AI Sec Watch

The Moodle OpenAI Chat Block plugin version 3.0.1 has an IDOR vulnerability (insecure direct object reference, where a user can access resources by directly requesting them without proper permission checks). An authenticated student can bypass validation of the blockId parameter in the plugin's API and impersonate another user's block, such as an administrator's block, allowing them to execute queries with that block's settings, expose sensitive information, and potentially misuse API resources.

CVE-2025-49655 is a vulnerability in Keras (a machine learning framework) versions 3.11.0 through 3.11.2 where deserialization (converting saved data back into usable form) of untrusted data can allow malicious code to run on a user's computer when they load a specially crafted Keras file, even if safe mode is enabled. This vulnerability affects both locally stored and remotely downloaded files.

CVE-2025-62356 is a path traversal vulnerability (a flaw that lets attackers access files outside intended directories) in all versions of Qodo Gen IDE that allows attackers to read any local files on a user's computer, both inside and outside their projects. The vulnerability can be exploited directly or through indirect prompt injection (tricking the AI by hiding malicious instructions in its input).

CVE-2025-62353 is a path traversal vulnerability (a flaw that lets attackers access files outside intended directories) in all versions of Windsurf IDE that allows attackers to read and write any files on a user's computer. The vulnerability can be exploited directly or through indirect prompt injection (tricking the AI by hiding malicious instructions in its input).

The Senate introduced the AI LEAD Act, which would make AI companies legally liable for harms their systems cause, similar to how traditional product liability (the legal responsibility companies have when their products injure people) works for other products. The act would clarify that AI systems count as products subject to liability and would hold companies accountable if they failed to exercise reasonable care in designing the system, providing warnings, or if they sold a defective system. Additionally, China announced new export controls on rare earth metals (elements essential to semiconductors and AI hardware), which could disrupt global AI supply chains if strictly enforced.

LlamaIndex v0.14.5 is a release that fixes multiple bugs and adds new features across its ecosystem of AI/LLM tools. Changes include fixing duplicate node positions in documents, improving streaming functionality with AI providers like Anthropic and OpenAI, adding support for new AI models, and enhancing vector storage (database systems that store AI embeddings, which are numerical representations of text meaning) capabilities. The release also introduces new integrations, such as Sglang LLM support and SignNow MCP (model context protocol, a standard for connecting AI tools) tools.

ATLAS Data v5.0.0 introduces a new "Technique Maturity" field that categorizes AI attack techniques based on evidence level, ranging from feasible (proven in research) to realized (used in actual attacks). The release adds 11 new techniques covering AI agent attacks like context poisoning (injecting false information into an AI system's memory), credential theft from AI configurations, and prompt injection (tricking an AI by hiding malicious instructions in its input), plus updates to existing techniques and case studies.

A prompt injection vulnerability (tricking an AI by hiding instructions in its input) exists in Windsurf version 1.10.7 when using Write mode with the SWE-1 model. An attacker can create a specially crafted file name that gets added to the user's prompt, causing Windsurf to follow malicious instructions instead of the user's intended commands. The vulnerability has a CVSS score (a 0-10 rating of how severe a vulnerability is) of 4.6, classified as medium severity.

This research presents LipVor, an algorithm that mathematically verifies whether a trained neural network (a computer model with interconnected nodes that learns patterns) follows partial monotonicity constraints, which means outputs change predictably with certain inputs. The method works by testing the network at specific points and using mathematical properties to guarantee the network behaves correctly across its entire domain, potentially allowing neural networks to be used in critical applications like credit scoring where trustworthiness and predictable behavior are required.