aisecwatch.com
DashboardVulnerabilitiesNewsResearchArchiveStatsDatasetFor devs
Subscribe
aisecwatch.com

Real-time AI security monitoring. Tracking AI-related vulnerabilities, safety and security incidents, privacy risks, research developments, and policy changes.

Navigation

VulnerabilitiesNewsResearchDigest ArchiveNewsletter ArchiveSubscribeData SourcesStatisticsDatasetAPIIntegrationsWidgetRSS Feed

Maintained by

Truong (Jack) Luu

Information Systems Researcher

Browse All

All tracked items across vulnerabilities, news, research, incidents, and regulatory updates.

to
Export CSV
6518 items

CVE-2025-38334: In the Linux kernel, the following vulnerability has been resolved: x86/sgx: Prevent attempts to reclaim poisoned pages

mediumvulnerability
security
Jul 10, 2025
CVE-2025-38334

A vulnerability in the Linux kernel's SGX (Software Guard Extensions, a CPU feature that creates isolated execution areas) allows the system to attempt reclaiming memory pages that are already poisoned (marked as corrupted due to hardware errors). When the kernel tries to reclaim these poisoned pages using special CPU instructions like EWB (encrypt and write back), it can trigger machine check errors that crash the system, because SGX instructions cannot safely handle these hardware errors.

Fix: Call sgx_unmark_page_reclaimable() to remove the affected EPC (Enclave Page Cache) page from sgx_active_page_list when a memory error is detected. This prevents the corrupted page from being considered for reclaiming and stops the system from attempting dangerous operations on it.

NVD/CVE Database

Unless users take action, Android will let Gemini access third-party apps

mediumnews
safetypolicy

CVE-2025-53536: Roo Code is an AI-powered autonomous coding agent. Prior to 3.22.6, if the victim had "Write" auto-approved, an attacker

highvulnerability
security
Jul 7, 2025
CVE-2025-53536

Roo Code is an AI tool that can write code automatically. Before version 3.22.6, if a user had auto-approved write permissions, an attacker could send prompts to the agent that would modify VS Code settings files (configuration files that control how the editor works) and run malicious code on the user's computer. For example, an attacker could change a PHP validation setting to point to a harmful command, then create a PHP file to execute it.

CVE-2025-3777: Hugging Face Transformers versions up to 4.49.0 are affected by an improper input validation vulnerability in the `image

highvulnerability
security
Jul 7, 2025
CVE-2025-3777

Hugging Face Transformers versions up to 4.49.0 have a vulnerability in the `image_utils.py` file where URL validation (checking if a URL starts with certain text) can be tricked through URL username injection (adding fake credentials to a URL). Attackers can create fake URLs that look like they're from YouTube but actually point to malicious sites, risking phishing attacks, malware, or stolen data.

CVE-2025-3264: A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, sp

highvulnerability
security
Jul 7, 2025
CVE-2025-3264

A ReDoS vulnerability (regular expression denial of service, where specially crafted text causes a regex pattern to consume excessive CPU) was found in Hugging Face Transformers library version 4.49.0, specifically in code that filters Python try/except blocks. Attackers could exploit this to crash or slow down systems using the library, potentially disrupting model serving or supply chain processes.

CVE-2025-3263: A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, sp

highvulnerability
security
Jul 7, 2025
CVE-2025-3263

A ReDoS vulnerability (regular expression denial of service, where specially crafted input causes a program to use excessive CPU by making the regex engine work inefficiently) was found in the Hugging Face Transformers library version 4.49.0, specifically in a function that reads configuration files. An attacker could send malicious input to make the application slow down or crash by exhausting its computing resources.

CVE-2025-3262: A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the huggingface/transformers repository,

highvulnerability
security
Jul 7, 2025
CVE-2025-3262

A ReDoS vulnerability (regular expression denial of service, where inefficient pattern matching causes a system to slow down or crash) was found in the Hugging Face Transformers library version 4.49.0. The problem is in a regex pattern called `SETTING_RE` that uses inefficient repetition, causing it to take exponentially longer when processing specially crafted input strings, which can make the application unresponsive or crash.

CVE-2025-45809: BerriAI litellm v1.65.4 was discovered to contain a SQL injection vulnerability via the /key/block endpoint.

mediumvulnerability
security
Jul 3, 2025
CVE-2025-45809

BerriAI litellm version 1.65.4 contains a SQL injection vulnerability (a type of attack where malicious SQL code is inserted into user inputs to manipulate database queries) in the /key/block endpoint. This weakness allows attackers to potentially access or modify database contents through this vulnerable endpoint.

