AI Sec Watch

LlamaIndex released version 0.14.4 on September 24, 2025, with updates across multiple packages that integrate with different AI services and databases. Most updates fixed dependency issues with OpenAI libraries, while others added new features like support for Claude Sonnet 4.5 and structured outputs, and fixed bugs in areas like authorization headers and data fetching.

Cursor is a code editor that lets programmers work with AI assistance. In versions 1.7 and below, when using MCP (a system for connecting external tools to AI) with OAuth authentication (a login method), an attacker can trick Cursor into running malicious commands by pretending to be a trusted service, potentially giving them full control of the user's computer.

Cursor, a code editor designed for AI-assisted programming, has a critical vulnerability in versions 1.6 and below that allows remote code execution (RCE, where an attacker runs commands on your computer without permission). An attacker who gains control of the AI chat context (such as through a compromised MCP server, a tool that extends the AI's capabilities) can use prompt injection (tricking the AI by hiding malicious instructions in its input) to make Cursor modify workspace configuration files, bypassing an existing security protection and ultimately executing arbitrary code.

This research paper proposes FedNK-RF, an algorithm for federated learning (a decentralized approach where multiple parties train AI models together while keeping their data private) that handles heterogeneous data (data that differs significantly across different sources). The algorithm uses random features and Nyström approximation (a mathematical technique that reduces computational errors) to improve accuracy while maintaining privacy protection, and the authors prove it achieves optimal performance rates.

Cursor, a code editor designed for programming with AI, has a vulnerability in versions 1.6 and below where Mermaid (a tool for rendering diagrams) can embed images that get displayed in the chat box. An attacker can exploit this through prompt injection (tricking the AI by hiding instructions in its input) to send sensitive information to an attacker-controlled server, or a malicious AI model might trigger this automatically.

Claude Code (an AI tool that writes and runs code automatically) had a security flaw in versions before 1.0.111 where it could execute code from a project before the user confirmed they trusted the project. An attacker could exploit this by tricking a user into opening a malicious project directory.

Federated learning schemes (systems where multiple parties train AI models together while keeping data private) that use two servers for privacy protection were found to leak user data when facing model poisoning attacks (where malicious users deliberately corrupt the learning process). The researchers propose an enhanced framework called PBFL that uses Byzantine-robust aggregation (a method to safely combine data from untrusted sources), normalization checks, similarity measurements, and trapdoor fully homomorphic encryption (a technique for doing calculations on encrypted data without decrypting it) to protect privacy while defending against poisoning attacks.

This research proposes a data aggregation framework (a system for combining data from multiple sources) that evaluates how trustworthy different data sources are using dynamic Bayesian networks (a model that updates trust scores based on changing network behavior over time). The framework combines trust measurement with the minimum spanning tree protocol (an algorithm for efficient data routing) to improve how data centers process large amounts of information, achieving significant reductions in computational, communication, and storage costs.

This research presents a new method for performing topological data analysis (TDA, a technique that finds shape-based patterns in complex data) on encrypted information using homomorphic encryption (HE, a type of encryption that lets computers process data without decrypting it first). The authors adapted a fundamental TDA algorithm called boundary matrix reduction to work with encrypted data, proved it works correctly mathematically, and tested it using the OpenFHE framework to show it functions properly on real encrypted data.