Hugging Face · Diffusers · CVE-2026-44513
**Name of the Vulnerable Software and Affected Versions**
Diffusers versions prior to 0.38.0
**Description**
A bypass of the `trust_remote_code` security gate in the `DiffusionPipeline.from_pretrained()` function allows arbitrary remote code execution, even when `trust_remote_code` is set to `False` or left as default. This occurs because the security check was implemented within the `DiffusionPipeline.download()` function rather than at the dynamic-module load site, allowing any code path that bypasses `download()` to execute untrusted code. This manifests in three scenarios: when a `custom_pipeline` is loaded from a different repository than the primary model, when a local snapshot is used with a Hub-based `custom_pipeline`, or when a local snapshot contains custom component files referenced in `model_index.json`.
**Recommendations**
Update to version 0.38.0.
Only use `pretrained_model_name_or_path`, `custom_pipeline`, and local snapshot directories from fully trusted and audited sources.
Avoid using the `custom_pipeline` parameter to point to a Hub repository different from the primary `pretrained_model_name_or_path` without first auditing the `pipeline.py` file.
Inspect local snapshots for unexpected `*.py` files, particularly in the root and component subdirectories, before calling `from_pretrained()`.
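
One way to carry out the snapshot inspection recommended above, as an added example that is not part of the advisory or of Diffusers itself: it lists every `*.py` file in a snapshot and every `model_index.json` component whose library falls outside an allow-list. The function names, the `KNOWN_LIBRARIES` allow-list and the sample snapshot are assumptions constructed for illustration.

```python
import json
import tempfile
from pathlib import Path

# Assumption: library names expected for stock components in model_index.json.
KNOWN_LIBRARIES = {"diffusers", "transformers"}


def audit_snapshot(snapshot_dir):
    """List *.py files and model_index.json entries naming a non-library module."""
    root = Path(snapshot_dir)
    findings = []
    # Any Python file in the root or a component subdirectory needs manual review.
    for py in sorted(root.rglob("*.py")):
        findings.append(("python_file", py.relative_to(root).as_posix()))
    index_path = root / "model_index.json"
    if not index_path.is_file():
        return findings
    index = json.loads(index_path.read_text(encoding="utf-8"))
    for name, value in sorted(index.items()):
        # Component entries are [library, class_name]; "_"-prefixed keys are metadata.
        if name.startswith("_") or not isinstance(value, list) or len(value) != 2:
            continue
        library, class_name = value
        if isinstance(library, str) and library not in KNOWN_LIBRARIES:
            findings.append(("custom_component", f"{name}: {library}.{class_name}"))
    return findings


def build_sample_snapshot(base_dir):
    """Create a constructed snapshot layout (not a real model) for the demo."""
    root = Path(base_dir) / "snapshot"
    (root / "scheduler").mkdir(parents=True)
    (root / "unet").mkdir()
    (root / "pipeline.py").write_text("# constructed placeholder\n")
    (root / "scheduler" / "my_sched.py").write_text("# constructed placeholder\n")
    (root / "model_index.json").write_text(json.dumps({
        "_class_name": "StableDiffusionPipeline",
        "unet": ["diffusers", "UNet2DConditionModel"],
        "scheduler": ["my_sched", "MyScheduler"],
        "safety_checker": [None, None],
    }))
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for kind, detail in audit_snapshot(build_sample_snapshot(tmp)):
            print(f"{kind}: {detail}")
```

An empty result means no Python files and no non-library component references were found; anything listed should be read before `from_pretrained()` is called on the directory.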