VulnerableCode Package Details - pkg:pypi/diffusers@0.38.0

Search for packages

Vulnerability	Summary	Fixed by
This package is not known to be affected by vulnerabilities.

Vulnerability

Summary

Fixed by

This package is not known to be affected by vulnerabilities.

Vulnerability	Summary	Aliases
VCID-12wz-k3z5-tye3	Diffusers: TOCTOU Trust Remote Code Bypass	CVE-2026-45804 GHSA-7wx4-6vff-v64p
VCID-ft9p-dhcs-8fax	Diffusers is the a library for pretrained diffusion models. Prior to 0.38.0, diffusers 0.37.0 allows remote code execution without the trust_remote_code=True safeguard when loading pipelines from Hugging Face Hub repositories. The _resolve_custom_pipeline_and_cls function in pipeline_loading_utils.py performs string interpolation on the custom_pipeline parameter using f"{custom_pipeline}.py". When custom_pipeline is not supplied by the user, it defaults to None, which Python interpolates as the literal string "None.py". If an attacker publishes a Hub repository containing a file named None.py with a class that subclasses DiffusionPipeline, the file is automatically downloaded and executed during a standard DiffusionPipeline.from_pretrained() call with no additional keyword arguments. The trust_remote_code check in DiffusionPipeline.download() is bypassed because it evaluates custom_pipeline is not None as False (since the kwarg was never supplied), while the downstream code path that actually loads the module resolves the None value into a valid filename. An attacker can achieve silent arbitrary code execution by publishing a malicious model repository with a None.py file and a standard-looking model_index.json that references a legitimate pipeline class name, requiring only that a victim calls from_pretrained on the repository. This vulnerability is fixed in 0.38.0.	CVE-2026-44827 GHSA-j7w6-vpvq-j3gm PYSEC-2026-41
VCID-pncd-w333-z3hr	Diffusers is the a library for pretrained diffusion models. Prior to 0.38.0, a trust_remote_code bypass in DiffusionPipeline.from_pretrained allows arbitrary remote code execution despite the user passing trust_remote_code=False (or omitting it, which is the default). The vulnerability has three variants, all sharing the same root cause — the trust_remote_code gate was implemented inside DiffusionPipeline.download() rather than at the actual dynamic-module load site, so any code path that bypassed or short-circuited download() also bypassed the security check. DiffusionPipeline.from_pretrained('repoA', custom_pipeline='attacker/repoB', trust_remote_code=False) — the gate evaluated against repoA's file list rather than repoB's, so repoB's pipeline.py was loaded and executed. DiffusionPipeline.from_pretrained('/local/snapshot', custom_pipeline='attacker/repoB', trust_remote_code=False) — the local-path branch never invoked download(), so the gate was never reached and remote code from repoB executed. DiffusionPipeline.from_pretrained('/local/snapshot', trust_remote_code=False) where the snapshot contains custom component files (e.g. unet/my_unet_model.py) referenced from model_index.json — same root cause; the local path skipped download() and custom component code executed. This vulnerability is fixed in 0.38.0.	CVE-2026-44513 GHSA-98h9-4798-4q5v PYSEC-2026-40

Vulnerability

Summary

Aliases

VCID-12wz-k3z5-tye3

Diffusers: TOCTOU Trust Remote Code Bypass

CVE-2026-45804
GHSA-7wx4-6vff-v64p

VCID-ft9p-dhcs-8fax

Diffusers is the a library for pretrained diffusion models. Prior to 0.38.0, diffusers 0.37.0 allows remote code execution without the trust_remote_code=True safeguard when loading pipelines from Hugging Face Hub repositories. The _resolve_custom_pipeline_and_cls function in pipeline_loading_utils.py performs string interpolation on the custom_pipeline parameter using f"{custom_pipeline}.py". When custom_pipeline is not supplied by the user, it defaults to None, which Python interpolates as the literal string "None.py". If an attacker publishes a Hub repository containing a file named None.py with a class that subclasses DiffusionPipeline, the file is automatically downloaded and executed during a standard DiffusionPipeline.from_pretrained() call with no additional keyword arguments. The trust_remote_code check in DiffusionPipeline.download() is bypassed because it evaluates custom_pipeline is not None as False (since the kwarg was never supplied), while the downstream code path that actually loads the module resolves the None value into a valid filename. An attacker can achieve silent arbitrary code execution by publishing a malicious model repository with a None.py file and a standard-looking model_index.json that references a legitimate pipeline class name, requiring only that a victim calls from_pretrained on the repository. This vulnerability is fixed in 0.38.0.

