Metadata Mayhem: Python Libraries Turned Into RCE Traps
Key Takeaways
- Two CVEs were reported for metadata-driven RCE risks in AI/ML Python libraries.
- The attack path relies on loading untrusted model files or artifacts into ML pipelines.
- The highest risk occurs in automated training, evaluation, and inference workflows.
- This is a supply chain and pipeline security issue, not a prompt injection problem.
- Compromise could enable credential theft, persistence, and downstream model tampering.
Metadata-Driven RCE Threatened AI/ML Python Workflows
CVE-2025-23304 and CVE-2026-22584 track metadata-driven code-execution flaws in AI/ML Python libraries used across model development and deployment pipelines. Security research indicates that loading a crafted model artifact can trigger unsafe execution behavior, resulting in remote code execution under certain conditions. These flaws matter because AI pipelines routinely ingest third-party models, datasets, and evaluation assets, which widens exposure to supply chain compromise.
What We Know
Security research published this week highlighted a class of vulnerabilities affecting AI/ML Python libraries where model artifacts, metadata, or related files can cause unsafe execution during load or processing. These issues were associated with CVE-2025-23304 and CVE-2026-22584, and were described as enabling remote code execution in workflows that ingest untrusted AI artifacts.
Public reporting emphasizes that this risk is not limited to a single vendor or model family. Instead, it reflects a recurring design pattern across ML ecosystems: Python-based libraries often load model files that contain structured metadata, serialized objects, or configuration elements that may be interpreted in unsafe ways. When model loading occurs automatically in CI/CD pipelines, evaluation frameworks, or managed inference systems, malicious artifacts can reach execution paths without human review.
While public sources do not consistently confirm exploitation in the wild, the attack preconditions are realistic. Many organizations download models from public registries, community repositories, or vendor-provided bundles. The risk is highest in environments where pipelines accept external artifacts and run them with privileged access to credentials, data, or GPU infrastructure.
What Could Happen
These vulnerabilities represent a pipeline and artifact ingestion failure. The core issue is that AI/ML libraries often treat model artifacts and metadata as trusted inputs. If a crafted model file includes malicious content that triggers unsafe parsing, deserialization, or execution logic, it can lead to remote code execution when the artifact is loaded.
In practical terms, this could occur in multiple common scenarios: an ML engineer downloads a pre-trained model from a public repository, a CI job pulls an artifact from a registry for evaluation, or an automated inference service retrieves a model bundle at runtime. Once loaded, the malicious payload could execute in the context of the process, enabling theft of environment variables, cloud keys, tokens, or credentials used to access training data and model registries.
AI-specific workflow characteristics make this risk worse. AI pipelines often run on high-privilege infrastructure, including GPU clusters, shared notebooks, and cloud-managed environments. They also frequently handle sensitive data, proprietary training sets, and internal APIs. RCE in these environments is not just a workstation compromise. It can become a full AI platform breach, including model tampering and long-term persistence in MLOps systems.
Why It Matters
Metadata-driven RCE vulnerabilities are especially dangerous for AI environments because they exploit a core operational reality: modern AI systems depend heavily on third-party artifacts. Models, adapters, embeddings, evaluation datasets, and pipeline components are frequently pulled from external sources. Even when organizations use reputable repositories, attackers can poison upstream sources or impersonate trusted contributors.
This vulnerability class also highlights that many AI security failures are not “AI behavior” issues. They are software supply chain and infrastructure risks expressed through AI workflows. A malicious model file is functionally equivalent to a malicious package or binary. The difference is that model artifacts are often treated as data, not executable content, and therefore may bypass traditional security controls.
Business impact can be severe. RCE can expose sensitive training data, customer information, internal prompts, and system credentials. It can also enable model theft, sabotage, or covert manipulation. For organizations deploying AI into production, this creates a governance challenge: model ingestion must be treated as a controlled process, with validation, provenance, and continuous monitoring. Without this, AI adoption increases attack surface faster than security teams can respond.
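As an added example (not code from the page, from Unit 42, or from any library the page names), the gate below applies the validation and provenance control called for above to the unsafe-deserialization path described under "What Could Happen". Pickle is one common instance of the serialized-object loading the page describes, and the example assumes that format: it walks the opcode stream with pickletools without executing it, refuses any import outside a hypothetical allowlist, and requires the artifact's sha256 to appear in a manifest before pickle.loads ever runs. The allowlist entries, the manifest, and the sample artifacts are constructed assumptions.

```python
# Pre-load gate for pickle-based model artifacts; added illustration, not code from the page.
import hashlib
import pickle
import pickletools
from collections import OrderedDict

# Hypothetical import allowlist for a weights/config pickle; anything outside it
# (os, subprocess, builtins, an unknown class) is refused before loading.
ALLOWED_GLOBALS = {
    "collections.OrderedDict", "numpy.core.multiarray._reconstruct",
    "numpy.ndarray", "numpy.dtype", "torch._utils._rebuild_tensor_v2",
}

def referenced_globals(data):
    """List every 'module.name' the stream would import, without executing it."""
    found, strings = [], []  # 'strings' feeds STACK_GLOBAL (protocol 4+)
    for op, arg, _pos in pickletools.genops(data):
        if op.name in ("SHORT_BINUNICODE", "BINUNICODE", "UNICODE"):
            strings.append(arg)
        elif op.name in ("GLOBAL", "INST"):
            found.append(arg.replace(" ", ".", 1))  # 'mod name' -> 'mod.name'
        elif op.name == "STACK_GLOBAL":  # operands: the two most recent strings
            found.append(".".join(strings[-2:]) if len(strings) >= 2 else "<unresolved>")
    return found

def audit_artifact(data, trusted_digests):
    """Return policy violations; an empty list means the artifact may be loaded."""
    problems = []
    digest = hashlib.sha256(data).hexdigest()
    if digest not in trusted_digests:  # provenance: digest must come from a manifest
        problems.append(f"digest {digest[:16]}... not pinned in provenance allowlist")
    unknown = sorted(set(referenced_globals(data)) - ALLOWED_GLOBALS)
    if unknown:
        problems.append("disallowed imports in pickle stream: " + ", ".join(unknown))
    return problems

def load_if_trusted(data, trusted_digests):
    """Deserialize only when both checks pass; refuse before any code could run."""
    problems = audit_artifact(data, trusted_digests)
    if problems:
        raise PermissionError("; ".join(problems))
    return pickle.loads(data)

class UnknownLayer:  # stands in for a class a crafted artifact would reference
    units = 8

# Constructed samples: a benign pinned state dict, and an artifact naming a foreign class.
SAMPLE_TRUSTED = pickle.dumps(OrderedDict([("layer.weight", [0.1, 0.2])]), protocol=4)
SAMPLE_UNTRUSTED = pickle.dumps(UnknownLayer(), protocol=4)
SAMPLE_MANIFEST = {hashlib.sha256(SAMPLE_TRUSTED).hexdigest()}
```

A static import allowlist only covers what the pickle stream itself declares; artifacts in other formats, or loaders that run their own code paths on metadata, need an equivalent check at their own entry point.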
PointGuard AI Perspective
CVE-2025-23304 and CVE-2026-22584 reinforce a critical AI security lesson: the model supply chain is now part of the enterprise attack surface. AI teams routinely ingest artifacts that are not produced internally, including foundation models, fine-tuned variants, adapters, evaluation sets, and serialized components. When those artifacts can trigger code execution through metadata or unsafe parsing behaviors, the entire ML pipeline becomes an execution environment for adversaries.
PointGuard AI helps organizations reduce this risk by improving visibility and control across the AI application and model lifecycle. This includes identifying where AI pipelines pull models and artifacts from, where those artifacts are stored, and which workflows automatically load them. PointGuard AI also supports stronger governance by enabling teams to define policies around trusted sources, artifact provenance, and risk-based approvals for model ingestion.
For organizations running MLOps in production, PointGuard AI helps detect and prioritize high-risk exposure patterns, including pipelines that load third-party artifacts into privileged environments. This is especially important for GPU-backed systems, notebook environments, and automation workflows where secrets and credentials are commonly present.
As agentic and autonomous AI adoption grows, the attack surface will increasingly shift toward the AI supply chain. Securing AI pipelines requires proactive controls that treat models as high-risk software components, not passive data files. PointGuard AI enables organizations to adopt AI faster while maintaining a trustworthy security baseline.
Incident Scorecard Details
Total AISSI Score: 7.3/10
Criticality = 8.0, Remote code execution risk in widely used AI/ML workflows, AISSI weighting: 25%
Propagation = 7.0, High potential spread through shared model registries and automated pipelines, AISSI weighting: 20%
Exploitability = 7.5, Exploitation depends on artifact ingestion but can be triggered by routine loading, AISSI weighting: 15%
Supply Chain = 8.5, Strong supply chain relevance due to third-party model and artifact dependency, AISSI weighting: 15%
Business Impact = 6.0, Potential for credential theft, infrastructure compromise, and model tampering, AISSI weighting: 25%
Sources
Palo Alto Networks Unit 42: RCE Vulnerabilities in AI Python Libraries