AI Safety Newsletter #58: Senate Removes State AI Regulation Moratorium

inforegulatory
policy
Jul 3, 2025

The U.S. Senate voted 99-1 to remove a provision from a Republican bill that would have prevented states from regulating AI if they wanted to receive federal broadband expansion funds. The provision was weakened by Senate rules that limited it to only $500 million in new funding rather than $42.45 billion in total broadband funds, making it less likely states would comply even if it had passed.

CVE-2025-34072: A data exfiltration vulnerability exists in Anthropic’s deprecated Slack Model Context Protocol (MCP) Server via automat

highvulnerability
security
Jul 2, 2025
CVE-2025-34072

A vulnerability exists in Anthropic's deprecated Slack MCP Server (Model Context Protocol Server, a tool that lets AI agents interact with Slack) that allows attackers to steal sensitive data. When an AI agent processes untrusted input, an attacker can trick it into creating messages with malicious links that, when Slack's link preview bots automatically expand them, secretly send private data to the attacker's server without requiring any user action.

CVE-2025-53107: @cyanheads/git-mcp-server is an MCP server designed to interact with Git repositories. Prior to version 2.1.5, there is

highvulnerability
security
Jul 1, 2025
CVE-2025-53107

The @cyanheads/git-mcp-server (an MCP server, or a tool that lets AI systems interact with Git repositories) has a command injection vulnerability (a flaw where attackers can sneak extra system commands into input) in versions before 2.1.5. Because the server doesn't check user input before running system commands, attackers can execute arbitrary code on the server, or trick an AI client into running unwanted actions through indirect prompt injection (hiding malicious instructions in data the AI reads).

CVE-2025-6297: It was discovered that dpkg-deb does not properly sanitize directory permissions when extracting a control member into a

highvulnerability
security
Jul 1, 2025
CVE-2025-6297

dpkg-deb (a tool that extracts and manages Debian package files) fails to properly set permissions on temporary directories when unpacking package contents, potentially leaving temporary files behind. If an attacker repeatedly sends malicious packages or uses highly compressible files placed in directories that can't be deleted by regular users, this could fill up the disk and cause a denial of service (DoS, a situation where a system becomes unusable due to resource exhaustion).

CyberRisk Alliance and OWASP Join Forces to Advance Application Security and AI Education Across the Cyber Ecosystem

inforesearchIndustry
security

CVE-2025-6855: A vulnerability, which was classified as critical, has been found in chatchat-space Langchain-Chatchat up to 0.3.1. This

mediumvulnerability
security
Jun 29, 2025
CVE-2025-6855

CVE-2025-6855 is a critical vulnerability in Langchain-Chatchat (a tool built on LLMs) up to version 0.3.1 that allows path traversal (accessing files outside the intended directory) through manipulation of a parameter called 'flag' in the /v1/file endpoint. The vulnerability has been publicly disclosed and could potentially be exploited.

CVE-2025-6854: A vulnerability classified as problematic was found in chatchat-space Langchain-Chatchat up to 0.3.1. This vulnerability

mediumvulnerability
security
Jun 29, 2025
CVE-2025-6854

CVE-2025-6854 is a path traversal vulnerability (a flaw that lets attackers access files outside intended directories) in Langchain-Chatchat software versions up to 0.3.1, specifically in a file upload endpoint. The vulnerability can be exploited remotely by attackers with login credentials and has already been publicly disclosed.

CVE-2025-6853: A vulnerability classified as critical has been found in chatchat-space Langchain-Chatchat up to 0.3.1. This affects the

mediumvulnerability
security
Jun 29, 2025
CVE-2025-6853

CVE-2025-6853 is a critical vulnerability in Langchain-Chatchat version 0.3.1 and earlier that allows attackers to exploit a path traversal (a type of attack where an attacker manipulates file paths to access files outside their intended directory) flaw in the upload_temp_docs backend function by manipulating the flag argument. The vulnerability can be exploited remotely by users with basic access permissions, and the exploit details have been publicly disclosed.

CVE-2025-53098: Roo Code is an AI-powered autonomous coding agent. The project-specific MCP configuration for the Roo Code agent is stor

highvulnerability
security
Jun 27, 2025
CVE-2025-53098

Roo Code is an AI tool that can automatically write code, and it stores settings in a `.roo/mcp.json` file that can execute commands. Before version 3.20.3, an attacker who could trick the AI (through prompt injection, a technique where hidden instructions are embedded in user input) into writing malicious commands to this file could run arbitrary code if the user had enabled automatic approval of file changes. This required multiple conditions: the attacker could submit prompts to the agent, the MCP (model context protocol, a system for connecting AI agents to external tools) feature was enabled, and auto-approval of writes was turned on.

