AI Sec Watch

This research addresses how to remove unwanted information from pre-trained vision models (AI systems trained to understand images) when users or model owners request it, especially when these deletion requests come one after another over time. The researchers propose Group Sparse LoRA (GS-LoRA), a technique that uses Low-Rank Adaptation modules (efficient add-on components that modify specific neural network layers) to selectively forget targeted classes or information while keeping the rest of the model working well, even when some training data is missing.

Cursor is a code editor designed for programming with AI. Before version 2.3, when the Cursor Agent runs in Auto-Run Mode with Allowlist mode enabled (a security setting that restricts which commands can run), attackers could bypass this protection by using prompt injection (tricking the AI by hiding instructions in its input) to execute shell built-ins (basic operating system commands) and modify environment variables (settings that affect how programs behave). This vulnerability allows attackers to compromise the shell environment without user approval.

Deep learning models used for MRI reconstruction (creating medical images from incomplete data) can fail when faced with unexpected situations like noise, different imaging settings, or unseen medical conditions. This paper proposes RODIO, a method that uses diffusion models (AI systems that gradually refine noisy data into clear images) as "purifiers" to make MRI reconstruction systems more reliable, and shows it works better than existing robustification techniques like adversarial training (deliberately exposing models to bad inputs during training to make them stronger).

Split Learning (SL) is a distributed learning framework designed to preserve privacy while reducing computational load, but researchers discovered a new attack called SLeak that allows a server adversary to steal client data and models. The attack works by exploiting information in the smashed data (intermediate data passed between clients and server) and server model to build a substitute client that mimics the target client's behavior, without needing strong privacy assumptions or much auxiliary data. The study shows SLeak is more effective than previous attacks across different datasets and scenarios.

A vulnerability in the Google Gemini connector allows an authenticated attacker with connector-creation privileges to read arbitrary files on the server by sending a specially crafted JSON configuration. The flaw combines two weaknesses: improper control over file paths (CWE-73, where user input is used unsafely to access files) and server-side request forgery (SSRF, where a server is tricked into making unintended network requests). The server fails to validate the configuration before processing it, enabling both unauthorized file access and arbitrary network requests.

Enclave is a JavaScript sandbox (a restricted environment for running untrusted code safely) designed to isolate AI agent code execution. Before version 2.7.0, it had a critical vulnerability where attackers could escape the sandbox by triggering an error, climbing the prototype chain (the sequence of objects that inherit properties from each other) to reach the host Function constructor, and then executing arbitrary code on the underlying Node.js system with access to sensitive data like environment variables and files.

Agentic browsers (web browsers with embedded AI agents) lack proper isolation mechanisms, allowing attackers to exploit them in ways similar to cross-site scripting (XSS, where malicious code runs on websites you visit) and cross-site request forgery (CSRF, where attackers trick your browser into making unwanted requests). Because AI agents have access to the same sensitive data that users trust browsers with, like bank accounts and passwords, inadequate isolation between the AI agent and websites creates old security vulnerabilities that the web community thought it had solved decades ago.

Ollama versions 0.11.5-rc0 through 0.13.5 have a null pointer dereference vulnerability (a crash caused by the software trying to use a memory address that doesn't exist) in their image processing code. An attacker can send specially crafted fake image data to the /api/chat endpoint (the interface for chat requests), which causes the application to crash and become unavailable until manually restarted, affecting all users.

LangChain versions up to 0.3.1 have a ReDoS vulnerability (a type of bug where a poorly written pattern-matching rule can be tricked into consuming huge amounts of CPU time) in a parser that extracts tool actions from AI model output. An attacker can exploit this by injecting malicious text, either directly or through prompt injection (tricking an AI by hiding instructions in its input), causing the parser to slow down dramatically or stop working entirely.