VYPR
Critical severity · NVD Advisory · Published Jan 9, 2026 · Updated Jan 12, 2026

CVE-2026-22584

Description

Improper Control of Generation of Code ('Code Injection') vulnerability in Salesforce Uni2TS on MacOS, Windows, Linux allows Leverage Executable Code in Non-Executable Files. This issue affects Uni2TS: through 1.2.0.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CVE-2026-22584 describes a code injection vulnerability in Salesforce Uni2TS up to version 1.2.0 that allows leveraging executable code in non-executable files.

Vulnerability

Overview

The vulnerability CVE-2026-22584 is a code injection issue in Salesforce Uni2TS, a PyTorch library for time series forecasting [1]. The official description indicates improper control of code generation, allowing an attacker to leverage executable code within non-executable files [2]. This affects versions up to 1.2.0 on Windows, macOS, and Linux platforms.

Attack

Vector

The fix commit touches six files, but most of the changes are cosmetic: trailing commas added to single-parameter signatures such as packed_attention_mask, fixed_size, gen_func, _total_count and _logits, plus a new typing import [3]. These do not change how Python parses the code and are unrelated to the vulnerability. The substantive change is in src/uni2ts/model/moirai/module.py and src/uni2ts/model/moirai_moe/module.py, where decode_distr_output passed a serialized distr_output configuration straight to Hydra's instantiate(). In that convention a dictionary's `_target_` key names the callable to import and call, so an attacker who controls the configuration can name any importable function, at the top level or nested anywhere inside it, and have it executed during deserialization [3]. The patch adds safe_target_check, which walks the configuration recursively and rejects any `_target_` that does not start with `uni2ts.distribution.` before instantiate() runs.

Impact

Successful exploitation lets an attacker who can supply the distr_output configuration consumed by decode_distr_output execute arbitrary Python in the process that loads it [2]. Because Uni2TS is used for training and inference with time series models, that is code execution on training or serving hosts, with the usual consequences: tampered model weights or outputs, exfiltration of training data and credentials, and a foothold for further access to the host.

Mitigation

The vulnerability was patched in commit 7f2d51dd729de018f0f22504f39a8475c6fed1c4 (pull request #218) [3][4]. The GitHub Security Advisory lists 2.0.0 as the first patched release, so users should upgrade to uni2ts 2.0.0 or later, or backport the safe_target_check guard manually. No workaround was publicly documented as of the publication date; until the upgrade is applied, distr_output configurations should only be accepted from trusted sources.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: uni2ts (PyPI)
Affected versions: < 2.0.0
Patched versions: 2.0.0

Affected products: 2

Patches: 1

Commit 7f2d51dd729d

Fix vulnerability issue (#218)

https://github.com/SalesforceAIResearch/uni2ts · Juncheng Liu · Jul 31, 2025 · via ghsa
6 files changed · +50 −10
  • src/uni2ts/common/torch_util.py (+2 −2, modified)
    @@ -35,7 +35,7 @@
     
     
     def packed_attention_mask(
    -    sample_id: Int[torch.Tensor, "*batch seq_len"]
    +    sample_id: Int[torch.Tensor, "*batch seq_len"],
     ) -> Bool[torch.Tensor, "*batch seq_len seq_len"]:
         sample_id = sample_id.unsqueeze(-1)
         attention_mask = sample_id.eq(sample_id.mT)
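Review bot: the only change in this hunk is a trailing comma after `sample_id: Int[torch.Tensor, "*batch seq_len"]`, which is formatter output with no effect on parsing or behaviour; the same applies to the fixed_size, gen_func, _total_count and _logits hunks in this commit. Split these cosmetic edits into a separate commit so the actual security change (the `_target_` allowlist in src/uni2ts/model/moirai/module.py and src/uni2ts/model/moirai_moe/module.py) is easy to audit and backport on its own.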
    @@ -83,7 +83,7 @@ def size_to_mask(
     
     
     def fixed_size(
    -    value: Float[torch.Tensor, "*batch max_size"]
    +    value: Float[torch.Tensor, "*batch max_size"],
     ) -> Int[torch.Tensor, "*batch"]:
         sizes = torch.ones_like(value[..., 0], dtype=torch.long) * value.shape[-1]
         return sizes
    
  • src/uni2ts/data/builder/lotsa_v1/cmip6.py (+1 −1, modified)
    @@ -94,7 +94,7 @@ def build_dataset(self, dataset: str, num_proc: int = os.cpu_count()):
             )
     
             def gen_func(
    -            jobs: list[tuple[int, int]]
    +            jobs: list[tuple[int, int]],
             ) -> Generator[dict[str, Any], None, None]:
                 for x, y in jobs:
                     yield dict(
    
  • src/uni2ts/data/builder/lotsa_v1/era5.py (+1 −1, modified)
    @@ -73,7 +73,7 @@ def build_dataset(self, dataset: str, num_proc: int = os.cpu_count()):
             )
     
             def gen_func(
    -            jobs: list[tuple[int, int]]
    +            jobs: list[tuple[int, int]],
             ) -> Generator[dict[str, Any], None, None]:
                 for x, y in jobs:
                     yield dict(
    
  • src/uni2ts/distribution/negative_binomial.py (+2 −2, modified)
    @@ -111,12 +111,12 @@ def domain_map(
     
         @staticmethod
         def _total_count(
    -        total_count: Float[torch.Tensor, "*batch 1"]
    +        total_count: Float[torch.Tensor, "*batch 1"],
         ) -> Float[torch.Tensor, "*batch"]:
             return F.softplus(total_count).squeeze(-1)
     
         @staticmethod
         def _logits(
    -        logits: Float[torch.Tensor, "*batch 1"]
    +        logits: Float[torch.Tensor, "*batch 1"],
         ) -> Float[torch.Tensor, "*batch"]:
             return logits.squeeze(-1)
    
  • src/uni2ts/model/moirai/module.py (+22 −2, modified)
    @@ -14,6 +14,7 @@
     #  limitations under the License.
     
     from functools import partial
    +from typing import Any, Mapping, Sequence
     
     import torch
     import torch.nn.functional as F
    @@ -54,8 +55,27 @@ def _encode(val):
         return _encode(distr_output)
     
     
    -def decode_distr_output(config: dict[str, str | float | int]) -> DistributionOutput:
    -    """Deserialization function for DistributionOutput"""
    +SAFE_MODULE_PREFIXES = [
    +    "uni2ts.distribution.",
    +]
    +
    +
    +def safe_target_check(obj: Any):
    +    if isinstance(obj, Mapping):
    +        if "_target_" in obj:
    +            target = obj["_target_"]
    +            if not any(target.startswith(prefix) for prefix in SAFE_MODULE_PREFIXES):
    +                raise ValueError(f"Unsafe _target_ in distr_output config: {target!r}")
    +        for v in obj.values():
    +            safe_target_check(v)
    +
    +    elif isinstance(obj, Sequence) and not isinstance(obj, (str, bytes)):
    +        for v in obj:
    +            safe_target_check(v)
    +
    +
    +def decode_distr_output(config: dict) -> DistributionOutput:
    +    safe_target_check(config)
         return instantiate(config, _convert_="all")
     
     
    
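Review bot: `target.startswith(prefix)` in safe_target_check assumes `_target_` is a string; a non-string value (an int, a list, a nested dict) raises AttributeError from the check instead of the intended ValueError, so add `isinstance(target, str)` to the condition, e.g. `if not isinstance(target, str) or not any(target.startswith(prefix) for prefix in SAFE_MODULE_PREFIXES):`. The removed docstring `"""Deserialization function for DistributionOutput"""` should also be restored on decode_distr_output and extended to state that only `uni2ts.distribution.*` targets are accepted, since the narrowed `config: dict` annotation no longer tells callers what is expected.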
  • src/uni2ts/model/moirai_moe/module.py (+22 −2, modified)
    @@ -14,6 +14,7 @@
     #  limitations under the License.
     
     from functools import partial
    +from typing import Any, Mapping, Sequence
     
     import torch
     import torch.nn.functional as F
    @@ -54,8 +55,27 @@ def _encode(val):
         return _encode(distr_output)
     
     
    -def decode_distr_output(config: dict[str, str | float | int]) -> DistributionOutput:
    -    """Deserialization function for DistributionOutput"""
    +SAFE_MODULE_PREFIXES = [
    +    "uni2ts.distribution.",
    +]
    +
    +
    +def safe_target_check(obj: Any):
    +    if isinstance(obj, Mapping):
    +        if "_target_" in obj:
    +            target = obj["_target_"]
    +            if not any(target.startswith(prefix) for prefix in SAFE_MODULE_PREFIXES):
    +                raise ValueError(f"Unsafe _target_ in distr_output config: {target!r}")
    +        for v in obj.values():
    +            safe_target_check(v)
    +
    +    elif isinstance(obj, Sequence) and not isinstance(obj, (str, bytes)):
    +        for v in obj:
    +            safe_target_check(v)
    +
    +
    +def decode_distr_output(config: dict) -> DistributionOutput:
    +    safe_target_check(config)
         return instantiate(config, _convert_="all")
     
     
    
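Review bot: this hunk is a verbatim copy of SAFE_MODULE_PREFIXES, safe_target_check and decode_distr_output from src/uni2ts/model/moirai/module.py. Move the three definitions into one shared module under uni2ts/common/ and import them in both moirai/module.py and moirai_moe/module.py, so that a future tightening of the allowlist (or the string-type check missing from `target.startswith(prefix)`) cannot drift between the two copies.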

Vulnerability mechanics

Root cause

"The application lacked input validation when deserializing configuration objects, allowing arbitrary code execution via the `_target_` field."

Attack vector

An attacker can trigger this vulnerability by providing a malicious configuration object containing a `_target_` key that points to an arbitrary module or function. When `decode_distr_output` processes this configuration, it uses `instantiate` to execute the specified target. This allows the execution of arbitrary code during the deserialization process. [patch_id=31060]

Affected code

The vulnerability exists in `src/uni2ts/model/moirai/module.py` and `src/uni2ts/model/moirai_moe/module.py` within the `decode_distr_output` function. These functions were previously deserializing configurations without validating the target modules, allowing for arbitrary code execution. [patch_id=31060]

What the fix does

The patch introduces a `safe_target_check` function that walks the configuration (dictionaries and lists, recursively) and validates every `_target_` value before the configuration reaches `instantiate`. A target is accepted only if its dotted path starts with the allowed prefix `uni2ts.distribution.`, so only callables from the library's own distribution package can be instantiated; any other target raises ValueError and `instantiate` is never called. Note that this is a string-prefix allowlist on the dotted path, not a check on the object it resolves to, and that it assumes `_target_` is a string. [patch_id=31060]
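The attack described in the two attack-vector paragraphs above and the allowlist fix, in working code. This is an added example, not code from this advisory or from the uni2ts project: `instantiate` is a deliberately minimal stand-in for Hydra's `hydra.utils.instantiate` (it resolves the dotted `_target_` with importlib and calls it with the remaining keys as keyword arguments), the `statistics.` prefix stands in for `uni2ts.distribution.` so the script runs without uni2ts installed, and the sample configurations are constructed for the demo.

```python
"""Added example (not uni2ts code): why an unchecked `_target_` is code
execution, and how the prefix allowlist from the fix stops it.

`instantiate()` is a minimal stand-in for hydra.utils.instantiate (an
assumption for this demo): it imports the dotted `_target_` path, recurses into
nested dicts/lists, and calls the target with the remaining keys as keyword
arguments. Hydra's real function handles further keys that this demo omits.
"""
import importlib
import os
from collections.abc import Mapping, Sequence
from typing import Any

# Hypothetical allowlist for the demo. The real fix uses "uni2ts.distribution.";
# the statistics module stands in for it so the example runs without uni2ts.
SAFE_MODULE_PREFIXES = ("statistics.",)


def _resolve(path: str) -> Any:
    """Import `pkg.mod.name` and return the attribute `name`."""
    module_name, _, attr = path.rpartition(".")
    if not module_name or not attr:
        raise ValueError(f"_target_ must be a dotted path, got {path!r}")
    return getattr(importlib.import_module(module_name), attr)


def instantiate(config: Any) -> Any:
    """Unsafe stand-in for Hydra instantiate: no validation of `_target_`."""
    if isinstance(config, Mapping):
        kwargs = {k: instantiate(v) for k, v in config.items() if k != "_target_"}
        if "_target_" in config:
            return _resolve(config["_target_"])(**kwargs)
        return kwargs
    if isinstance(config, Sequence) and not isinstance(config, (str, bytes)):
        return [instantiate(v) for v in config]
    return config


def safe_target_check(obj: Any, prefixes: tuple = SAFE_MODULE_PREFIXES) -> None:
    """Same recursive walk as the patch's check, plus one hardening: a
    non-string `_target_` is rejected with ValueError instead of crashing."""
    if isinstance(obj, Mapping):
        if "_target_" in obj:
            target = obj["_target_"]
            if not isinstance(target, str) or not any(
                target.startswith(p) for p in prefixes
            ):
                raise ValueError(f"Unsafe _target_ in config: {target!r}")
        for v in obj.values():
            safe_target_check(v, prefixes)
    elif isinstance(obj, Sequence) and not isinstance(obj, (str, bytes)):
        for v in obj:
            safe_target_check(v, prefixes)


def decode_unsafe(config: Mapping) -> Any:
    """Pre-fix behaviour: whatever `_target_` names gets imported and called."""
    return instantiate(config)


def decode_safe(config: Mapping) -> Any:
    """Post-fix behaviour: allowlist first, instantiate second."""
    safe_target_check(config)
    return instantiate(config)


def is_blocked(config: Mapping) -> bool:
    """True if the allowlist rejects the config before anything is imported."""
    try:
        safe_target_check(config)
    except ValueError:
        return True
    return False


# Constructed sample configs (not real uni2ts configurations).
BENIGN = {"_target_": "statistics.mean", "data": [1, 2, 3]}
# A foreign callable: harmless here, but any importable function would do.
FOREIGN = {"_target_": "os.getpid"}
# Payload hidden inside an otherwise benign config; a non-recursive check misses it.
NESTED = {"_target_": "statistics.mean", "data": [1, 2, {"_target_": "os.getpid"}]}


def unsafe_executes_foreign_target() -> bool:
    """Pre-fix: the foreign target really runs in this process."""
    return decode_unsafe(FOREIGN) == os.getpid()


if __name__ == "__main__":
    print("benign via safe path :", decode_safe(BENIGN))
    print("foreign ran unchecked:", unsafe_executes_foreign_target())
    for name, cfg in (("FOREIGN", FOREIGN), ("NESTED", NESTED), ("non-string", {"_target_": 42})):
        print(f"{name:>10} blocked   :", is_blocked(cfg))
```

The prefix check runs before any import, which is the property that matters: a malicious target must never be resolved, because importing a module can itself execute code. Note that the allowlist is a string comparison on the dotted path; `statistics_extra.mean` is rejected because it does not start with `statistics.`, but any callable that does live under the allowed package is accepted, so the package itself must contain nothing dangerous to call with attacker-chosen keyword arguments.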

Generated on May 17, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 6

News mentions: 0 (no linked articles in our index yet)