AI Sec Watch

CVE-2025-66959 is a vulnerability in ollama v.0.12.10 that allows a remote attacker to cause a denial of service (making a service unavailable by overwhelming it) through the GGUF decoder (the part of the software that reads GGUF format files). The vulnerability stems from improper input validation and uncontrolled resource consumption in how the decoder processes data.

The article argues that stronger copyright laws, often promoted as protecting creators from big tech, actually concentrate power among large corporations and create barriers that prevent competition and innovation. In the AI context specifically, requiring developers to license training data would be so expensive that only the largest companies could afford to build AI models, reducing competition and ultimately harming consumers through higher costs and worse services.

SQLBot is a data query system that uses a large language model and RAG (retrieval-augmented generation, where an AI pulls in external documents to answer questions) to help users query databases. Versions before 1.5.0 have a missing authentication vulnerability in a file upload endpoint that allows attackers without login credentials to upload Excel or CSV files and insert data directly into the database, because the endpoint was added to a whitelist that skips security checks.

LlamaIndex version 0.14.13 is a release that includes multiple updates across its core library and integrations, featuring new capabilities like early stopping in agent workflows, token-based code splitting, and distributed data ingestion via RayIngestionPipeline. The release also includes several bug fixes, such as correcting error handling in aggregation functions and fixing async integration issues, plus security improvements that removed exposed API keys from notebook outputs.

This research analyzes how discussions about Generative AI spread across different industries (like media, healthcare, and finance) in the six months after ChatGPT's release, using social media data and innovation theory. The study found that different industries had different concerns: media and marketing focused on content generation with positive views, while healthcare and finance were more cautious and focused on analysis. Misinformation was the biggest concern overall, and the research showed that emotional reactions (sentiment) were the main factor driving how quickly information about AI spread between people.

Generative artificial intelligence (GAI, AI systems that create new text, images, or code) is significantly changing how information systems are taught in universities. IS educators are discussing both the benefits and risks of GAI, including concerns about academic integrity (students using AI to cheat), and they are developing recommendations for how to responsibly teach with and about GAI in the classroom.

NVIDIA Merlin Transformers4Rec contains a code injection vulnerability (CWE-94, a weakness where attackers can trick software into running malicious code) that could let attackers execute arbitrary code, gain elevated permissions, steal information, or modify data. The vulnerability affects all platforms running this software. A CVSS severity score has not yet been assigned by NIST.

This research paper analyzes how companies that invest in digital technologies, including AI, affect their greenhouse gas emissions and natural resource use. The study found that companies investing in these technologies tend to reduce their emissions and consume fewer natural resources, suggesting that digital tools can help address environmental challenges.

ChatterBot versions up to 1.2.10 have a vulnerability that causes denial-of-service (when a service becomes unavailable due to being overwhelmed), triggered when multiple concurrent calls to the get_response() method exhaust the SQLAlchemy connection pool (a group of reusable database connections). The service becomes unavailable and requires manual restart to recover.