AI Sec Watch

The Trump administration asked OpenAI to delay the full release of GPT-5.6 (a large language model, which is an AI system trained on vast amounts of text) over security concerns. Instead of a public release, OpenAI will first offer the model in limited preview form to only a small group of business customers, with the federal government approving each customer's access individually.

Cursor, a code editor that uses AI to help with programming, had a security flaw in versions before 3.0 where its sandbox protection (a restricted environment that limits what programs can do) could be bypassed. An AI agent could create a symlink (a shortcut that points to a different location) inside the workspace to trick the editor into writing files outside the workspace without user approval, potentially allowing an attacker to run code with full system access.

Cursor is a code editor that uses AI to help with programming. Before version 3.0, Cursor had a security flaw where an AI agent could trick the sandbox (a restricted environment that limits what code can do) into allowing file writes to sensitive locations outside the workspace, potentially letting malicious code run with full user permissions without any protection.

The opentelemetry_sdk library had a vulnerability where it didn't check size limits before processing baggage headers (metadata passed between services in distributed tracing, which is used in observability and monitoring). An attacker could send extremely large headers that would waste CPU and memory while being parsed, even though they'd eventually be rejected, potentially causing a denial-of-service attack (making a service unavailable by overwhelming it with resource requests).

The langgraph-sdk (a Python library for making HTTP requests to LangGraph services) had a vulnerability where it directly inserted user-supplied identifier values into URLs without encoding them. This meant special characters in identifiers could change which resource was accessed, potentially allowing users to access, modify, or delete resources they shouldn't have permission to change, especially in systems that check permissions based on the URL path. The vulnerability only affects applications that pass unvalidated user input directly to SDK methods.

LangGraph's `JsonPlusSerializer` (a tool that converts JSON data back into Python objects) has a vulnerability where checkpoint files (saved states of an AI workflow) stored insecurely could be modified by attackers and cause arbitrary code execution (running attacker-chosen commands) when the checkpoint is loaded. This risk only applies if someone gains unauthorized write access to where checkpoints are stored, but the concern is converting that storage access into full control of the running application.

This academic survey article examines agentic AI in healthcare, which refers to AI systems that can independently plan and execute tasks to accomplish goals. The article discusses both the potential benefits of using such AI systems in medical settings and the technical, ethical, and practical obstacles that need to be addressed. The survey provides an overview of current research directions for developing safer and more effective autonomous AI agents in healthcare applications.

ToolJet is an open-source platform for building internal tools and AI agents. Before version 3.20.178-lts, any authenticated user with a builder role could inject malicious JavaScript code into shared marketplace plugins, allowing them to execute commands on the server with full Node.js access (the ability to run any code the server can run). This malicious code would run whenever anyone on the system used that compromised plugin, compromising the entire ToolJet deployment.

ToolJet, an open-source platform for building internal tools and AI agents, has an SSRF vulnerability (server-side request forgery, where an attacker tricks the server into making unintended HTTP requests) in versions before 3.20.178-lts. The RestAPI data source component only checks hostnames but not the actual IP addresses they resolve to, allowing attackers to use specially crafted domain names like 169.254.169.254.nip.io to reach Azure IMDS (Azure Instance Metadata Service, which stores sensitive cloud credentials) and steal authentication tokens for production systems.