All tracked items across vulnerabilities, news, research, incidents, and regulatory updates.
vLLM (a system for running large language models) versions 0.10.2 through 0.12.x lack proper validation of sparse tensors (data structures with mostly empty values) when processing multimodal embeddings (numerical representations combining text and images). An attacker can send malicious embedding requests with invalid tensor indices to crash the system, exhaust resources, or potentially corrupt memory if the prompt-embeds feature is enabled.
vLLM versions 0.6.3 through 0.9.0 contain ReDoS (regular expression denial of service, where specially crafted text causes regex patterns to consume excessive CPU time) vulnerabilities in several components including the LoRA utility parser, phi4mini tool parser, and OpenAI chat endpoint. An attacker can send malicious input with nested or repeated structures to trigger severe CPU consumption and make the service unavailable.
North Korean hackers from the Sapphire Sleet group compromised an npm maintainer account (a person's credentials for publishing packages to npm, a JavaScript library repository) and used it to publish malicious updates to over 140 packages, injecting a fake dependency called "easy-day-js" that stole credentials, API keys, and cryptocurrency wallet information from developers' computers. The malware used a post-install hook (code that runs automatically when a package is installed) to download and execute additional harmful software, with different persistence techniques for Windows, Linux, and macOS systems.
Lloyds Banking Group is hiring 300 tech experts to work on agentic AI (autonomous artificial intelligence models that can plan and execute tasks with minimal human oversight) by September. While this hiring increases the bank's workforce now, the article notes that broader adoption of AI in the future could potentially lead to job cuts.
A vulnerability in pydantic-settings' `NestedSecretsSettingsSource` (a feature that reads secret values from files in a directory) allows attackers to read files outside the configured secrets directory by creating symbolic links (shortcuts that point to other locations on the system). The same flaw also bypasses `secrets_dir_max_size`, a size limit meant to prevent loading excessively large files. This can happen when `secrets_nested_subdir=True` is enabled and an attacker can add symbolic links to the secrets directory.
The LangSmith SDK's `TracingMiddleware` (a component that tracks and logs AI application activity) has a vulnerability that allows attackers to read arbitrary files from a server's local storage and upload them to LangSmith. The attack exploits two bugs: missing validation of data from tracing headers (CWE-346, a type of injection attack) and a type-checking failure that should have blocked file access (CWE-843). Once files are uploaded, anyone with read access to the LangSmith workspace can view the stolen contents.
The `web_url_read` tool in mcp-searxng has a security flaw called SSRF (server-side request forgery, where an attacker tricks a server into making requests to internal systems). The vulnerability exists because the code checks if a hostname looks private by comparing text strings, but it doesn't actually resolve the hostname using DNS (the system that translates domain names to IP addresses). An attacker can use a domain that resolves to an internal IP address to bypass this check and access sensitive data from internal services.
The SearXNG MCP Server's `web_url_read` tool has a vulnerability where it enforces a 5 MiB (megabyte) response size limit only by checking the `Content-Length` header in an initial HEAD request. When a server doesn't include this header, the size check fails and the tool loads the entire response into memory without any limit, allowing an attacker to force the server to consume unlimited memory and CPU, causing a denial of service (DoS, a situation where a system becomes unavailable).
The `EnvironmentManager.restore()` function in Network-AI 5.12.1 is vulnerable to path traversal (a technique where an attacker uses sequences like `../` to access files outside the intended directory). An attacker can pass a malicious backup ID to copy arbitrary files from anywhere on the system into the environment's data folder, potentially exposing sensitive information or breaking environment isolation.
Network-AI versions up to 5.12.1 have a vulnerability in the `EnvironmentManager.backup()` function where it follows symlinks (shortcuts to other directories) when collecting files to back up. An attacker who can create a symlink in the environment data directory can trick the backup process into copying files from outside the intended environment root directory, potentially exposing sensitive information in backup artifacts.
Network-AI's AgentRuntime sandbox uses a flawed string-prefix check to keep file access within a configured base directory, but the check is too broad. A sandbox at `/tmp/network-ai-sandbox` also matches the sibling directory `/tmp/network-ai-sandbox_evil`, allowing agents to read or list files outside the intended sandbox boundary. This vulnerability affects Network-AI version 5.12.1 and has a medium severity CVSS score (a 0-10 rating of how severe a vulnerability is).
Network-AI versions up to 5.12.1 have a vulnerability where the backup pruning feature trusts the `path` field from backup manifest files stored on disk without validating it. An attacker who can write to the backup manifest file can trick the `pruneBackups()` function into recursively deleting arbitrary files or directories on the system that the Network-AI process has access to, potentially causing data loss.
Langflow's file-reading components (like Read File and Docling) have a vulnerability where attackers can use symlinks (shortcuts that point to other files) hidden inside compressed files to read any file on the system, potentially stealing secret keys and executing arbitrary code. An attacker could steal the JWT token secret (used for authentication), forge login tokens for any user, and then run malicious code through the Python Interpreter node.
An attacker can crash Langflow (an AI application framework) by sending a specially crafted file upload request with an extremely long multipart form boundary (a delimiter used in form data) without needing to log in, making the server unusable for all users indefinitely. The vulnerability exists because the server tries to process the malformed data before checking if the user is authenticated.
