AI Sec Watch

Langroid, a Python framework for building AI applications, has a vulnerability in versions before 0.53.15 where the `LanceDocChatAgent` component uses pandas eval() (a function that executes Python code stored in strings) in an unsafe way, allowing attackers to run malicious commands on the host system. The vulnerability exists in the `compute_from_docs()` function, which processes user queries without proper protection.

Langroid, a Python framework for building LLM-powered applications, had a code injection vulnerability (CWE-94, a flaw where untrusted input can be executed as code) in its `TableChatAgent` component before version 0.53.15 because it used `pandas eval()` without proper safeguards. This could allow attackers to run arbitrary code if the application accepted untrusted user input.

The Trump Administration cancelled the Biden-era AI Diffusion Rule, which had regulated exports of AI chips and AI models (software trained to perform tasks) to different countries. At the same time, the administration approved major sales of advanced AI chips to the UAE and Saudi Arabia, with deals including up to 500,000 chips per year to the UAE and 18,000 advanced chips to Saudi Arabia.

ChatGPT through March 30, 2025, renders SVG documents (scalable vector graphics, a type of image format) directly in web browsers instead of displaying them as plain text, which allows attackers to inject HTML (the code that structures web pages) and potentially trick users through phishing attacks.

A vulnerability in the `preprocess_string()` function of the huggingface/transformers library (version v4.48.3) allows a ReDoS attack (regular expression denial of service, where a poorly written pattern causes the computer to do exponential amounts of work). An attacker can send specially crafted input with many newline characters that makes the function use excessive CPU, potentially crashing the application.

CVE-2025-1975 is a vulnerability in Ollama server version 0.5.11 that allows an attacker to crash the server through a Denial of Service attack by sending specially crafted requests to the /api/pull endpoint (the function that downloads AI models). The vulnerability stems from improper validation of array index access (CWE-129, which means the program doesn't properly check if it's trying to access memory locations that don't exist), which happens when a malicious user customizes manifest content and spoofs a service.

CVE-2025-4701 is a vulnerability in VITA-MLLM Freeze-Omni (versions up to 20250421) where improper input validation in the torch.load function of models/utils.py allows deserialization (converting data back into executable code) of untrusted data through a manipulated file path argument. This vulnerability has a CVSS score (a 0-10 rating of how severe a vulnerability is) of 4.8 (medium severity) and can be exploited locally by users with basic privileges.

The article argues that using multiple specialized AI security models (each designed to detect specific threats like prompt injection, toxicity, or PII detection) is more effective than using a single large model for all security tasks. Specialized models offer advantages including faster response times to new threats, easier management, better performance, lower costs, and greater resilience because if one model fails, the others can still provide protection.

OpenAI announced a restructured plan in May 2025 that aims to preserve nonprofit control over the company's for-profit operations, replacing a December 2024 proposal that had faced criticism. The new plan would convert OpenAI Global LLC into a public-benefit corporation (PBC, a corporate structure designed to balance profit with charitable purpose) where the nonprofit would retain shareholder status and board appointment power, though critics argue this may not preserve the governance safeguards that existed in the original structure.