CVE-2026-44827
GHSA-j7w6-vpvq-j3gm
PYSEC-2026-41

VCID-pncd-w333-z3hr

Diffusers is the a library for pretrained diffusion models. Prior to 0.38.0, a trust_remote_code bypass in DiffusionPipeline.from_pretrained allows arbitrary remote code execution despite the user passing trust_remote_code=False (or omitting it, which is the default). The vulnerability has three variants, all sharing the same root cause — the trust_remote_code gate was implemented inside DiffusionPipeline.download() rather than at the actual dynamic-module load site, so any code path that bypassed or short-circuited download() also bypassed the security check. DiffusionPipeline.from_pretrained('repoA', custom_pipeline='attacker/repoB', trust_remote_code=False) — the gate evaluated against repoA's file list rather than repoB's, so repoB's pipeline.py was loaded and executed. DiffusionPipeline.from_pretrained('/local/snapshot', custom_pipeline='attacker/repoB', trust_remote_code=False) — the local-path branch never invoked download(), so the gate was never reached and remote code from repoB executed. DiffusionPipeline.from_pretrained('/local/snapshot', trust_remote_code=False) where the snapshot contains custom component files (e.g. unet/my_unet_model.py) referenced from model_index.json — same root cause; the local path skipped download() and custom component code executed. This vulnerability is fixed in 0.38.0.

CVE-2026-44513
GHSA-98h9-4798-4q5v
PYSEC-2026-40

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-13T06:30:03.183451+00:00	GHSA Importer	Fixing	VCID-pncd-w333-z3hr	https://github.com/advisories/GHSA-98h9-4798-4q5v	38.6.0
2026-06-13T06:30:02.209065+00:00	GHSA Importer	Fixing	VCID-ft9p-dhcs-8fax	https://github.com/advisories/GHSA-j7w6-vpvq-j3gm	38.6.0
2026-06-12T22:23:33.824511+00:00	GitLab Importer	Fixing	VCID-pncd-w333-z3hr	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/diffusers/CVE-2026-44513.yml	38.6.0
2026-06-12T07:52:05.107142+00:00	GithubOSV Importer	Fixing	VCID-pncd-w333-z3hr	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-98h9-4798-4q5v/GHSA-98h9-4798-4q5v.json	38.6.0
2026-06-12T07:51:53.309469+00:00	GithubOSV Importer	Fixing	VCID-12wz-k3z5-tye3	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-7wx4-6vff-v64p/GHSA-7wx4-6vff-v64p.json	38.6.0
2026-06-12T07:51:46.607398+00:00	GithubOSV Importer	Fixing	VCID-ft9p-dhcs-8fax	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-j7w6-vpvq-j3gm/GHSA-j7w6-vpvq-j3gm.json	38.6.0
2026-06-12T04:22:11.213165+00:00	Pypa Importer	Fixing	VCID-ft9p-dhcs-8fax	https://github.com/pypa/advisory-database/blob/main/vulns/diffusers/PYSEC-2026-41.yaml	38.6.0
2026-06-12T04:22:10.851995+00:00	Pypa Importer	Fixing	VCID-pncd-w333-z3hr	https://github.com/pypa/advisory-database/blob/main/vulns/diffusers/PYSEC-2026-40.yaml	38.6.0
2026-06-11T21:06:25.244571+00:00	PyPI Importer	Fixing	VCID-ft9p-dhcs-8fax	https://osv-vulnerabilities.storage.googleapis.com/PyPI/all.zip	38.6.0
2026-06-11T21:06:24.863726+00:00	PyPI Importer	Fixing	VCID-pncd-w333-z3hr	https://osv-vulnerabilities.storage.googleapis.com/PyPI/all.zip	38.6.0
2026-06-11T20:38:47.171902+00:00	GHSA Importer	Fixing	VCID-12wz-k3z5-tye3	https://github.com/advisories/GHSA-7wx4-6vff-v64p	38.6.0