{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/diffusers/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["diffusers (\u003c 0.38.0)"],"_cs_severities":["high"],"_cs_tags":["rce","huggingface","diffusers"],"_cs_type":"advisory","_cs_vendors":["Hugging Face"],"content_html":"\u003cp\u003eA remote code execution (RCE) vulnerability has been identified in Hugging Face diffusers library versions prior to 0.38.0. This flaw stems from insufficient validation in the \u003ccode\u003eDiffusionPipeline.from_pretrained\u003c/code\u003e function when loading custom pipelines from the Hugging Face Hub. By including a file named \u003ccode\u003eNone.py\u003c/code\u003e in a model repository, an attacker can bypass the \u003ccode\u003etrust_remote_code\u003c/code\u003e check, leading to arbitrary code execution when a user loads the model. This vulnerability allows attackers to execute malicious code on a user\u0026rsquo;s machine simply by having them load a seemingly benign model, without requiring any explicit trust or custom pipeline specifications. 
The vulnerability was introduced due to a flaw in how the library resolves custom pipeline paths, leading to the unintentional inclusion of \u003ccode\u003eNone.py\u003c/code\u003e as a valid custom pipeline file.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker creates a Hugging Face Hub repository containing a malicious \u003ccode\u003eNone.py\u003c/code\u003e file, alongside other model files and a \u003ccode\u003emodel_index.json\u003c/code\u003e configuration file.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eNone.py\u003c/code\u003e file contains malicious code disguised within a class that inherits from \u003ccode\u003eDiffusionPipeline\u003c/code\u003e, such as shadowing \u003ccode\u003eFluxPipeline\u003c/code\u003e and executing arbitrary commands like writing a file to \u003ccode\u003e/tmp/pwned\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eA victim user attempts to load the model using \u003ccode\u003eDiffusionPipeline.from_pretrained('attacker/malicious-repo')\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003efrom_pretrained\u003c/code\u003e function calls \u003ccode\u003eDiffusionPipeline.download()\u003c/code\u003e, which ordinarily checks for \u003ccode\u003etrust_remote_code\u003c/code\u003e when a custom pipeline is specified.\u003c/li\u003e\n\u003cli\u003eDue to a flaw, \u003ccode\u003e_resolve_custom_pipeline_and_cls\u003c/code\u003e resolves \u003ccode\u003ecustom_pipeline\u003c/code\u003e to \u003ccode\u003eNone.py\u003c/code\u003e if the file exists in the repo, bypassing the \u003ccode\u003etrust_remote_code\u003c/code\u003e check because the check evaluated \u003ccode\u003ecustom_pipeline is None -\u0026gt; False\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003e_get_pipeline_class\u003c/code\u003e function is then called with the resolved \u003ccode\u003eNone.py\u003c/code\u003e path, loading and executing the malicious code within 
the file.\u003c/li\u003e\n\u003cli\u003eThe malicious code executes, performing actions such as creating a file, establishing a reverse shell, or exfiltrating data.\u003c/li\u003e\n\u003cli\u003eThe pipeline is instantiated and appears functional to the user, masking the underlying malicious activity.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to achieve remote code execution on the victim\u0026rsquo;s machine. This can lead to complete system compromise, data theft, or deployment of further malicious payloads. The vulnerability affects any user who loads a malicious model from the Hugging Face Hub using the vulnerable versions of the diffusers library. The impact is significant because it requires no user interaction beyond loading a model, making it easy to exploit at scale.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the \u003ccode\u003ediffusers\u003c/code\u003e package to version 0.38.0 or later using \u003ccode\u003epip install --upgrade \u0026quot;diffusers\u0026gt;=0.38.0\u0026quot;\u003c/code\u003e to patch the vulnerability as recommended by the vendor.\u003c/li\u003e\n\u003cli\u003eImplement the provided Sigma rule \u003ccode\u003eDetect Diffusers None.py RCE\u003c/code\u003e to detect the execution of \u003ccode\u003eNone.py\u003c/code\u003e within the diffusers library.\u003c/li\u003e\n\u003cli\u003ePrioritize scanning Hugging Face Hub repositories before use, looking for unexpected \u003ccode\u003e*.py\u003c/code\u003e files, especially \u003ccode\u003eNone.py\u003c/code\u003e, using manual code review or automated tools.\u003c/li\u003e\n\u003cli\u003eAs a workaround, only load models from trusted sources, and inspect local snapshots for unexpected \u003ccode\u003e*.py\u003c/code\u003e files as described in the 
advisory.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-07T02:24:22Z","date_published":"2026-05-07T02:24:22Z","id":"/briefs/2026-05-diffusers-rce/","summary":"A remote code execution vulnerability exists in Hugging Face diffusers versions prior to 0.38.0 allowing arbitrary code execution through the `custom_pipeline` flow via a `None.py` file in a Hugging Face Hub repository, bypassing trust checks.","title":"Hugging Face Diffusers Remote Code Execution via None.py","url":"https://feed.craftedsignal.io/briefs/2026-05-diffusers-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — Diffusers","version":"https://jsonfeed.org/version/1.1"}