aisecwatch.com

Real-time AI security monitoring. Tracking AI-related vulnerabilities, safety and security incidents, privacy risks, research developments, and policy changes.

Maintained by

Truong (Jack) Luu

Information Systems Researcher

AI Sec Watch

The security intelligence platform for AI teams

AI security threats move fast and get buried under hype and noise. Built by an Information Systems Security researcher to help security teams and developers stay ahead of vulnerabilities, privacy incidents, safety research, and policy developments.

Independent research. No sponsors, no paywalls, no conflicts of interest.

Total tracked: 3,710 | Last 24 hours: 1 | Last 7 days: 1
Daily Briefing: Sunday, May 17, 2026

No new AI/LLM security issues were identified today.

Latest Intel

01

CVE-2025-59286: Improper neutralization of special elements used in a command ('command injection') in Copilot allows an unauthorized at

security
Oct 9, 2025

CVE-2025-59286 is a command injection vulnerability (a flaw where an attacker can insert malicious commands by exploiting how special characters are handled) in Copilot that allows an unauthorized attacker to disclose information over a network. The vulnerability stems from improper neutralization of special elements used in commands. A CVSS score (a 0-10 rating of how severe a vulnerability is) has not yet been assigned by NIST.

NVD/CVE Database
02

CVE-2025-59272: Improper neutralization of special elements used in a command ('command injection') in Copilot allows an unauthorized at

security
Oct 9, 2025

CVE-2025-59272 is a command injection vulnerability (a flaw where an attacker can insert malicious commands into user input that gets executed by the system) in Copilot that allows an unauthorized attacker to disclose information locally. The vulnerability stems from improper handling of special characters in commands, and it has a CVSS 4.0 severity rating (a moderate severity score on a 0-10 scale).

NVD/CVE Database
03

CVE-2025-59252: Improper neutralization of special elements used in a command ('command injection') in Copilot allows an unauthorized at

security
Oct 9, 2025

CVE-2025-59252 is a command injection vulnerability (a flaw where an attacker can insert malicious commands into a system by exploiting improper handling of special characters) in Copilot that allows an unauthorized attacker to disclose information over a network. The vulnerability stems from improper neutralization of special elements used in commands. The CVSS severity score (a 0-10 rating of vulnerability severity) has not yet been assigned by NIST.

NVD/CVE Database
04

Mujaz: A Summarization-Based Approach for Normalized Vulnerability Description

research
Oct 9, 2025

Mujaz is a system that uses natural language processing (NLP, the field of AI that helps computers understand human language) to automatically clean up and summarize vulnerability descriptions found in public databases. The system was trained on a collection of carefully labeled vulnerability summaries and uses pre-trained language models (AI systems trained on large amounts of text) to create clearer, more consistent descriptions that help developers and organizations understand and patch security issues more effectively.

IEEE Xplore (Security & AI Journals)
05

DynMD: Energy-Based Dynamic Graph Representation Learning for Malware Detection

research
Oct 9, 2025

This paper presents DynMD, a new machine learning model that uses Graph Neural Networks (GNNs, which are AI systems that analyze connected data points and their relationships) to detect malware by analyzing streaming behavioral data (information about what a program does over time). Unlike previous approaches that miss how malware behaviors connect over time, DynMD uses an energy-based method to better understand malware patterns and can detect threats 3.81 to 5.33 times faster than existing systems.

IEEE Xplore (Security & AI Journals)
06

FGRW: Fine-Grained Reversible Watermarking Based on Distribution-Adaptive Contrastive Augmentation Across Diverse Domains

research, security
Oct 9, 2025

This paper describes a new watermarking technique (a method to embed hidden ownership markers into AI models) that remains stable when models are fine-tuned (adjusted to perform new tasks) across different domains. The researchers propose a system that automatically adjusts synthetic training samples and watermark embedding based on the specific data, using out-of-distribution awareness (detecting when data differs significantly from expected patterns) to keep the watermark robust while maintaining the model's performance on its actual task.

IEEE Xplore (Security & AI Journals)
07

CVE-2025-61913: Flowise is a drag & drop user interface to build a customized large language model flow. In versions prior to 3.0.8, Wri

security
Oct 8, 2025

Flowise is a visual tool for building custom LLM (large language model) workflows, but versions before 3.0.8 have a path traversal vulnerability (a security flaw where attackers can access files outside intended directories) in its file read and write tools. Authenticated attackers could exploit this to read and write any files on the system, potentially leading to remote code execution (running malicious commands on the server).

Fix: Upgrade to Flowise 3.0.8, which closes the path traversal. The release is available at https://github.com/FlowiseAI/Flowise/releases/tag/flowise%403.0.8.

NVD/CVE Database
08

CVE-2025-5009: In Gemini iOS, when a user shared a snippet of a conversation, it would share the entire conversation via a sharable pub

security, privacy
Oct 8, 2025

CVE-2025-5009 is a privacy bug in Google's Gemini iOS app where sharing a snippet of a conversation accidentally shared the entire conversation history through a public link instead of just the selected part. This exposed users' full conversation data, including private information they didn't intend to share.

NVD/CVE Database
09

CVE-2025-11445: A vulnerability was detected in Kilo Code up to 4.86.0. Affected is the function ClineProvider of the file src/core/webv

security
Oct 8, 2025

Kilo Code versions up to 4.86.0 contain a vulnerability in the ClineProvider function that allows prompt injection (tricking an AI by hiding instructions in its input) through improper handling of special characters. The vulnerability can be exploited remotely and has already been made public.

Fix: The source advisory recommends applying a patch; no specific fixed version is named there.

NVD/CVE Database
10

CVE-2025-6242: A Server-Side Request Forgery (SSRF) vulnerability exists in the MediaConnector class within the vLLM project's multimod

security
Oct 7, 2025

A Server-Side Request Forgery (SSRF) vulnerability, a weakness that lets attackers trick a server into making unwanted requests to internal resources, exists in the MediaConnector class of the vLLM project's multimodal feature set. The vulnerability occurs in the load_from_url and load_from_url_async methods, which fetch media from user-provided URLs without properly checking which hosts are allowed, potentially allowing attackers to access internal network resources through the vLLM server.

NVD/CVE Database