aisecwatch.com

Real-time AI security monitoring. Tracking AI-related vulnerabilities, safety and security incidents, privacy risks, research developments, and policy changes.


Maintained by Truong (Jack) Luu, Information Systems Researcher

AI Sec Watch

The security intelligence platform for AI teams

AI security threats move fast and get buried under hype and noise. Built by an Information Systems Security researcher to help security teams and developers stay ahead of vulnerabilities, privacy incidents, safety research, and policy developments.

Independent research. No sponsors, no paywalls, no conflicts of interest.

Total tracked: 3,710 | Last 24h: 1 | Last 7 days: 1

Daily Briefing: Sunday, May 17, 2026

No new AI/LLM security issues were identified today.

Latest Intel

01

CVE-2025-23328: NVIDIA Triton Inference Server for Windows and Linux contains a vulnerability where an attacker could cause an out-of-bo

security
Sep 17, 2025

CVE-2025-23328 affects NVIDIA Triton Inference Server for Windows and Linux (NVIDIA's model-serving software). An attacker who can send specially crafted input may trigger an out-of-bounds write (data written past the intended memory region), which can lead to denial of service (the service becoming unavailable). It carries a CVSS base score of 4.0, which falls in the Medium range.

NVD/CVE Database
02

CVE-2025-23316: NVIDIA Triton Inference Server for Windows and Linux contains a vulnerability in the Python backend, where an attacker c

security
Sep 17, 2025

CVE-2025-23316 affects the Python backend of NVIDIA Triton Inference Server for Windows and Linux. By manipulating the model name parameter passed to the model control APIs (the endpoints used to load, unload and otherwise manage models), an attacker can execute arbitrary code remotely. Successful exploitation may result in remote code execution (RCE, where an attacker runs their own commands on the server), denial of service (making the system unavailable), information disclosure (exposing sensitive data), and data tampering (modifying stored information).

NVD/CVE Database
03

CVE-2025-23268: NVIDIA Triton Inference Server contains a vulnerability in the DALI backend where an attacker may cause an improper inpu

security
Sep 17, 2025

CVE-2025-23268 affects the DALI backend of NVIDIA Triton Inference Server (DALI is NVIDIA's data loading and preprocessing library). Improper input validation, the failure to check data before using it, may allow an attacker to achieve code execution on the system. The weakness is classified as CWE-20 (Improper Input Validation).

NVD/CVE Database
04

CVE-2025-10155: An Improper Input Validation vulnerability in the scanning logic of mmaitre314 picklescan versions up to and including 0

security
Sep 17, 2025

picklescan is a tool that inspects pickle files (Python's object-serialization format, which can execute arbitrary code when loaded) before they are loaded. In versions up to and including 0.0.30, an attacker can bypass the scan by giving a malicious pickle file a PyTorch-related file extension: the scanner wrongly reports the file as safe, and when the file is subsequently loaded the attacker's code runs. In a pipeline where the scanner is the only gate in front of the load, a scanner bypass is therefore equivalent to code execution.

NVD/CVE Database
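The weakness described above is a dispatch-on-filename problem: what matters is the byte stream, not what the extension claims. The following added example (my own illustration, not picklescan's code) walks a pickle's opcode stream with the standard library's `pickletools`, which parses without executing anything, flags `GLOBAL`/`STACK_GLOBAL` references to dangerous modules, and handles a PyTorch-style zip checkpoint by scanning every member regardless of name. The `DANGEROUS` denylist, the sample pickles, and the `scan_trusting_extension` anti-pattern are all constructed for this example; the anti-pattern is a generic illustration of extension-based trust, not a reconstruction of picklescan's actual logic.

```python
import io
import pickle
import pickletools
import zipfile

# (module, name) pairs a model file should never need to reconstruct.
# Illustrative denylist for this example only; a real scanner keeps a far longer one.
DANGEROUS = {
    ("os", "system"), ("posix", "system"), ("nt", "system"),
    ("subprocess", "Popen"), ("subprocess", "run"), ("subprocess", "check_output"),
    ("builtins", "eval"), ("builtins", "exec"), ("builtins", "__import__"),
}
STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING",
              "UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}


def referenced_globals(data: bytes) -> list:
    """Parse the opcode stream with pickletools (nothing is executed) and return
    every (module, name) that GLOBAL or STACK_GLOBAL would import on load.
    STACK_GLOBAL takes its operands from the two most recent string pushes; this
    simplified tracker ignores memo lookups (BINGET), so it can miss references
    routed through the memo. Raises ValueError if the bytes are not a pickle."""
    refs, strings = [], []
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "GLOBAL":              # protocol 0-3: "module name" in one arg
            module, name = arg.split(" ", 1)
            refs.append((module, name))
        elif op.name in STRING_OPS:
            strings.append(arg)
        elif op.name == "STACK_GLOBAL" and len(strings) >= 2:   # protocol 4+
            refs.append((strings[-2], strings[-1]))
    return refs


def scan_pickle_bytes(data: bytes) -> str:
    """'dangerous', 'safe' or 'not-a-pickle' for one raw pickle stream."""
    try:
        refs = referenced_globals(data)
    except ValueError:
        return "not-a-pickle"
    return "dangerous" if any(ref in DANGEROUS for ref in refs) else "safe"


def scan_model_file(filename: str, data: bytes) -> str:
    """Content-based dispatch: the extension is never consulted. A PyTorch-style
    checkpoint is a zip archive whose members (data.pkl, ...) are each scanned;
    anything else is scanned as a bare pickle stream, whatever its name says."""
    if not data.startswith(b"PK\x03\x04"):
        return scan_pickle_bytes(data)
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        verdicts = [scan_pickle_bytes(archive.read(name)) for name in archive.namelist()]
    if "dangerous" in verdicts:
        return "dangerous"
    return "safe" if "safe" in verdicts else "not-a-pickle"


def scan_trusting_extension(filename: str, data: bytes) -> str:
    """Anti-pattern for contrast (hypothetical, not picklescan's logic): a
    checkpoint extension on a non-zip file is taken to mean opaque tensor data
    and skips the pickle check, so a raw pickle renamed to .pt passes as 'safe'."""
    if filename.lower().endswith((".pt", ".pth", ".ckpt")) and not data.startswith(b"PK\x03\x04"):
        return "safe"
    return scan_model_file(filename, data)


# Constructed samples for this example; none is a real model file.
# Protocol 0: equivalent to os.system("id") on load (GLOBAL, then REDUCE).
RAW_MALICIOUS_P0 = b"cos\nsystem\n(S'id'\ntR."
# Protocol 4 encoding of the same call, which uses STACK_GLOBAL instead of GLOBAL.
RAW_MALICIOUS_P4 = b"\x80\x04\x8c\x02os\x8c\x06system\x93\x8c\x02id\x85R."
BENIGN = pickle.dumps({"weights": [1.0, 2.0]}, protocol=4)


def torch_like_zip(pickle_bytes: bytes) -> bytes:
    """Build an in-memory archive laid out like a torch.save() checkpoint."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("model/data.pkl", pickle_bytes)
        archive.writestr("model/version", "3\n")
    return buf.getvalue()


if __name__ == "__main__":
    for label, name, blob in [
        ("raw pickle renamed .pt (proto 0)", "model.pt", RAW_MALICIOUS_P0),
        ("raw pickle renamed .pt (proto 4)", "model.pt", RAW_MALICIOUS_P4),
        ("benign checkpoint", "model.pt", torch_like_zip(BENIGN)),
        ("malicious checkpoint", "model.pt", torch_like_zip(RAW_MALICIOUS_P4)),
    ]:
        print(f"{label:36} content-based={scan_model_file(name, blob):10} "
              f"extension-trusting={scan_trusting_extension(name, blob)}")
```

The point to take away is the dispatch order: look at the magic bytes first, and run the opcode scan on every pickle stream you find, so renaming a file cannot change which code path inspects it.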
05

Offline Inverse Constrained Reinforcement Learning for Safe-Critical Decision Making in Healthcare

research, safety
Sep 17, 2025

This research addresses how to make reinforcement learning (RL, where AI systems learn to make decisions by trial and error) safer for healthcare by proposing a method called Constraint Transformer that learns safety rules from historical medical records instead of requiring real-time interaction. The system uses a causal attention mechanism (a technique that identifies which past events matter most) and a generative world model (a simulation tool) to identify unsafe treatment decisions and improve patient outcomes while reducing harmful behaviors.

IEEE Xplore (Security & AI Journals)
06

CVE-2025-58177: n8n is an open source workflow automation platform. From 1.24.0 to before 1.107.0, there is a stored cross-site scriptin

security
Sep 15, 2025

n8n, an open source workflow automation platform, has a stored XSS vulnerability (cross-site scripting, where injected script is persisted and later executes in other users' browsers) in versions from 1.24.0 up to but not including 1.107.0. An authorized user can inject JavaScript into the initialMessages field of the LangChain Chat Trigger node; if public access is enabled for that trigger, the script runs in the browser of anyone who opens the public chat link, which can be used to steal cookies or other sensitive data or to present phishing content on the trusted page.

Fix: Update to version 1.107.0 or later. As a workaround, the affected chatTrigger node can be disabled.

NVD/CVE Database
07

CVE-2025-6051: A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, sp

security
Sep 14, 2025

A ReDoS vulnerability (regular expression denial of service, where crafted input makes pattern matching backtrack excessively and burn CPU) was found in the number normalization logic of the Hugging Face Transformers library. An attacker who can submit text containing long digit sequences can stall or severely slow down text-to-speech and number-processing tasks. Versions up to 4.52.4 are affected.

Fix: Fixed in version 4.53.0 of the Hugging Face Transformers library.

NVD/CVE Database
08

CVE-2025-9556: Langchaingo supports the use of jinja2 syntax when parsing prompts, which is in turn parsed using the gonja library v1.5

security
Sep 12, 2025

Langchaingo, a Go library for working with language models, supports jinja2-style syntax when parsing prompts and delegates that parsing to the gonja library, which also implements the file-reading tags 'include' and 'extends'. This creates a server-side template injection vulnerability (SSTI, where attacker-supplied text is parsed as template code rather than treated as data): by inserting such statements into a prompt, an attacker can make the server read files, such as /etc/passwd, into the rendered output.

NVD/CVE Database
09

CVE-2025-58434: Flowise is a drag & drop user interface to build a customized large language model flow. In version 3.0.5 and earlier, t

security
Sep 12, 2025

Flowise, a drag-and-drop interface for building custom LLM workflows, has a critical flaw in versions 3.0.5 and earlier: the password reset endpoint returns sensitive information, including the reset token itself, without requiring authentication. An attacker can request a reset for any user's address, read the token from the response, and use it to set a new password, taking over the account.

Fix: Upgrade to version 3.0.6 or later, which includes commit 9e178d68873eb876073846433a596590d3d9c863 that secures password reset endpoints. The source also recommends: (1) never return reset tokens or account details in API responses; (2) send tokens only through the user's registered email; (3) make the forgot-password endpoint respond with a generic success message to prevent attackers from discovering which accounts exist; (4) require strong validation of reset tokens, including making them single-use, giving them a short expiration time, and tying them to the request origin; and (5) apply these same fixes to both cloud and self-hosted deployments.

NVD/CVE Database
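The five recommendations above translate directly into code. The following added example (my own illustration in Python, not Flowise's TypeScript code) implements a forgot/reset flow with exactly those properties: a generic response that never carries the token, delivery only through the registered address (a `send_email` callback stands in for the mailer), a single-use token with a 15-minute expiry stored only as a SHA-256 hash, and binding to the origin that requested the reset (here taken to mean the caller's Origin value, which is an assumption about what "request origin" means). The user store, the clock and the captured outbox in `demo()` are constructed for the example.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60   # short-lived reset tokens
GENERIC_MESSAGE = "If an account exists for that address, a password reset link has been sent."


def _sha256_hex(value: str) -> str:
    return hashlib.sha256(value.encode()).hexdigest()


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """PBKDF2-HMAC-SHA256 with a per-user salt; returns (salt, derived_key)."""
    salt = salt or secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def verify_password(password: str, salt: bytes, derived: bytes) -> bool:
    return hmac.compare_digest(hash_password(password, salt)[1], derived)


class PasswordResetService:
    """Assumed shape for this example: `users` maps email -> {"salt", "pw"};
    `send_email(email, token)` stands in for the mailer; `now()` is injectable
    so that expiry can be exercised without waiting."""

    def __init__(self, users: dict, send_email, now=time.time):
        self.users = users
        self.send_email = send_email
        self.now = now
        self.pending = {}   # sha256(token) -> {"email", "expires", "origin"}

    def forgot_password(self, email: str, origin: str) -> dict:
        """Always answers with the same body, so the caller cannot tell whether
        the address exists, and never includes the token or any account detail."""
        if email in self.users:
            token = secrets.token_urlsafe(32)
            self.pending[_sha256_hex(token)] = {
                "email": email,
                "expires": self.now() + TOKEN_TTL_SECONDS,
                "origin": origin,   # bound to the origin that asked for the reset
            }
            self.send_email(email, token)   # the registered address is the only channel
        return {"message": GENERIC_MESSAGE}

    def reset_password(self, token: str, new_password: str, origin: str) -> bool:
        """Single use (pop removes it on any attempt), short-lived, origin-bound.
        Only the token's hash is stored, so a leaked pending table cannot be replayed."""
        entry = self.pending.pop(_sha256_hex(token), None)
        if entry is None or self.now() > entry["expires"] or entry["origin"] != origin:
            return False
        salt, derived = hash_password(new_password)
        self.users[entry["email"]] = {"salt": salt, "pw": derived}
        return True


def demo() -> dict:
    """Exercise the flow with a constructed user store, captured outbox and fake
    clock; every value in the returned dict should be True."""
    clock = {"t": 1_700_000_000.0}
    outbox = []
    salt, derived = hash_password("old-password")
    users = {"alice@example.com": {"salt": salt, "pw": derived}}
    svc = PasswordResetService(users, lambda email, token: outbox.append((email, token)),
                               now=lambda: clock["t"])
    app = "https://flowise.example"

    known = svc.forgot_password("alice@example.com", app)
    unknown = svc.forgot_password("nobody@example.com", app)
    token = outbox[-1][1]
    results = {
        "same_reply_for_known_and_unknown": known == unknown,
        "token_absent_from_reply": token not in str(known),
        "only_registered_address_emailed": [e for e, _ in outbox] == ["alice@example.com"],
        "guessed_token_rejected": not svc.reset_password(secrets.token_urlsafe(32), "x", app),
        "valid_token_accepted": svc.reset_password(token, "new-password", app),
    }
    user = users["alice@example.com"]
    results["password_actually_changed"] = verify_password("new-password", user["salt"], user["pw"])
    results["token_single_use"] = not svc.reset_password(token, "again", app)

    svc.forgot_password("alice@example.com", app)
    clock["t"] += TOKEN_TTL_SECONDS + 1
    results["expired_token_rejected"] = not svc.reset_password(outbox[-1][1], "late", app)

    svc.forgot_password("alice@example.com", app)
    results["foreign_origin_rejected"] = not svc.reset_password(outbox[-1][1], "evil", "https://attacker.example")
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:36} {'ok' if ok else 'FAIL'}")
```

Note that `pop` consumes the token on any attempt, including a failed one with the wrong origin; that is deliberate (fail closed), and the legitimate user simply requests a fresh link.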
10

CVE-2025-6638: A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, sp

security
Sep 12, 2025

A ReDoS vulnerability (regular expression denial of service, where crafted input makes regex matching extremely slow and CPU-bound) was found in Hugging Face Transformers version 4.52.4, specifically in the MarianTokenizer's `remove_language_code()` method. Malformed language-code patterns force inefficient backtracking, which can hang or severely slow down the process.

Fix: Update to version 4.53.0, where the vulnerability has been fixed. A patch is available at https://github.com/huggingface/transformers/commit/47c34fba5c303576560cb29767efb452ff12b8be.

NVD/CVE Database
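Both Transformers entries on this page (CVE-2025-6051 and CVE-2025-6638) share one root cause, catastrophic backtracking, so one added example covers them. It is my own illustration: the two patterns below are hypothetical stand-ins that accept the same language, not the expressions from Transformers, and `MAX_INPUT_CHARS` is an assumed cap. The example shows the nested-quantifier form beside its linear rewrite, enforces a length cap before any regex runs, and times a non-matching probe so the exponential growth is visible.

```python
import re
import time

MAX_INPUT_CHARS = 4_096   # assumed cap, enforced before any regex runs

# Hypothetical patterns for this example, NOT the Transformers expressions.
# Both accept exactly the same strings: one or more digits followed by 'x'.
# Nested quantifiers: on a failing input such as "111...1!" the engine tries every
# way of splitting the digit run between the inner and outer '+' (2^(n-1) ways)
# before it can report no match.
VULNERABLE = re.compile(r"^(\d+)+x$")
# One unambiguous way to consume the digits, so failure costs O(n) steps.
SAFE = re.compile(r"^\d+x$")


def check(text: str, pattern: re.Pattern = SAFE) -> str:
    """Reject oversized input outright instead of handing it to the matcher,
    then return 'match' or 'no match'."""
    if len(text) > MAX_INPUT_CHARS:
        return "rejected: too long"
    return "match" if pattern.match(text) else "no match"


def time_match(pattern: re.Pattern, text: str) -> float:
    """Seconds spent on one match attempt."""
    start = time.perf_counter()
    pattern.match(text)
    return time.perf_counter() - start


if __name__ == "__main__":
    # Every probe is non-matching (trailing '!'), so the vulnerable pattern must
    # exhaust its backtracking; doubling n roughly squares its running time.
    for n in (12, 16, 20):
        probe = "1" * n + "!"
        print(f"n={n:2}  vulnerable={time_match(VULNERABLE, probe):.4f}s  "
              f"safe={time_match(SAFE, probe):.6f}s")
```

The two defenses are independent: the rewrite removes the ambiguity that makes backtracking explode, and the length cap bounds the damage from any pattern you have not yet audited (tokenizers and normalizers typically receive attacker-controlled text, so the cap belongs at the entry point).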