
Namespace Reuse Vulnerability Exposes AI Platforms to Remote Code Execution


By Mayura Kathir


A newly discovered vulnerability in the AI supply chain—termed Model Namespace Reuse—permits attackers to achieve Remote Code Execution (RCE) across major AI platforms, including Microsoft Azure AI Foundry, Google Vertex AI, and thousands of open-source projects.

By re-registering abandoned or deleted model namespaces on Hugging Face, malicious actors can trick pipelines that fetch models by name into deploying tainted repositories, compromising endpoint environments and granting unauthorized access.

Trusted model names alone are insufficient; organizations must urgently reassess AI security practices

Hugging Face hosts AI models as Git repositories identified by an Author/ModelName namespace. When an author account is deleted or a model’s ownership is transferred, those original namespaces return to an available pool.
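Because a re-registered namespace can serve different content under the same Author/ModelName string, a pipeline that resolves a model by name alone has no way to notice the swap. An added example (editor's code, not from the article or from Hugging Face): a small audit that scans Python source for `from_pretrained("author/model", ...)` calls and reports whether each hub reference is unpinned, pinned to a mutable branch or tag, or pinned to an immutable 40-hex commit hash. A commit pin cannot be satisfied by a repository that was re-created under a reused name, so the download fails instead of silently fetching the replacement. The sample source below is constructed; the regex assumes the repo id is the first positional string argument.

```python
import re

# Constructed sample source for the audit (not real project code).
SAMPLE_SOURCE = '''
from transformers import AutoModel, AutoTokenizer
tok = AutoTokenizer.from_pretrained("some-author/some-model")
m1 = AutoModel.from_pretrained("some-author/some-model", revision="main")
m2 = AutoModel.from_pretrained(
    "some-author/some-model",
    revision="0123456789abcdef0123456789abcdef01234567",
)
'''

# First positional string literal plus the remaining call arguments.
CALL_RE = re.compile(r'from_pretrained\(\s*["\']([^"\']+)["\']([^)]*)\)', re.S)
REV_RE = re.compile(r'revision\s*=\s*["\']([^"\']+)["\']')
SHA_RE = re.compile(r'^[0-9a-f]{40}$')  # full Git commit hash


def audit_model_refs(source: str):
    """Return (line, repo_id, status) for each hub-style model reference.

    status is one of:
      "unpinned"    - no revision given; resolves whatever the name points at now
      "mutable-ref" - revision is a branch or tag, which a new owner can redefine
      "pinned"      - revision is a commit hash, which a re-created repo cannot serve
    """
    findings = []
    for m in CALL_RE.finditer(source):
        repo_id, rest = m.group(1), m.group(2)
        # Local paths carry no hub namespace and are out of scope here.
        if "/" not in repo_id or repo_id.startswith((".", "/")):
            continue
        rev = REV_RE.search(rest)
        if rev is None:
            status = "unpinned"
        elif SHA_RE.match(rev.group(1)):
            status = "pinned"
        else:
            status = "mutable-ref"
        line = source.count("\n", 0, m.start()) + 1
        findings.append((line, repo_id, status))
    return findings


if __name__ == "__main__":
    # Anything not "pinned" is a namespace-reuse exposure worth a review.
    for line, repo_id, status in audit_model_refs(SAMPLE_SOURCE):
        print(f"line {line}: {repo_id} -> {status}")
```

The same 40-hex value is what you would pass as `revision=` to `snapshot_download` or `from_pretrained` once a model has been vetted; mirroring vetted models into internal storage removes the live name lookup altogether.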

Malicious models could result in a range of unintended outcomes, from incorrect diagnoses to ongoing unauthorized access by an attacker on affected systems.

High-level view of the attack vector flow ...

Copyright of this story solely belongs to gbhackers.