Severity by source
AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Primary rating from Vendor (https://github.com/huggingface/diffusers) · only source for this CVE.
CVSS VectorVendor: https://github.com/huggingface/diffusers
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
2Blast Radius
ecosystem impact- 3 pypi packages depend on diffusers (2 direct, 1 indirect)
Ecosystem-wide dependent count for version 0.38.0.
DescriptionCVE.org
Background
This vulnerability is found in the diffusers package - the transformers-equivalent library for diffusion models.
It is found in the DiffusionPipeline.from_pretrained flow, which is used to load a pipeline from the HuggingFace Hub.
This function has a trust_remote_code guard: if the repository’s model_index.json references a custom pipeline class defined in a .py file in the repo, the load is blocked unless trust_remote_code=True is explicitly passed:
ValueError: The repository for attacker/repo contains custom code in pipeline.py
which must be executed to correctly load the model. You can inspect the repository
content at https://hf.co/attacker/repo/blob/main/pipeline.py.
Please pass the argument `trust_remote_code=True` to allow custom code to be run.The vulnerability allows arbitrary code execution through the custom pipeline flow from a Hub repo, with no custom_pipeline or trust_remote_code kwargs passed. The from_pretrained call succeeds and returns a functional pipeline.
---
Naive Flow
DiffusionPipeline.from_pretrained begins by popping all relevant arguments from kwargs into local variables, then calls DiffusionPipeline.download() to fetch the repo files:
# pipeline_utils.py:853
cached_folder = cls.download(
pretrained_model_name_or_path,
...
custom_pipeline=custom_pipeline,
trust_remote_code=trust_remote_code,
...
)Inside download(), model_index.json is fetched first as a standalone file via hf_hub_download:
# pipeline_utils.py:1636
config_file = hf_hub_download(
pretrained_model_name,
cls.config_name,
...
)
config_dict = cls._dict_from_json_file(config_file)This config is used to detect custom pipeline code and enforce the trust check:
# pipeline_utils.py:1672
if custom_pipeline is None and isinstance(config_dict["_class_name"], (list, tuple)):
custom_pipeline = config_dict["_class_name"][0]
load_pipe_from_hub = custom_pipeline is not None and f"{custom_pipeline}.py" in filenames
if load_pipe_from_hub and not trust_remote_code:
raise ValueError(...)After the check passes, snapshot_download then fetches all files and saves them to disk:
# pipeline_utils.py:1778
cached_folder = snapshot_download(
pretrained_model_name,
...
revision=revision,
allow_patterns=allow_patterns,
...
)Back in from_pretrained, the config is read a second time from the downloaded snapshot, and_resolve_custom_pipeline_and_cls reads the config to re-check if custom code needs to be loaded:
# pipeline_loading_utils.py:974
def _resolve_custom_pipeline_and_cls(folder, config, custom_pipeline):
custom_class_name = None
if os.path.isfile(os.path.join(folder, f"{custom_pipeline}.py")):
custom_pipeline = os.path.join(folder, f"{custom_pipeline}.py")
elif isinstance(config["_class_name"], (list, tuple)) and os.path.isfile(
os.path.join(folder, f"{config['_class_name'][0]}.py")
):
custom_pipeline = os.path.join(folder, f"{config['_class_name'][0]}.py")
custom_class_name = config["_class_name"][1]
return custom_pipeline, custom_class_nameIf the config points to a .py file, it is imported.
---
The Vulnerability
hf_hub_download and snapshot_download are two independent HTTP calls to the Hub, both resolving the repository’s default branch (if revision=None) to its current HEAD at call time. There is no atomicity guarantee between them - if the repository is updated between the two calls, they will resolve to different commits and download different content, with no warning displayed to the user.
The trust check in download() operates on the content fetched by hf_hub_download (commit A). The snapshot_download call that immediately follows can silently fetch a newer commit (commit B). The config in the newer commit will be the one parsed by _resolve_custom_pipeline_and_cls.
Therefore, it’s possible to introduce remote code into the repo between the two calls, bypassing the trust check.
The race window is everything between the two Hub calls inside download():
# pipeline_utils.py:1636
config_file = hf_hub_download(...)
# ← sees commit A, trust check passes
# ... filenames processing, pattern building, pipeline_is_cached check ...
# ~~~ ATTACKER PUSHES COMMIT B HERE ~~~
# pipeline_utils.py:1778
cached_folder = snapshot_download(...)
