AI & LLM Vulnerabilities

Twenty, an open-source CRM platform, had a vulnerability before version 2.9.0 where authenticated users could access other workspaces' AI agent data through IDOR (insecure direct object reference, a flaw where the system doesn't verify that requested data belongs to the user). Attackers with access to a workspace could view other users' chat histories, tool calls, and outputs by knowing their agent or turn IDs, which were visible in the settings page URL.

A vulnerability in Firebase Studio (Google's backend service for building apps) allowed authenticated users to access and download source code and list storage buckets belonging to other users' projects. The vulnerability has already been fixed and deployed to the backend service.

Warp is an agentic development environment (a tool that helps developers write code with AI assistance) that contained a command injection vulnerability (a flaw where specially crafted input can trick a system into running unintended commands) in its branch selector feature. An attacker who could publish a malicious Git branch name to a repository could cause that branch name to be executed as a shell command (instructions sent directly to the operating system) when a victim selected it from Warp's user interface.

Docling is a tool that reads different document formats and connects them to AI systems. Versions 2.13.0 through 2.74.0 had a security flaw in how they read USPTO patent XML files (XML, a format for storing structured data): they didn't protect against XXE attacks (XML External Entity attacks, where specially crafted files trick the parser into reading files from the server or making unwanted network requests). An attacker could use this flaw to steal files, perform SSRF attacks (server-side request forgery, making the server request data it shouldn't), or crash the system.

Docling is a tool that processes documents in different formats and connects with AI systems. Before version 2.91.0, it had a security flaw where it downloaded AI models (EasyOCR) and extracted compressed files (ZIP archives) without checking if the file paths were safe, allowing a Zip Slip attack (a technique where specially crafted archive files extract to unintended locations). If an attacker could intercept or compromise the model download, they could write malicious files anywhere on the system, potentially taking complete control of it.

Docling is a tool that processes different document formats and connects them to AI systems. In versions 2.82.0 through 2.90.0, if HTML rendering was turned on, an attacker could create malicious HTML documents that run unauthorized JavaScript code or access internal network services, potentially leading to SSRF attacks (where the server makes unintended requests to internal systems), data theft, or RCE (remote code execution, where attackers run commands on a system they don't own).

Anthropic Claude Desktop has a security flaw in versions v1.1348.0 through v1.2278.0 where it boots a VM (virtual machine, a simulated computer) without checking that the root filesystem image hasn't been tampered with. An attacker with basic access to a user's Mac can modify this image file, and the software will trust and run the modified version on the next boot, giving the attacker persistent control inside the VM and access to files shared with the host computer.

rtk is a tool that filters and compresses command outputs before sending them to an LLM (large language model). Before version 0.42.2, rtk's permission splitter (the part that checks if commands are allowed) failed to properly detect certain shell constructs (special syntax that Bash uses to execute commands), allowing attackers to hide unauthorized commands behind allowed ones like "git". This meant dangerous commands could run without user approval.

Daytona is a platform for running code created by AI systems in a secure way. Before version 0.185.0, it had a flaw where a user who owned any organization could change or delete roles (permission sets) from a completely different organization if they knew the role's ID, because the system didn't properly verify that the role belonged to the organization being modified.

Daytona is a platform for running code created by AI in a secure, isolated environment (sandbox). In versions 0.101.0 through 0.184.0, when sandbox previews were changed from public to private, they could still be accessed without a password for a short time because the system's cached record of who could see the sandbox was not updated.

Daytona is a platform for running code created by AI in a secure way. Before version 0.184.0, there was a security flaw where someone could accept organization invitations without verifying their email address, potentially allowing an attacker to join an organization with high-level permissions by using a fake email account.