Security vulnerabilities, privacy incidents, safety concerns, and policy updates affecting LLMs and AI agents.
A vulnerability exists in the GraphCypherQAChain class of langchain-ai/langchainjs versions 0.2.5 that allows prompt injection (tricking an AI by hiding instructions in its input), which can lead to SQL injection (inserting malicious database commands). This vulnerability could allow attackers to manipulate data, steal sensitive information, delete data to cause service outages, or breach security in systems serving multiple users.
CVE-2024-48142 is a prompt injection vulnerability (a technique where attackers hide malicious instructions in text sent to an AI) in Monica ChatGPT AI Assistant v2.4.0 that lets attackers steal all chat messages between a user and the AI through a specially crafted message.
A prompt injection vulnerability (tricking an AI by hiding instructions in its input) was found in Monica Your AI Copilot v6.3.0, a ChatGPT-powered browser extension. Attackers can exploit this flaw by sending a specially crafted message to access and steal all chat data between the user and the AI assistant, both from past conversations and future ones.
CVE-2024-48145 is a prompt injection vulnerability (a type of attack where malicious instructions are hidden in text input to an AI system) in Netangular Technologies ChatNet AI Version v1.0 that allows attackers to steal all chat data between users and the AI by sending a specially crafted message. The vulnerability is classified under CWE-77 (improper neutralization of special elements used in commands), meaning the system fails to properly filter dangerous input before processing it.
CVE-2024-48144 is a prompt injection vulnerability (tricking an AI by hiding instructions in its input) in Fusion Chat Chat AI Assistant Ask Me Anything v1.2.4.0 that allows attackers to craft a malicious message in the chatbox to steal all previous and future conversations between the user and the AI assistant. The vulnerability is caused by improper handling of special elements in user input (CWE-77, a weakness in command injection prevention).
CVE-2024-48141 is a prompt injection vulnerability (a technique where an attacker hides malicious instructions in text sent to an AI) in Zhipu AI CodeGeeX version 2.17.0's chatbox. An attacker can craft a message to trick the AI into leaking all previous and future chat conversations between the user and the assistant.
CVE-2024-48139 is a prompt injection vulnerability (a technique where attackers hide malicious instructions in messages sent to an AI) in Blackbox AI version 1.3.95 that allows attackers to steal all chat messages between a user and the AI by sending a specially crafted message. This vulnerability is classified as a command injection flaw (where attackers manipulate input to execute unintended commands).
Cursor is a code editor that uses AI to help with programming. Before September 27, 2024, attackers could trick Cursor's command generation feature into running harmful commands if a user imported a malicious website into the prompt and the attacker used prompt injection (hidden instructions in text that manipulate AI behavior) on that website. A server-side patch was released quickly to block dangerous characters, and Cursor version 0.42 added client-side protections and a new preview box setting that requires manual approval before commands run.
CVE-2024-49361 is a vulnerability in ACON, a machine learning library that performs adaptive correlation optimization. The vulnerability exists in how ACON validates input data, which could allow an attacker to bypass these checks and execute arbitrary code (run commands they shouldn't be able to run) on systems using ACON. Machine learning applications that accept user-provided data are at the highest risk, especially those running on production servers (live systems serving real users).
Gradio, an open-source Python package for building user interfaces, has a cross-site scripting vulnerability (XSS, where malicious code hidden in files runs in users' browsers) that affects servers allowing file uploads. Attackers can upload harmful HTML, JavaScript, or SVG files that execute when other users view or download them, potentially stealing data or compromising accounts.
Gradio, an open-source Python package for building demos, has a vulnerability where the connection between the FRP client and server (fast reverse proxy, a tool that exposes local applications to the internet) isn't encrypted when the `share=True` option is used. This means attackers can intercept and read files uploaded to the server or modify data being sent, putting sensitive information at risk for users sharing Gradio demos publicly online.
