The diffusers library for pretrained diffusion models has a code injection vulnerability (CWE-94) in versions before 0.38.0. The _resolve_custom_pipeline_and_cls function uses string interpolation on the custom_pipeline parameter, which defaults to None and becomes "None.py". If an attacker publishes a repository with a malicious None.py file defining a DiffusionPipeline subclass, it is automatically loaded and executed when a user calls DiffusionPipeline.from_pretrained() without specifying custom_pipeline or trust_remote_code=True. The trust_remote_code check is bypassed because it only evaluates if custom_pipeline is not None, which is False when the parameter is omitted, but the downstream code still loads the None.py file. This leads to remote code execution. The vulnerability is resolved in diffusers version 0.38.0.

An attacker can achieve remote arbitrary code execution on a victim's system by publishing a malicious model repository containing a None.py file with a DiffusionPipeline subclass. When a victim loads this repository using DiffusionPipeline.from_pretrained() without the trust_remote_code=True flag, the malicious code executes silently. This can lead to full compromise of the affected system. The CVSS v3.1 score is 8.8 (high), reflecting network attack vector, low attack complexity, no privileges required, user interaction required, and high confidentiality, integrity, and availability impacts.

Upgrade the diffusers library to version 0.38.0 or later, where this vulnerability is fixed. Until upgrading, users should explicitly set trust_remote_code=True only when they trust the source of the model repository. Avoid loading pipelines from untrusted or unknown Hugging Face Hub repositories without this safeguard. Patch status is not explicitly stated in the vendor advisory, but the fix is included in version 0.38.0.