AI Sec Watch

CVE-2025-48943 is a Denial of Service vulnerability (a type of attack that crashes a system) in vLLM versions 0.8.0 through 0.8.x that causes the server to crash when given an invalid regex (a pattern used to match text). This happens specifically when using the structured output feature, which lets the AI format responses in a specific way.

vLLM (an inference and serving engine for large language models) versions 0.8.0 through 0.8.x have a vulnerability where sending an invalid JSON schema as a parameter to the /v1/completions API endpoint causes the server to crash. This happens because the application doesn't properly handle (catch) exceptions that occur when processing malformed input.

vLLM, a software system that runs and serves large language models, has a vulnerability in how it parses tool commands that can be exploited to crash or slow down the service. The problem comes from using an overly complex pattern-matching rule (regular expression with nested quantifiers, optional groups, and inner repetitions) that can cause the system to get stuck processing certain inputs, leading to severe performance problems.

Gradio is an open-source Python package for building machine learning demos and web applications. Before version 5.31.0, a vulnerability in its flagging feature let unauthenticated attackers copy any readable file from the server's filesystem, which could cause DoS (denial of service, where a system becomes unavailable) by copying massive files to fill up disk space, though attackers couldn't actually read the copied files.

CVE-2025-48491 is a vulnerability in Project AI, a platform for creating AI agents, where a hardcoded API key (a secret credential stored directly in the code rather than kept separate) was exposed in versions before the pre-beta release. This means attackers could potentially find and misuse this key to access the system without proper authorization.

vLLM (a system for running large language models) versions 0.7.0 through 0.8.x have a bug in how they create hash values (fingerprints) for images. The hashing method only looks at the raw pixel data and ignores important image properties like width and height, so two different-sized images with the same pixels would create identical hash values. This can cause the system to incorrectly reuse cached results or expose data it shouldn't.

vLLM, an inference and serving engine for large language models, had a vulnerability in versions before 0.9.0 where timing differences in the PageAttention mechanism (a feature that speeds up processing by reusing matching text chunks) were large enough that attackers could detect and exploit them. This type of attack is called a timing side-channel attack, where an attacker learns information by measuring how long operations take.

A vulnerability (CVE-2025-5320) was found in Gradio, a web framework for building AI demos, affecting versions up to 5.29.1. An attacker could manipulate the localhost_aliases parameter in the CORS Handler (the component that controls which websites can access the application) to gain elevated privileges, though executing this attack is difficult and requires remote access.

This article collection discusses security challenges in AI and cloud systems, particularly focusing on agentic AI (AI systems that can take autonomous actions). Key risks include jailbreaks (tricking AI systems into ignoring safety rules), prompt injection (hidden malicious instructions in AI inputs), and tool misuse by autonomous agents, which require contextual red teaming (security testing designed for specific use cases) rather than generic testing to identify real vulnerabilities.