# ← sees commit B, downloads pipeline.pyFor the exploit, commit A carries a clean config with _class_name as a plain string, which causes load_pipe_from_hub to be False and the trust check to pass. Commit B changes _class_name to a list and adds pipeline.py:
Commit A - model_index.json:
{
"_class_name": "FluxPipeline",
"_diffusers_version": "0.31.0"
}Commit B - model_index.json:
{
"_class_name": ["pipeline", "FluxPipeline"],
"_diffusers_version": "0.31.0"
}When from_pretrained reads the snapshot after download() returns, config["_class_name"] is now a list, pipeline.py exists on disk (fetched by snapshot_download), and _resolve_custom_pipeline_and_cls resolves custom_pipeline to the local path of that file. _get_pipeline_class then imports it - with no trust check at this point in the code.
---
PoC
- Create a Hub repo with commit A’s
model_index.json(plain string_class_name). - Run
DiffusionPipeline.from_pretrained("attacker/repo")with a breakpoint set atpipeline_utils.py:1778(thesnapshot_downloadcall). This is for the window to be large enough to manually respond to it. - When execution pauses at the breakpoint, push commit B: update
model_index.jsonto use a list_class_nameand addpipeline.py. - Resume execution.
snapshot_downloadfetches commit B;/tmp/pwnedis written during the subsequent_get_pipeline_classcall.
---
Constraints
- Does not apply when
revisionis pinned to a specific commit hash - both Hub calls resolve to the same content. - Does not apply when loading from a local directory.
- If all expected files are already present in the local HF cache,
download()returns early before reachingsnapshot_download(line 1767 early-return), closing the race window. The exploit therefore requires a first (or forced) download.
---
Exploitability
The window between the two calls is very short. Local testing resulted in a window of approximately ~0.5 seconds for the attacker to push the change. This is, of course, unfeasible to accomplish for each and every new download. However, given a popular repo with many downloads per day, one may achieve statistical success by changing the repo’s state every once in a while or every few seconds, with some percentage of downloaders falling on the exact window.
---
Impact
The vulnerability is a silent RCE - it allows arbitrary code to be loaded through the custom pipeline flow from a Hub repo, with no custom_pipeline or trust_remote_code kwargs. The from_pretrained call succeeds and returns a fully functional pipeline.
AnalysisAI
Remote code execution in Hugging Face diffusers (Python package, versions < 0.38.0) is achievable via a TOCTOU race between two sequential Hub downloads inside DiffusionPipeline.from_pretrained, letting a malicious repo owner bypass the trust_remote_code guard and silently execute arbitrary Python during model loading. Exploitation requires user interaction (loading a malicious repo without pinning a revision) and high attack complexity due to a sub-second race window, but no public exploit beyond the reporter's PoC is identified at time of analysis. Affected users running diffusers <0.38.0 should upgrade to 0.38.0 where the issue is fixed.
Technical ContextAI
The diffusers library is the de facto loader for diffusion-model pipelines from the Hugging Face Hub and mirrors transformers' from_pretrained pattern. The flaw is a CWE-367 Time-of-Check Time-of-Use race: download() calls hf_hub_download to fetch model_index.json (commit A) and enforces the trust_remote_code check on that content, then calls snapshot_download separately which independently resolves the branch HEAD and may fetch a different commit (commit B). Because both calls resolve revision=None to whatever the branch points to at call time, an attacker who pushes between them can swap a benign string _class_name for a list that points to a freshly added pipeline.py; the downstream _resolve_custom_pipeline_and_cls in pipeline_loading_utils.py then imports the attacker-controlled .py without re-running the trust gate. Affected CPE is pkg:pip/diffusers.
RemediationAI
Upgrade to diffusers 0.38.0 or later (Vendor-released patch: 0.38.0) per the GHSA advisory at https://github.com/huggingface/diffusers/security/advisories/GHSA-7wx4-6vff-v64p. Until the upgrade lands, eliminate the race by always passing an explicit revision pinned to a full commit SHA (not a branch name or tag) to from_pretrained, which forces both hf_hub_download and snapshot_download to resolve to identical content; the trade-off is that consumers lose automatic upstream updates and must rotate pins manually. Additional compensating controls: restrict from_pretrained usage to vetted, internally mirrored repositories rather than arbitrary Hub paths (trade-off: operational overhead of mirroring), pre-populate the local HF cache so download() takes the early-return path before snapshot_download (trade-off: only protects already-cached models), and run any first-time loads of untrusted repos inside an isolated sandbox or container without network/credential access (trade-off: friction for experimentation workflows).
Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t
BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser
pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi
The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph
pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.
In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse
Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/
pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne
Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301
Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44711
GHSA-7wx4-6vff-v64p