent arbitrary code execution by publishing a malicious model repository with a None.py file and a standard-looking model_index.json that references a legitimate pipeline class name, requiring only that a victim calls from_pretrained on the repository. This vulnerability is fixed in 0.38.0.
AnalysisAI
Remote code execution in HuggingFace Diffusers library (versions < 0.38.0) allows attackers to execute arbitrary Python code when victims load malicious pipelines from Hugging Face Hub repositories. The vulnerability bypasses the trust_remote_code=True safeguard through a type coercion flaw where None values are interpolated as 'None.py' filenames. Attackers can achieve silent code execution by publishing repositories containing a malicious None.py file alongside legitimate-looking configuration, requiring only that victims call DiffusionPipeline.from_pretrained() on the attacker's repository. EPSS data not available; no public exploit identified at time of analysis. Vendor-released patch: version 0.38.0.
Technical ContextAI
The vulnerability exploits Python's string interpolation behavior in the _resolve_custom_pipeline_and_cls function within pipeline_loading_utils.py. When the custom_pipeline parameter is not supplied, Python's default None value undergoes string interpolation via f-string formatting (f'{custom_pipeline}.py'), producing the literal string 'None.py'. The trust_remote_code security check evaluates 'custom_pipeline is not None' as False when the parameter is absent from kwargs, but downstream module loading logic treats the interpolated 'None.py' as a valid filename target. This creates a logic bypass where the security gate checks for explicit None but the file resolution accepts implicit string 'None'. The vulnerability is a CWE-94 (Improper Control of Generation of Code) instance, specifically exploiting type coercion between NoneType and string representations in security-critical path validation. The affected component is the Diffusers library's pipeline loading mechanism from Hugging Face Hub, which uses huggingface_hub's snapshot_download functionality with allow_patterns filtering that inadvertently includes attacker-controlled filenames.
RemediationAI
Upgrade HuggingFace Diffusers to version 0.38.0 or later, which includes the fix from GitHub pull request #13448 and commit a37f6f8394ac2a7ee8360c3abea811efe54512b1. For Python environments managed via pip, execute 'pip install --upgrade diffusers>=0.38.0' and verify installation with 'pip show diffusers'. Organizations unable to immediately upgrade should implement compensating controls: restrict DiffusionPipeline.from_pretrained() calls to explicitly trusted repository sources through application-layer allowlists of Hub repository IDs, deploy network egress filtering to block unauthorized connections to huggingface.co from production ML inference environments (note: this breaks legitimate model downloads and requires pre-cached models), or enforce mandatory code review of all model_index.json configurations before loading with validation that _class_name references only standard pipeline classes and no None.py files exist in repository snapshots. These workarounds significantly impact operational workflows and model update agility. Additionally, audit existing cached model directories (typically ~/.cache/huggingface/hub/) for suspicious None.py files as indicators of potential prior exploitation. Consult the official advisory at https://github.com/huggingface/diffusers/security/advisories/GHSA-j7w6-vpvq-j3gm for vendor guidance.
Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t
BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser
pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi
The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph
pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.
In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse
Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/
pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne
Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301
Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing
Same weakness CWE-94 – Code Injection
View allSame technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30332
GHSA-j7w6-vpvq-j3gm