AI Sec Watch

CVE-2025-48956 is a Denial of Service vulnerability (a type of attack that makes a service unavailable) in vLLM, an inference and serving engine for large language models. Versions 0.1.0 through 0.10.1.0 are vulnerable to crashing when someone sends an HTTP GET request with an extremely large header, which exhausts the server's memory. This attack requires no authentication, so anyone on the internet can trigger it.

claude-code-router is a tool that directs Claude Code requests to different AI models. The software has a security flaw in its CORS (Cross-Origin Resource Sharing, which controls what websites can access a service) configuration that could allow attackers to steal user API keys (credentials that grant access to services) and sensitive data from untrusted websites.

Windsurf, a code editor based on VS Code with an AI coding agent called Windsurf Cascade, has security vulnerabilities that allow attackers to use prompt injection (tricking an AI by hiding instructions in its input) to steal developer secrets from a user's machine. The vulnerabilities were responsibly reported to Windsurf on May 30, 2025, but the company has not provided updates on fixes despite follow-up inquiries.

Amazon Q Developer for VS Code, a coding tool used by over 1 million people, has a vulnerability where attackers can use invisible Unicode characters (special characters that humans cannot see but the AI can read) to trick the AI into following hidden instructions, potentially stealing sensitive information or running malicious code on a user's computer.

Amazon Q Developer, a popular VS Code extension for coding assistance with over 1 million downloads, is vulnerable to indirect prompt injection (tricking an AI by hiding malicious instructions in its input data). This vulnerability allows an attacker or the AI itself to run arbitrary commands on a developer's computer without permission, similar to a flaw that Microsoft patched in GitHub Copilot.

Volcengine's verl 3.0.0 has a deserialization vulnerability (unsafe loading of data structures from untrusted files) in its model_merger.py script that uses torch.load() with weights_only=False, allowing attackers to execute arbitrary code (run commands without authorization) if a victim loads a malicious model file. An attacker can exploit this by tricking a user into downloading and using a specially crafted .pt file, potentially gaining full control of the victim's system.

Amazon Q Developer, a popular VS Code coding agent with over 1 million downloads, has a high-severity vulnerability where it can leak sensitive information like API keys to external servers through DNS requests (the system that translates website names into IP addresses). Attackers can exploit this behavior using prompt injection (tricking the AI by hiding malicious instructions in its input), especially through untrusted data, because the security relies heavily on how the AI model behaves.

A vulnerability in Amp Code from Sourcegraph allowed attackers to steal sensitive information by using prompt injection (tricking an AI by hiding instructions in its input) through markdown image rendering, which could force the AI to send previous chat data to attacker-controlled websites. This type of vulnerability is common in AI applications and similar to one previously found in GitHub Copilot. The vulnerability has been fixed in Amp Code.

Sourcegraph's Amp coding agent was vulnerable to invisible prompt injection (hidden instructions embedded in text that AI models interpret as commands). Attackers could use invisible Unicode Tag characters to trick the AI into dumping environment variables and exfiltrating secrets through URLs. The vulnerability has been fixed in the latest version.