aisecwatch.com

Real-time AI security monitoring. Tracking AI-related vulnerabilities, safety and security incidents, privacy risks, research developments, and policy changes.


Maintained by

Truong (Jack) Luu

Information Systems Researcher

AI Sec Watch

The security intelligence platform for AI teams

AI security threats move fast and get buried under hype and noise. Built by an Information Systems Security researcher to help security teams and developers stay ahead of vulnerabilities, privacy incidents, safety research, and policy developments.

Independent research. No sponsors, no paywalls, no conflicts of interest.

Total tracked: 3,710
Last 24h: 1
Last 7d: 1

Daily Briefing: Saturday, May 16, 2026

No new AI/LLM security issues were identified today.

Latest Intel

01

When an Attacker Meets a Group of Agents: Navigating Amazon Bedrock's Multi-Agent Applications

security, research
Apr 3, 2026

This research examines how attackers could exploit Amazon Bedrock's multi-agent systems (groups of specialized AI agents working together) through prompt injection (tricking an AI by hiding malicious instructions in user input), potentially discovering agent instructions and executing unauthorized tool actions. The study found no vulnerabilities in Bedrock itself, but highlighted a broader LLM challenge: these systems cannot reliably distinguish between legitimate developer instructions and adversarial user input. The research was conducted ethically on owned systems in collaboration with Amazon's security team.

Fix: Enabling Bedrock's built-in prompt attack Guardrail stopped the demonstrated attacks. Additionally, Amazon confirmed that Bedrock's pre-processing stages and Guardrails effectively block these attacks when properly configured.

Palo Alto Unit 42
02

GHSA-jjhc-v7c2-5hh6: LiteLLM: Authentication bypass via OIDC userinfo cache key collision

security
Apr 3, 2026

LiteLLM had a security flaw where JWT authentication (a method to verify user identity using encoded tokens) could be bypassed through a cache key collision. When JWT authentication was enabled, the system used only the first 20 characters of a token as a cache key. Those characters encode the JWT header, which is identical for all tokens produced with the same signing algorithm, so an attacker could craft a token whose prefix matched a legitimate user's cached token and gain that user's permissions. The flaw only affects deployments with JWT/OIDC authentication explicitly enabled, which is not the default configuration.

Fix: Fixed in v1.83.0, where the cache key now uses the full hash of the JWT token instead of just the first 20 characters. Alternatively, disable OIDC userinfo caching by setting the cache TTL to 0, or disable JWT authentication entirely.

GitHub Advisory Database
03

GHSA-53mr-6c8q-9789: LiteLLM: Privilege escalation via unrestricted proxy configuration endpoint

security
Apr 3, 2026

LiteLLM had a security flaw where an authenticated user could access a configuration endpoint (`/config/update`) without needing admin permissions, allowing them to modify settings, run malicious code, read files, or take over admin accounts. The vulnerability affected any user who already had login access to the system.

Fix: Fixed in v1.83.0. The endpoint now requires `proxy_admin` role. As a temporary workaround, restrict API key distribution, though there is no configuration-level workaround available.

GitHub Advisory Database
04

GHSA-3jr7-6hqp-x679: Mesop: Unbounded Thread Creation in WebSocket Handler Leads to Denial of Service

security
Apr 3, 2026

Mesop, a web framework, has a vulnerability in its WebSocket (a protocol for real-time two-way communication between client and server) handler where it creates a new operating system thread for every incoming message without any limits. An attacker can send thousands of messages rapidly, exhausting the server's thread capacity and causing an Out of Memory error that crashes the application for all users.

Fix: The source text recommends four mitigation strategies: (1) Use a bounded thread pool (such as ThreadPoolExecutor with max_workers), (2) Introduce per-connection rate limiting, (3) Implement a message queue with backpressure (preventing queue overflow by slowing down senders), or (4) Consider migrating to an async event loop model instead of spawning OS threads. No specific patch version or code fix is provided.