CVE-2025-53097: Roo Code is an AI-powered autonomous coding agent. Prior to version 3.20.3, there was an issue where the Roo Code agent'

mediumvulnerability
security
Jun 27, 2025
CVE-2025-53097

Roo Code, an AI agent that writes code automatically, had a vulnerability (CVE-2025-53097) in versions before 3.20.3 where its file search tool ignored settings that should have blocked it from reading files outside the VS Code workspace (the folder a user is working in). An attacker could use prompt injection (tricking the AI by hiding instructions in its input) to make the agent read sensitive files and send that information over the network without user permission, though this attack required the attacker to already control what prompts the agent receives.

CVE-2025-53002: LLaMA-Factory is a tuning library for large language models. A remote code execution vulnerability was discovered in LLa

highvulnerability
security
Jun 26, 2025
CVE-2025-53002

LLaMA-Factory, a library for training large language models, has a remote code execution vulnerability (RCE, where attackers can run malicious code on a victim's computer) in versions up to 0.9.3. Attackers can exploit this by uploading a malicious checkpoint file through the web interface, and the victim won't know they've been compromised because the vulnerable code loads files without proper safety checks.

CVE-2025-52573: iOS Simulator MCP Server (ios-simulator-mcp) is a Model Context Protocol (MCP) server for interacting with iOS simulator

mediumvulnerability
security
Jun 26, 2025
CVE-2025-52573

iOS Simulator MCP Server (ios-simulator-mcp) versions before 1.3.3 have a command injection vulnerability (a security flaw where attackers insert shell commands into input that gets executed). The vulnerability exists because the `ui_tap` tool uses Node.js's `exec` function unsafely, allowing an attacker to trick an LLM through prompt injection (feeding hidden instructions to an AI to make it behave differently) to pass shell metacharacters like `;` or `&&` in parameters, which can execute unintended commands on the server's computer.

Previous256 / 326Next
Jul 7, 2025

Google is automatically enabling its Gemini AI to access third-party apps like WhatsApp on Android devices, overriding previous user settings that blocked such access. Users who want to prevent this must take action, though Google's guidance on how to fully disable Gemini integrations is unclear and confusing, with the company stating that even when Gemini access is blocked, data is still stored for 72 hours.

Fix: According to a Tuta researcher cited in the article, disabling Gemini app activity is likely to prevent data collection beyond the 72-hour temporary storage period. Additionally, if the Gemini app is not already installed on a device, it will not be installed after the change takes effect.

Ars Technica (Security)

Fix: Update Roo Code to version 3.22.6 or later, where this vulnerability is fixed.

NVD/CVE Database

Fix: The issue is fixed in version 4.52.1. Update Hugging Face Transformers to version 4.52.1 or later.

NVD/CVE Database

Fix: Update to version 4.51.0, where the vulnerability is fixed.

NVD/CVE Database

Fix: Update to version 4.51.0, where the issue is resolved.

NVD/CVE Database

Fix: Update to version 4.51.0 or later, where the issue is fixed.

NVD/CVE Database
NVD/CVE Database
CAIS AI Safety Newsletter
NVD/CVE Database

Fix: Update to version 2.1.5, where this issue has been patched.

NVD/CVE Database
NVD/CVE Database
policy
Jun 30, 2025

CyberRisk Alliance and OWASP (Open Worldwide Application Security Project, a non-profit focused on improving software security) announced a partnership to advance education in application security (protecting software from attacks) and AI security. The collaboration will involve creating shared content, hosting events, and conducting research initiatives together.

OWASP GenAI Security
NVD/CVE Database
NVD/CVE Database
NVD/CVE Database

Fix: Version 3.20.3 fixes the issue by adding an additional layer of opt-in configuration for auto-approving writing to Roo's configuration files, including all files within the `.roo/` folder.

NVD/CVE Database

Fix: Upgrade to version 3.20.3 or later. According to the source, "Version 3.20.3 fixed the issue where `search_files` did not respect the setting to limit it to the workspace."

NVD/CVE Database

Fix: Update to version 0.9.4, which contains a fix for the issue.

NVD/CVE Database

Fix: Update to version 1.3.3, which contains a patch for the issue.

NVD/CVE Database