AI Sec Watch

CVE-2025-64320 is a code injection vulnerability in Salesforce Agentforce Vibes Extension that occurs because the software doesn't properly filter user input before sending it to an LLM (large language model), allowing attackers to inject malicious code. The vulnerability affects versions before 3.2.0 of the extension.

CVE-2025-10875 is a vulnerability in Salesforce Mulesoft Anypoint Code Builder that allows improper neutralization of input used for LLM prompting (a technique where attackers manipulate AI system instructions through user input), leading to code injection (inserting malicious code into a system). This vulnerability affects versions of the software before 1.11.6.

CVE-2025-12695 is a vulnerability in DSPy (a framework for building AI agents) where an overly permissive sandbox configuration (a restricted environment meant to limit what code can do) allows attackers to steal sensitive files when users build an AI agent that takes user input and uses the PythonInterpreter class (a tool that runs Python code). The vulnerability stems from improper isolation, meaning the sandbox doesn't adequately separate the untrusted code from the rest of the system.

A WordPress plugin called 'Ai Auto Tool Content Writing Assistant' (versions 2.0.7 to 2.2.6) has a security flaw where it doesn't properly check user permissions before allowing the save_post_data() function (a feature that stores post information) to run. This means even low-level users (Subscriber level and above) can create and publish posts they shouldn't be able to, allowing unauthorized modification of website content.

LlamaIndex released version 0.14.7 and several component updates that add new features and fix bugs across the platform. Key updates include integrations with tool-calling features for multiple AI models (Anthropic, Mistral, Ollama), new support for GitHub App authentication, and fixes for failing tests and documentation issues. These changes improve how LlamaIndex connects to different AI services and external tools.

Keras, a machine learning library, has a vulnerability in its keras.utils.get_file function when extracting tar archives (compressed file collections). An attacker can create a malicious tar file with special symlinks (shortcuts to files) that, when extracted, writes files anywhere on the system instead of just the intended folder, giving them unauthorized access to overwrite important system files.

This article presents MaxDiv, a technique for machine unlearning, which is the process of removing specific knowledge from an AI model after training to protect privacy, even when the original training data is no longer available. MaxDiv works by creating special synthetic data samples that have opposite characteristics to the data being forgotten, and it uses knowledge distillation (a technique where a model learns to replicate another model's behavior) to ensure important information isn't accidentally lost during the unlearning process.

LiteLLM, a tool that helps developers use different AI models through one interface, has a vulnerability where the health endpoint (a checking tool that monitors system status) improperly exposes API_KEY information (secret credentials used to authenticate requests) to attackers who are already authenticated. An attacker with access could steal these stored credentials and use them to compromise the system further.

MLflow Tracking Server contains a directory traversal (a vulnerability where an attacker uses special path characters like '../' to access files outside the intended directory) vulnerability that allows unauthenticated attackers to execute arbitrary code on the server. The flaw stems from insufficient validation of file paths when handling model creation, letting attackers run commands with the privileges of the service account running MLflow.