GitHub Advisory Database
05

GHSA-pq5c-rjhq-qp7p: vLLM: Denial of Service via Unbounded Frame Count in video/jpeg Base64 Processing

security
Apr 3, 2026

vLLM's `VideoMediaIO.load_base64()` method has a vulnerability where it processes `video/jpeg` data URLs (a vLLM-specific format for sending multiple JPEG frames) without limiting how many frames can be included. An attacker can send thousands of comma-separated base64-encoded JPEG frames in a single API request, causing the server to decode all of them into memory at once and crash with an out-of-memory (OOM) error.

GitHub Advisory Database
06

GHSA-pf3h-qjgv-vcpr: vLLM: Server-Side Request Forgery (SSRF) in `download_bytes_from_url`

security
Apr 3, 2026

vLLM (a language model serving framework) has a Server-Side Request Forgery vulnerability (SSRF, where an attacker tricks a server into making requests to unintended targets) in its batch processing feature. An attacker who can submit batch input JSON can make the vLLM server send arbitrary HTTP requests to any URL, including internal services like cloud metadata endpoints, because the `download_bytes_from_url` function has no restrictions on which domains or IP addresses it will contact.

GitHub Advisory Database
07

Meta Pauses Work With Mercor After Data Breach Puts AI Industry Secrets at Risk

security, privacy
Apr 3, 2026

Meta and other AI labs paused work with Mercor, a company that hires contractors to generate training data for AI models, after a security breach exposed proprietary datasets that could reveal competitive secrets to rivals. The breach occurred through a compromised version of LiteLLM (an API tool: software that lets different programs communicate with each other), likely by a hacking group called TeamPCP, affecting thousands of organizations and potentially exposing hundreds of gigabytes of Mercor's confidential data.

Wired (Security)
08

v0.14.20

security
Apr 3, 2026

LlamaIndex version 0.14.20 includes multiple updates across its callback and core modules, with a primary focus on fixing a vulnerability in NLTK (a natural language processing library that helps AI systems understand and work with human language). The release also updates various dependencies and fixes minor bugs in code formatting and syntax.

Fix: Update to version 0.14.20, which includes the fix for the NLTK vulnerability across all affected modules (llama-index-agent-agentmesh, llama-index-callbacks-agentops, llama-index-callbacks-aim, and others).

LlamaIndex Security Releases
09

Security lapse lets researchers view React2Shell hackers’ dashboard

security, privacy
Apr 3, 2026

A threat group called UAT-10608 is exploiting React2Shell (CVE-2025-55182, a pre-authentication remote code execution vulnerability in Next.js applications), a flaw that was patched four months ago, to steal credentials and tokens from unpatched servers at scale. Researchers discovered the attackers' exposed web dashboard, which revealed they had successfully compromised 766 hosts in 24 hours and stolen credentials from major services like AWS, Azure, OpenAI, GitHub, and others. The vulnerability allows attackers to send malicious code payloads to server endpoints without authentication, triggering arbitrary code execution that deploys credential-harvesting tools.

Fix: A fix was issued four months ago. Additionally, the source states that 'victims and service providers with exposed and at-risk credentials, including AWS and GitHub, are being notified,' and IT professionals should 'act quickly' to patch React servers in their environment before credentials are stolen.

CSO Online
10

CVE-2026-0545: In mlflow/mlflow, the FastAPI job endpoints under `/ajax-api/3.0/jobs/*` are not protected by authentication or authoriz

security
Apr 3, 2026

MLflow (an open-source machine learning platform) has a vulnerability where certain API endpoints under `/ajax-api/3.0/jobs/*` skip authentication checks (verification of who you are) even when basic-auth protection is enabled. If job execution is turned on, attackers can submit, run, read, and cancel jobs without logging in, potentially leading to remote code execution (running malicious commands on the server) or causing denial of service attacks (making the system unavailable).

NVD/CVE Database