AI Sec Watch

Applio, a voice conversion tool, has a vulnerability in versions 3.2.8-bugfix and earlier where it unsafely deserializes (reconstructs objects from stored data without validation) user-supplied model files using `torch.load`, which could allow attackers to run arbitrary code on the affected system.

Applio, a voice conversion tool, has a vulnerability in versions 3.2.8-bugfix and earlier where it unsafely deserializes (converts untrusted data back into objects) user-supplied model files using `torch.load`, potentially allowing attackers to run arbitrary code on affected systems.

CVE-2025-29783 is a remote code execution vulnerability in vLLM (a software engine for running large language models efficiently) that occurs when it is configured with Mooncake, a distributed system component. Attackers can exploit unsafe deserialization (the process of converting stored data back into usable objects) exposed over ZMQ/TCP (network communication protocols) to run arbitrary code on any connected systems in a distributed setup.

vLLM, a system for running large language models efficiently, uses the outlines library to support structured output (guidance on what format the AI's answer should follow). The outlines library stores compiled grammar rules in a cache on the hard drive, which is turned on by default. A malicious user can send many requests with different output formats, filling up this cache and causing the system to run out of disk space, making it unavailable to others (a denial of service attack). This problem affects only the V0 engine version of vLLM.

SmartOS, a hypervisor (virtualization software that manages virtual machines) used in Triton Data Center and other products, contains static host SSH keys (unchanging cryptographic credentials for remote access) in a specific Debian 12 LX zone image from July 2024. This means multiple systems could potentially share the same SSH keys, allowing unauthorized remote access if someone obtains these keys.

Researchers have discovered advanced data smuggling techniques using invisible Unicode characters (invisible text that computers can process but humans cannot see) to hide information in LLM inputs and outputs. The technique, called Sneaky Bits, can encode any character or sequence of bytes using only two invisible characters, building on earlier methods that used Unicode Tags and Variant Selectors to inject hidden instructions into AI systems.

Keras, a machine learning library, has a vulnerability in its Model.load_model function that allows attackers to run arbitrary code (code injection, where an attacker makes a program execute unintended commands) even when safety features are enabled. An attacker can create a malicious .keras file (a special archive format) and modify its config.json file to specify malicious Python code that runs when the model is loaded.

A vulnerability (CVE-2025-2149) was found in PyTorch 2.6.0+cu124 in the Quantized Sigmoid Module's nnq_Sigmoid function, where improper initialization (failing to set up values correctly) occurs when certain parameters are manipulated. The vulnerability requires local access (attacking from the same machine) and is difficult to exploit, with a low severity rating.

A critical vulnerability (CVE-2025-2148) was found in PyTorch 2.6.0+cu124 in a function called torch.ops.profiler._call_end_callbacks_on_jit_fut that handles tuples (groups of related data). When the function receives a None argument (a placeholder for "no value"), it causes memory corruption (where data stored in memory gets damaged or overwritten), and the attack can be launched remotely. However, the exploit is difficult to carry out and requires user interaction.