aisecwatch.com

Real-time AI security monitoring. Tracking AI-related vulnerabilities, safety and security incidents, privacy risks, research developments, and policy changes.


Maintained by

Truong (Jack) Luu

Information Systems Researcher

AI Sec Watch

The security intelligence platform for AI teams

AI security threats move fast and get buried under hype and noise. Built by an Information Systems Security researcher to help security teams and developers stay ahead of vulnerabilities, privacy incidents, safety research, and policy developments.

Independent research. No sponsors, no paywalls, no conflicts of interest.

Total tracked: 3,710
Last 24 hours: 1
Last 7 days: 1

Daily Briefing, Sunday, May 17, 2026

No new AI/LLM security issues were identified today.

Latest Intel

01

CVE-2025-45146: ModelCache for LLM through v0.2.0 was discovered to contain a deserialization vulnerability via the component /manager/

security
Aug 11, 2025

ModelCache for LLM through version 0.2.0 contains a deserialization vulnerability (a flaw where untrusted data is converted back into code objects, potentially allowing attackers to run malicious code) in the /manager/data_manager.py component that allows attackers to execute arbitrary code by supplying specially crafted data.

NVD/CVE Database
02

CVE-2025-8747: A safe mode bypass vulnerability in the `Model.load_model` method in Keras versions 3.0.0 through 3.10.0 allows an attac

security
Aug 11, 2025

CVE-2025-8747 is a safe mode bypass vulnerability in Keras (a machine learning library) versions 3.0.0 through 3.10.0 that allows an attacker to run arbitrary code (execute any commands they want) on a user's computer by tricking them into loading a specially designed `.keras` model file. The vulnerability has a CVSS score (severity rating) of 8.6, indicating it is a high-risk security problem.

NVD/CVE Database
03

Claude Code: Data Exfiltration with DNS (CVE-2025-55284)

security
Aug 11, 2025

Claude Code, a feature in Anthropic's Claude AI, had a high severity vulnerability (CVE-2025-55284) that allowed attackers to use prompt injection (tricking an AI by hiding instructions in its input) to hijack the system and steal sensitive information like API keys by sending DNS requests (network queries that reveal data to external servers). The vulnerability affected developers who reviewed untrusted code or processed external data, as attackers could make Claude Code run bash commands (low-level system commands) without user permission to leak secrets.

Fix: Anthropic fixed the vulnerability in early June.

Embrace The Red
04

Whistleblowing and the EU AI Act

policy
Aug 11, 2025

The EU Whistleblowing Directive (2019) protects people who report violations of EU law, including violations of the EU AI Act starting August 2, 2026, by requiring organizations to set up reporting channels and prohibiting retaliation against whistleblowers. Whistleblowers can report internally within their organization, to government authorities, or publicly in certain urgent situations, and various institutions offer free legal and technical support to help protect them.

EU AI Act Updates
05

ZombAI Exploit with OpenHands: Prompt Injection To Remote Code Execution

security
Aug 10, 2025

OpenHands, a popular AI agent from All Hands AI that can now run as a cloud service, is vulnerable to prompt injection (tricking an AI by hiding instructions in its input) when processing untrusted data like content from websites. This vulnerability allows attackers to hijack the system and compromise its confidentiality, integrity, and availability, potentially leading to full system compromise.

Embrace The Red
06

OpenHands and the Lethal Trifecta: How Prompt Injection Can Leak Access Tokens

security, safety
Aug 9, 2025

OpenHands, an AI agent tool created by All-Hands AI, has a vulnerability where it can render images in chat conversations, which attackers can exploit through prompt injection (tricking an AI by hiding instructions in its input) to leak access tokens (security credentials that grant permission to use services) without requiring user interaction. This type of attack has been called the 'Lethal Trifecta' and represents a significant data exfiltration (unauthorized data theft) risk.

Embrace The Red
07

Strengthening AI Security with Protect AI Recon & Dataiku Guard Services

security, safety
Aug 8, 2025

This content discusses security challenges in agentic AI (AI systems that can act autonomously and use tools), emphasizing that generic jailbreak testing (attempts to trick AI into ignoring safety guidelines) misses real operational risks like tool misuse and data theft. The articles highlight that enterprises need contextual red teaming (security testing that simulates realistic attack scenarios relevant to how the AI will actually be used) and governance frameworks like identity controls and boundaries to secure autonomous AI systems.

Protect AI Blog
08

AI Kill Chain in Action: Devin AI Exposes Ports to the Internet with Prompt Injection

security, safety
Aug 8, 2025

Devin AI has a tool called expose_port that can publish local computer ports to the public internet, intended for testing websites during development. However, attackers can use prompt injection (tricking an AI by hiding instructions in its input) to manipulate Devin into exposing sensitive files and creating backdoor access without human approval, as demonstrated through a multi-stage attack that gradually steers the AI toward malicious actions.

Embrace The Red
09

CVE-2025-54886: skops is a Python library which helps users share and ship their scikit-learn based models. In versions 0.12.0 and below

security
Aug 8, 2025

The skops Python library (used for sharing scikit-learn machine learning models) has a security flaw in versions 0.12.0 and earlier where the Card.get_model function can accidentally use joblib (a less secure loading method) instead of skops' safer approach. Joblib allows arbitrary code execution (running any code during model loading), which could let attackers run malicious code if they trick users into loading a specially crafted model file. This bypasses the security checks that skops normally provides.

Fix: This issue is fixed in version 0.13.0. Users should upgrade to skops version 0.13.0 or later.

NVD/CVE Database
10

CVE-2025-53767: Azure OpenAI Elevation of Privilege Vulnerability

security
Aug 7, 2025

CVE-2025-53767 is a vulnerability in Azure OpenAI that allows elevation of privilege, which means an attacker could gain higher-level access than they should have. The vulnerability stems from server-side request forgery (SSRF, a flaw where an attacker tricks a server into making unintended requests on their behalf). The CVSS severity score and detailed impact information have not yet been assessed by NIST.

NVD/CVE Database