AI Sec Watch

A vulnerability in the `preprocess_string()` function of the huggingface/transformers library (version v4.48.3) allows a ReDoS attack (regular expression denial of service, where a poorly written pattern causes the computer to do exponential amounts of work). An attacker can send specially crafted input with many newline characters that makes the function use excessive CPU, potentially crashing the application.

CVE-2025-1975 is a vulnerability in Ollama server version 0.5.11 that allows an attacker to crash the server through a Denial of Service attack by sending specially crafted requests to the /api/pull endpoint (the function that downloads AI models). The vulnerability stems from improper validation of array index access (CWE-129, which means the program doesn't properly check if it's trying to access memory locations that don't exist), which happens when a malicious user customizes manifest content and spoofs a service.

CVE-2025-4701 is a vulnerability in VITA-MLLM Freeze-Omni (versions up to 20250421) where improper input validation in the torch.load function of models/utils.py allows deserialization (converting data back into executable code) of untrusted data through a manipulated file path argument. This vulnerability has a CVSS score (a 0-10 rating of how severe a vulnerability is) of 4.8 (medium severity) and can be exploited locally by users with basic privileges.

The article argues that using multiple specialized AI security models (each designed to detect specific threats like prompt injection, toxicity, or PII detection) is more effective than using a single large model for all security tasks. Specialized models offer advantages including faster response times to new threats, easier management, better performance, lower costs, and greater resilience because if one model fails, the others can still provide protection.

OpenAI announced a restructured plan in May 2025 that aims to preserve nonprofit control over the company's for-profit operations, replacing a December 2024 proposal that had faced criticism. The new plan would convert OpenAI Global LLC into a public-benefit corporation (PBC, a corporate structure designed to balance profit with charitable purpose) where the nonprofit would retain shareholder status and board appointment power, though critics argue this may not preserve the governance safeguards that existed in the original structure.

CVE-2025-0649 is a bug in Google's TensorFlow Serving (a tool that runs machine learning models as a service) versions up to 2.18.0 where incorrect handling of JSON input can cause unbounded recursion (a program calling itself repeatedly without stopping), leading to server crashes. This vulnerability has a CVSS score (a 0-10 rating of how severe a vulnerability is) of 8.9, indicating high severity. The issue relates to out-of-bounds writes (writing data to unintended memory locations) and stack-based buffer overflow (overflowing a memory region meant for temporary data).

CVE-2025-30165 is a vulnerability in vLLM (a system for running large language models) that affects multi-node deployments using the V0 engine. The vulnerability exists because vLLM deserializes (converts from storage format back into usable data) incoming network messages using pickle, an unsafe method that allows attackers to execute arbitrary code on secondary hosts. This could let an attacker compromise an entire vLLM deployment if they control the primary host or use network-level attacks like ARP cache poisoning (redirecting network traffic to a malicious server).

CVE-2025-25014 is a prototype pollution vulnerability (a type of bug where an attacker modifies the basic template that objects are built from) in Kibana that allows attackers to execute arbitrary code (run commands they shouldn't be able to run) by sending specially crafted HTTP requests (malicious web requests) to machine learning and reporting endpoints. The vulnerability affects multiple versions of Kibana and was identified by Elastic.

The Terraform WinDNS Provider (a tool for managing Windows DNS servers through Terraform, an infrastructure automation tool) had a security flaw before version 1.0.5 where the `windns_record` resource didn't properly validate user input, allowing authenticated command injection (an attack where malicious commands are sneaked into legitimate input to execute unauthorized code in the underlying PowerShell command prompt). This vulnerability only affects users who already have authentication access to the system.