Description
Diffusers is a library for pretrained diffusion models. Prior to 0.38.0, diffusers 0.37.0 allows remote code execution without the trust_remote_code=True safeguard when loading pipelines from Hugging Face Hub repositories. The _resolve_custom_pipeline_and_cls function in pipeline_loading_utils.py performs string interpolation on the custom_pipeline parameter using f"{custom_pipeline}.py". When custom_pipeline is not supplied by the user, it defaults to None, which Python interpolates as the literal string "None.py". If an attacker publishes a Hub repository containing a file named None.py with a class that subclasses DiffusionPipeline, the file is automatically downloaded and executed during a standard DiffusionPipeline.from_pretrained() call with no additional keyword arguments. The trust_remote_code check in DiffusionPipeline.download() is bypassed because it evaluates custom_pipeline is not None as False (since the kwarg was never supplied), while the downstream code path that actually loads the module resolves the None value into a valid filename. An attacker can achieve silent arbitrary code execution by publishing a malicious model repository with a None.py file and a standard-looking model_index.json that references a legitimate pipeline class name, requiring only that a victim calls from_pretrained on the repository. This vulnerability is fixed in 0.38.0.
Published: 2026-05-14
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The diffusers library performs string interpolation on the custom_pipeline parameter, defaulting to the literal string "None.py" when the user does not supply a value. An attacker can publish a repository containing a file named None.py that declares a subclass of DiffusionPipeline. When a downstream user calls DiffusionPipeline.from_pretrained() on the repository, the library automatically downloads and executes that file, bypassing the trust_remote_code safeguard. This flaw is a form of dynamic code injection (CWE-94) and allows an attacker to run arbitrary code with the privileges of the process that performed the loading, compromising confidentiality, integrity, and availability of the host system.

Affected Systems

The vulnerability affects the Hugging Face diffusers library in all releases before 0.38.0, including 0.37.0 and earlier. The issue resides in the _resolve_custom_pipeline_and_cls function within pipeline_loading_utils.py, which resolves the custom_pipeline parameter even when it is implicitly None.

Risk and Exploitability

With a CVSS score of 8.8 the flaw is classified as high severity. An exploit requires only that a user load a model from an untrusted Hub repository; no special conditions or additional credentials are needed. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. Attackers can achieve silent, arbitrary code execution by simply hosting a malicious model repository containing a None.py file.

Generated by OpenCVE AI on May 14, 2026 at 18:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the diffusers library to 0.38.0 or later, which removes the automatic loading of None.py files.
  • If an upgrade cannot be performed immediately, refrain from loading pipelines from external Hugging Face Hub repositories or manually inspect repositories for a None.py file before calling from_pretrained().
  • Ensure that trust_remote_code is set to False and do not rely on it as a protection mechanism for code execution from untrusted sources.
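
The check/use mismatch from the description and the manual None.py inspection from the second action, as an added example. It is a simplified model, not diffusers' code or the project's fix; the function names and the sample file listing are constructed for illustration.

```python
# Simplified model of the check/use mismatch. Illustration only: these
# function names are hypothetical and this is not diffusers' code or its fix.

SAMPLE_REPO = [  # constructed file listing of a repository to be vetted
    "model_index.json",
    "None.py",
    "unet/config.json",
    "unet/diffusion_pytorch_model.safetensors",
]

def guard(custom_pipeline, trust_remote_code=False):
    """Early check: fires only when the caller supplied a custom pipeline."""
    if custom_pipeline is not None and not trust_remote_code:
        raise ValueError("custom pipeline requires trust_remote_code=True")

def resolve_vulnerable(custom_pipeline, repo_files):
    """Late use: builds the filename before asking whether a value exists."""
    candidate = f"{custom_pipeline}.py"  # None is formatted as "None.py"
    return candidate if candidate in repo_files else None

def resolve_hardened(custom_pipeline, repo_files, trust_remote_code=False):
    """Decide on None first and repeat the trust check at the point of use."""
    if custom_pipeline is None:
        return None
    guard(custom_pipeline, trust_remote_code)
    candidate = f"{custom_pipeline}.py"
    return candidate if candidate in repo_files else None

def audit_listing(repo_files):
    """Pre-load inspection: flag None.py at any depth (a conservative choice),
    and list every other .py file for manual review."""
    flagged = [f for f in repo_files if f.rsplit("/", 1)[-1] == "None.py"]
    other = sorted(f for f in repo_files if f.endswith(".py") and f not in flagged)
    return {"none_py": flagged, "other_python": other}

if __name__ == "__main__":
    guard(None)  # passes: no custom pipeline was requested
    print("vulnerable resolves to:", resolve_vulnerable(None, SAMPLE_REPO))
    print("hardened resolves to:  ", resolve_hardened(None, SAMPLE_REPO))
    print("audit:", audit_listing(SAMPLE_REPO))
```

In practice the listing passed to audit_listing can come from huggingface_hub's list_repo_files() for the repository being vetted.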

Advisories
Source ID Title
Github GHSA GHSA-j7w6-vpvq-j3gm Diffusers has a `trust_remote_code` bypass via `custom_pipeline` and local custom components
History

Thu, 14 May 2026 19:00:00 +0000

Type Values Removed Values Added
First Time appeared Huggingface
Huggingface diffusers
Vendors & Products Huggingface
Huggingface diffusers

Thu, 14 May 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 14 May 2026 17:00:00 +0000

Type Values Removed Values Added
Description Diffusers is a library for pretrained diffusion models. Prior to 0.38.0, diffusers 0.37.0 allows remote code execution without the trust_remote_code=True safeguard when loading pipelines from Hugging Face Hub repositories. The _resolve_custom_pipeline_and_cls function in pipeline_loading_utils.py performs string interpolation on the custom_pipeline parameter using f"{custom_pipeline}.py". When custom_pipeline is not supplied by the user, it defaults to None, which Python interpolates as the literal string "None.py". If an attacker publishes a Hub repository containing a file named None.py with a class that subclasses DiffusionPipeline, the file is automatically downloaded and executed during a standard DiffusionPipeline.from_pretrained() call with no additional keyword arguments. The trust_remote_code check in DiffusionPipeline.download() is bypassed because it evaluates custom_pipeline is not None as False (since the kwarg was never supplied), while the downstream code path that actually loads the module resolves the None value into a valid filename. An attacker can achieve silent arbitrary code execution by publishing a malicious model repository with a None.py file and a standard-looking model_index.json that references a legitimate pipeline class name, requiring only that a victim calls from_pretrained on the repository. This vulnerability is fixed in 0.38.0.
Title Diffusers: None.py Trust Remote Code Bypass
Weaknesses CWE-94
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-14T18:03:35.120Z

Reserved: 2026-05-07T21:21:48.351Z

Link: CVE-2026-44827

Vulnrichment

Updated: 2026-05-14T18:00:48.373Z

NVD

Status: Awaiting Analysis

Published: 2026-05-14T17:16:23.500

Modified: 2026-05-14T18:30:57.103

Link: CVE-2026-44827

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-14T18:45:26Z
