aisecwatch.com

Real-time AI security monitoring. Tracking AI-related vulnerabilities, safety and security incidents, privacy risks, research developments, and policy changes.


Maintained by

Truong (Jack) Luu

Information Systems Researcher

AI Sec Watch

The security intelligence platform for AI teams

AI security threats move fast and get buried under hype and noise. Built by an Information Systems Security researcher to help security teams and developers stay ahead of vulnerabilities, privacy incidents, safety research, and policy developments.

Independent research. No sponsors, no paywalls, no conflicts of interest.

Total tracked: 3,710 | Last 24h: 1 | Last 7d: 1

Daily Briefing: Sunday, May 17, 2026

No new AI/LLM security issues were identified today.

Latest Intel

page 261/371
01

CVE-2025-23310: NVIDIA Triton Inference Server for Windows and Linux contains a vulnerability where an attacker could cause stack buffer

security
Aug 6, 2025

NVIDIA Triton Inference Server (software that runs AI models for prediction tasks) for Windows and Linux has a vulnerability where attackers can send specially crafted inputs to cause a stack buffer overflow (writing data beyond allocated memory limits), potentially leading to remote code execution (running commands on the affected system), denial of service (making the system unavailable), information disclosure, and data tampering. The vulnerability has a CVSS score (severity rating) of 4.0.

NVD/CVE Database
02

CVE-2025-5197: A Regular Expression Denial of Service (ReDoS) vulnerability exists in the Hugging Face Transformers library, specifical

security
Aug 6, 2025

A ReDoS vulnerability (regular expression denial of service, where a specially crafted input causes a regex pattern to consume excessive CPU) exists in the Hugging Face Transformers library, version 4.51.3 and earlier, in a function that converts TensorFlow model weight names to PyTorch format. An attacker can exploit this with malicious input strings to crash services or exhaust system resources.

Fix: Update to version 4.53.0 or later, which fixes the vulnerability.

NVD/CVE Database
03

I Spent $500 To Test Devin AI For Prompt Injection So That You Don't Have To

security
Aug 6, 2025

Devin AI, a tool that acts as an AI software engineer, is vulnerable to prompt injection (tricking an AI by hiding malicious instructions in its input) attacks that can lead to full system compromise. By planting malicious instructions on websites or GitHub issues that Devin reads, attackers can trick it into downloading and running malware, giving them remote control over Devin's DevBox (the sandboxed environment where Devin operates) and access to any stored secrets.

Embrace The Red
04

Amp Code: Arbitrary Command Execution via Prompt Injection Fixed

security, safety
Aug 5, 2025

Amp, an AI coding agent by Sourcegraph, had a vulnerability where it could modify its own configuration files to enable arbitrary command execution (running any code on a developer's machine) through two methods: adding bash commands to an allowlist or installing malicious MCP servers (external programs the AI can invoke). This could be exploited by the AI itself or through prompt injection attacks (tricking the AI by hiding malicious instructions in its input).

Fix: Make sure to run the latest version; Amp ships updates frequently. The vulnerability was identified in early July, reported to Sourcegraph, and promptly fixed by the Amp team.

Embrace The Red
05

CVE-2025-54868: LibreChat is a ChatGPT clone with additional features. In versions 0.0.6 through 0.7.7-rc1, an exposed testing endpoint

security
Aug 5, 2025

LibreChat (a ChatGPT-like application) versions 0.0.6 through 0.7.7-rc1 have a vulnerability where an exposed testing endpoint called /api/search/test allows anyone to read chat messages from any user by directly accessing the Meilisearch engine (a search database) without proper permission checks. This is a serious security flaw because it exposes private conversations.

Fix: This issue is fixed in version 0.7.7. Users should upgrade to version 0.7.7 or later.

NVD/CVE Database
06

CVE-2025-54795: Claude Code is an agentic coding tool. In versions below 1.0.20, an error in command parsing makes it possible to bypass

security
Aug 4, 2025

Claude Code is an agentic coding tool (software that can automatically write and execute code). In versions before 1.0.20, a flaw in how the tool parses commands allows attackers to skip the confirmation prompt that normally protects users before running untrusted code. Exploiting this requires the attacker to insert malicious content into Claude Code's input.

Fix: This is fixed in version 1.0.20. Users should update Claude Code to version 1.0.20 or later.

NVD/CVE Database
07

CVE-2025-54794: Claude Code is an agentic coding tool. In versions below 0.2.111, a path validation flaw using prefix matching instead o

security
Aug 4, 2025

Claude Code, an agentic coding tool (software that can write and modify code automatically), has a path validation flaw in versions before 0.2.111 that allows attackers to bypass directory restrictions and access files outside the intended working directory. The flaw stems from validating paths with prefix matching (checking whether one string starts with another) instead of properly comparing full file paths; exploiting it requires the attacker to create a directory whose name shares the allowed prefix and to inject untrusted content into the tool's context.

Fix: Update Claude Code to version 0.2.111 or later, as this version contains the fix for the path validation flaw.

NVD/CVE Database
08

CVE-2025-54135: Cursor is a code editor built for programming with AI. Cursor allows writing in-workspace files with no user approval in

security
Aug 4, 2025

Cursor, a code editor designed for AI-assisted programming, has a vulnerability in versions below 1.3.9 where it can write files in a workspace without asking the user for permission. An attacker can exploit this by using prompt injection (tricking the AI by hiding instructions in its input) to create sensitive configuration files like .cursor/mcp.json, potentially gaining RCE (remote code execution, where an attacker can run commands on a system they don't own) on the victim's computer without approval.

Fix: Update Cursor to version 1.3.9 or later, where this vulnerability is fixed.

NVD/CVE Database
09

CVE-2025-54130: Cursor is a code editor built for programming with AI. Cursor allows writing in-workspace files with no user approval in

security
Aug 4, 2025

Cursor, a code editor designed for AI-assisted programming, has a vulnerability in versions before 1.3.9 where it can write files to a workspace without asking the user for permission. An attacker can exploit this by using prompt injection (tricking the AI by hiding instructions in its input) combined with this flaw to modify editor configuration files and achieve RCE (remote code execution, where an attacker can run commands on a system they don't own) without the user's knowledge.

Fix: Update Cursor to version 1.3.9 or later, where this vulnerability is fixed.

NVD/CVE Database
10

Differential Privacy in Practice: Lessons Learned From 10 Years of Real-World Applications

security, privacy
Aug 4, 2025

Differential privacy (DP, a mathematical technique that adds controlled randomness to data to protect individual privacy while keeping the data useful) is a widely used method for protecting sensitive information, but putting it into practice in real-world systems has proven difficult. Researchers analyzed 21 actual deployments of differential privacy by major companies and institutions over the last ten years to understand what works and what doesn't.

IEEE Xplore (Security & AI Journals)