AI Sec Watch

OpenHands, an AI agent tool created by All-Hands AI, has a vulnerability where it can render images in chat conversations, which attackers can exploit through prompt injection (tricking an AI by hiding instructions in its input) to leak access tokens (security credentials that grant permission to use services) without requiring user interaction. This type of attack has been called the 'Lethal Trifecta' and represents a significant data exfiltration (unauthorized data theft) risk.

This content discusses security challenges in agentic AI (AI systems that can act autonomously and use tools), emphasizing that generic jailbreak testing (attempts to trick AI into ignoring safety guidelines) misses real operational risks like tool misuse and data theft. The articles highlight that enterprises need contextual red teaming (security testing that simulates realistic attack scenarios relevant to how the AI will actually be used) and governance frameworks like identity controls and boundaries to secure autonomous AI systems.

Devin AI has a tool called expose_port that can publish local computer ports to the public internet, intended for testing websites during development. However, attackers can use prompt injection (tricking an AI by hiding instructions in its input) to manipulate Devin into exposing sensitive files and creating backdoor access without human approval, as demonstrated through a multi-stage attack that gradually steers the AI toward malicious actions.

The skops Python library (used for sharing scikit-learn machine learning models) has a security flaw in versions 0.12.0 and earlier where the Card.get_model function can accidentally use joblib (a less secure loading method) instead of skops' safer approach. Joblib allows arbitrary code execution (running any code during model loading), which could let attackers run malicious code if they trick users into loading a specially crafted model file. This bypasses the security checks that skops normally provides.

CVE-2025-53767 is a vulnerability in Azure OpenAI that allows elevation of privilege, which means an attacker could gain higher-level access than they should have. The vulnerability stems from server-side request forgery (SSRF, a flaw where an attacker tricks a server into making unintended requests on their behalf). The CVSS severity score and detailed impact information have not yet been assessed by NIST.

CVE-2025-53787 is an information disclosure vulnerability in Microsoft 365 Copilot BizChat that stems from improper neutralization of special elements used in commands (command injection, where attackers manipulate input to execute unintended commands). The vulnerability allows unauthorized access to sensitive information, though specific attack details are not provided in this source.

CVE-2025-53774 is an information disclosure vulnerability in Microsoft 365 Copilot BizChat caused by improper neutralization of special elements used in commands (command injection, where attackers craft malicious input to execute unintended commands). The vulnerability allows unauthorized access to sensitive information, though the severity rating has not yet been assigned by the National Institute of Standards and Technology.

Ollama v0.1.33 has a vulnerability (CVE-2025-44779) that allows attackers to delete arbitrary files (any files on a system) by sending a specially crafted request to the /api/pull endpoint. The vulnerability stems from improper input validation (the software not properly checking user input for malicious content) and overly permissive file access settings.

Devin AI can be tricked into leaking sensitive information to attackers through multiple methods, including using its Shell tool to run data-stealing commands, using its Browser tool to send secrets to attacker-controlled websites, rendering images from untrusted domains, and posting hidden data to connected services like Slack. These attacks work because Devin has unrestricted internet access and can be manipulated through indirect prompt injection (tricking an AI by hiding malicious instructions in its input), where attackers embed instructions in places like GitHub issues that Devin investigates.