Langflow's logout button fails to properly clear user sessions, leaving authentication tokens (access_token_lf and refresh_token_lf) in the browser's storage, so the previous user remains logged in until someone else logs in explicitly. This happens because the logout endpoint doesn't delete cookies with the same security settings they were created with, and the frontend doesn't clear stored tokens either. On shared computers, users may incorrectly think they've logged out when they haven't.
A reporter at The Atlantic discovered four publicly available datasets containing millions of songs (totaling between 100,000 and 12 million tracks each) that are being used to train AI models. These datasets have been downloaded thousands of times, and companies like Google and Stability have confirmed using them in their research, raising questions about how music is used in AI training without always crediting or compensating artists.
A speculative thought experiment called 'Europe 2031' imagines a future where Europe falls behind economically because the US and China invested heavily in AI datacenters (facilities housing the computer chips that power AI systems) and automation while Europe did not, leading to economic collapse and political instability. The scenario, which went viral among policymakers and EU officials, was created by Brussels-based thinktankers to warn Europe about the risks of falling behind in AI development and to highlight a communication gap between European policymakers and the US tech industry where most AI is being built.
SALT is a watermarking technique for diffusion models (AI systems that generate images by gradually removing noise from random data) that uses semantic guidance and adaptive latent space truncation to embed hidden ownership marks. The method aims to protect diffusion models from unauthorized use while maintaining the quality of generated images. This research addresses the need for better ownership verification and copyright protection in generative AI systems.
The U.S. White House ordered Anthropic to restrict exports of its AI models Fable and Mythos, citing national security concerns after a South Korean telecom (suspected of China ties) gained access and Amazon researchers found a workaround to Fable's safeguards. The action is the first major test of whether export controls can contain advanced AI the way the government has attempted, with mixed success, to control encryption and spyware technologies.
Fix: Upgrade the Python SDK to version >= 0.8.18. As a temporary workaround until upgrading, do not expose `TracingMiddleware` to untrusted HTTP traffic and limit workspace trace-read access to trusted members only.
GitHub Advisory DatabaseFix: The source recommends modifying `src/url-reader.ts` to perform DNS resolution inside the `assertUrlAllowed()` function before fetching. Specifically: import `lookup` from `node:dns/promises`, make `assertUrlAllowed()` async, and add code to resolve the hostname and check if any of the resolved IP addresses are private before allowing the request. All calls to `assertUrlAllowed()` must be updated to `await` the now-async function.
GitHub Advisory DatabaseFix: Replace both `response.text()` calls with a streaming reader that aborts once the byte counter exceeds `maxContentLengthBytes`. The source text states: 'Replace both `response.text()` calls with a streaming reader that aborts once the byte counter exceeds `maxContentLengthBytes`' but does not provide the specific code implementation.
GitHub Advisory DatabaseFix: Fixed in v5.12.2. Install with: `npm install network-ai@5.12.2`. The patched version now validates backup IDs against `/^[\w\-]+$/` (allowing only letters, numbers, underscores, and hyphens) and confirms that the resolved backup path stays within the `.backups/` directory before accessing the filesystem.
GitHub Advisory DatabaseFix: Fixed in v5.12.2. Install with `npm install network-ai@5.12.2`. The patch changes `_collectBackupFiles()` to use `lstatSync` instead of `statSync` and skips any entries where `isSymbolicLink()` is true, preventing the backup function from following symlinks outside the environment root.
GitHub Advisory DatabaseThe `ApprovalInbox` HTTP server in network-ai (version 5.11.0 and earlier) has no authentication and allows cross-origin requests (CORS, a mechanism that controls which websites can access a server). This means anyone who can reach the server—whether through the same computer, a website you visit in your browser, or a network connection—can view pending approvals and approve them without permission, bypassing the human-in-the-loop control (a safety check requiring a person to review high-risk actions before they run). This defeats protections meant to prevent the AI from executing dangerous operations like shell commands without consent.
Fix: Fixed in v5.12.2 (commit a59c13a). Users should upgrade to this version or later.
GitHub Advisory DatabaseFix: Fixed in v5.12.2. Install by running `npm install network-ai@5.12.2`. The patched version no longer uses the untrusted `entry.path` from the manifest file for deletion. Instead, it recomputes the deletion path from a validated `entry.backupId` and adds a containment check to ensure deletion only occurs within the backups directory.
GitHub Advisory DatabaseFix: Upgrade to Langflow version 1.9.2 or later. The fix modifies the `BaseFileComponent._unpack_bundle` function to reject symlinks, hardlinks, and other non-regular file entries during TAR extraction, and adds additional symlink filtering during directory recursion and after extraction.
GitHub Advisory DatabaseFix: Upgrade to version 1.0.19 or later. The fix adds a `check_boundary` HTTP middleware that validates the multipart boundary using the pattern `^[\w\-]{1,70}$` and rejects malformed requests with HTTP 422 before the body is parsed. The upload endpoint also now requires authentication checks (`get_current_active_user`) and returns HTTP 403 if the user doesn't own the flow.
GitHub Advisory DatabaseFix: Upgrade to Langflow version 1.7.0 or later. The fix (PRs #10527 and #10528) ensures the logout endpoint deletes authentication cookies using the same parameters (httponly, samesite, secure, domain) they were created with, and the frontend now clears auth cookies on logout.
GitHub Advisory Database