AI Sec Watch

CyberRisk Alliance and OWASP (Open Worldwide Application Security Project, a non-profit focused on improving software security) announced a partnership to advance education in application security (protecting software from attacks) and AI security. The collaboration will involve creating shared content, hosting events, and conducting research initiatives together.

CVE-2025-6855 is a critical vulnerability in Langchain-Chatchat (a tool built on LLMs) up to version 0.3.1 that allows path traversal (accessing files outside the intended directory) through manipulation of a parameter called 'flag' in the /v1/file endpoint. The vulnerability has been publicly disclosed and could potentially be exploited.

CVE-2025-6854 is a path traversal vulnerability (a flaw that lets attackers access files outside intended directories) in Langchain-Chatchat software versions up to 0.3.1, specifically in a file upload endpoint. The vulnerability can be exploited remotely by attackers with login credentials and has already been publicly disclosed.

CVE-2025-6853 is a critical vulnerability in Langchain-Chatchat version 0.3.1 and earlier that allows attackers to exploit a path traversal (a type of attack where an attacker manipulates file paths to access files outside their intended directory) flaw in the upload_temp_docs backend function by manipulating the flag argument. The vulnerability can be exploited remotely by users with basic access permissions, and the exploit details have been publicly disclosed.

Roo Code is an AI tool that can automatically write code, and it stores settings in a `.roo/mcp.json` file that can execute commands. Before version 3.20.3, an attacker who could trick the AI (through prompt injection, a technique where hidden instructions are embedded in user input) into writing malicious commands to this file could run arbitrary code if the user had enabled automatic approval of file changes. This required multiple conditions: the attacker could submit prompts to the agent, the MCP (model context protocol, a system for connecting AI agents to external tools) feature was enabled, and auto-approval of writes was turned on.

Roo Code, an AI agent that writes code automatically, had a vulnerability (CVE-2025-53097) in versions before 3.20.3 where its file search tool ignored settings that should have blocked it from reading files outside the VS Code workspace (the folder a user is working in). An attacker could use prompt injection (tricking the AI by hiding instructions in its input) to make the agent read sensitive files and send that information over the network without user permission, though this attack required the attacker to already control what prompts the agent receives.

LLaMA-Factory, a library for training large language models, has a remote code execution vulnerability (RCE, where attackers can run malicious code on a victim's computer) in versions up to 0.9.3. Attackers can exploit this by uploading a malicious checkpoint file through the web interface, and the victim won't know they've been compromised because the vulnerable code loads files without proper safety checks.

iOS Simulator MCP Server (ios-simulator-mcp) versions before 1.3.3 have a command injection vulnerability (a security flaw where attackers insert shell commands into input that gets executed). The vulnerability exists because the `ui_tap` tool uses Node.js's `exec` function unsafely, allowing an attacker to trick an LLM through prompt injection (feeding hidden instructions to an AI to make it behave differently) to pass shell metacharacters like `;` or `&&` in parameters, which can execute unintended commands on the server's computer.

Anthropic's Slack MCP Server (a tool that lets AI agents interact with Slack) has a vulnerability where it doesn't disable link unfurling, a feature that automatically previews hyperlinks in messages. An attacker can use prompt injection (tricking an AI by hiding instructions in its input) to make an AI agent post a malicious link to Slack, which then leaks sensitive data like API keys to the attacker's server when Slack's systems automatically fetch the preview.