Gradio, an open-source Python package for building AI demos, has a race condition (a bug where two operations interfere with each other due to timing) in its configuration function that lets attackers change the backend URL. This could redirect users to a fake server to steal login credentials or uploaded files, especially affecting Gradio servers accessible over the internet.
Gradio, an open-source Python package for building prototypes, has a timing attack vulnerability (a security flaw where an attacker measures how long the system takes to respond to guess different values) in its analytics dashboard hash comparison. An attacker could exploit this by sending many requests and timing the responses to gradually figure out the correct hash and gain unauthorized access to the dashboard.
CVE-2024-47868 is a data validation vulnerability (a flaw in how input data is checked) in Gradio, an open-source Python package for building AI demos. Attackers can exploit certain Gradio components by sending specially crafted requests that bypass input checks, allowing them to read and download sensitive files from a server that shouldn't be accessible. This risk is especially high for components that handle file data, like DownloadButton, Audio, ImageEditor, Chatbot, and others.
Gradio, an open-source Python package for prototyping, has a vulnerability where it downloads an FRP client (a tool for secure data tunneling) without checking if the file has been tampered with. An attacker who controls the download server could replace the legitimate FRP client with malicious code, and Gradio wouldn't detect this because it doesn't verify the file's checksum (a unique fingerprint) or signature (a digital seal of authenticity).
Gradio, an open-source Python package for building AI interfaces quickly, has a vulnerability where the enable_monitoring flag doesn't actually disable monitoring as intended. Even when a developer sets enable_monitoring=False to turn off monitoring, an attacker can still access sensitive analytics by directly requesting the /monitoring endpoint (a specific web address). This puts applications at risk of exposing data that was supposed to be hidden.
Gradio, an open-source Python package for building AI demos, has a vulnerability called SSRF (server-side request forgery, where an attacker tricks a server into making requests to URLs the attacker chooses) in its `/queue/join` endpoint. Attackers can exploit this to force the Gradio server to request internal or local network addresses, potentially stealing data or uploading malicious files, especially affecting applications using the Video component. Users should upgrade to Gradio version 5 or later to fix this issue.
Gradio, an open-source Python package for building quick demos, has a vulnerability called path traversal (a method where attackers manipulate file paths to access files outside their intended directory) in its `/custom_component` endpoint. Attackers can exploit this to read and leak source code from custom Gradio components, potentially exposing sensitive code that developers wanted to keep private, particularly affecting those hosting custom components on public servers.
Gradio, an open-source Python package for building AI demos, has a vulnerability where it incorrectly accepts requests from sources with a null origin (a security boundary used by web browsers). This happens because the `localhost_aliases` variable includes "null" as a valid CORS origin (cross-origin resource sharing, which controls what websites can access a server). Attackers could exploit this to steal sensitive data like login tokens or uploaded files from local Gradio deployments.
Gradio, an open-source Python package for building AI demos, has a vulnerability in its directory traversal check function that can be bypassed using special file path sequences (like `..` which means "go up one folder"). This could allow attackers to access files they shouldn't be able to reach, especially when uploading files, though exploiting it is difficult.
Fix: A server-side patch released on September 27, 2024 prevents newlines or control characters from being streamed back. Cursor 0.42 includes client-side mitigations that block newlines or control characters from entering the terminal directly. Users can enable the setting `"cursor.terminal.usePreviewBox"` and set it to `true` to stream responses into a preview box that must be manually accepted before inserting into the terminal. The patch is applied server-side, so no additional action is needed on older versions. Additionally, Cursor's maintainers recommend only including trusted context in prompts as a best practice.
NVD/CVE DatabaseFix: Upgrade to gradio>=5. As a workaround, restrict uploads to non-executable file types (like images or text) and implement server-side validation to sanitize or reject HTML, JavaScript, and SVG files before they are stored or displayed to users.
NVD/CVE DatabaseFix: Users should upgrade to `gradio>=5` to fix this issue. As an alternative, users can avoid using `share=True` in production environments and instead host their Gradio applications on servers with HTTPS enabled (a secure protocol that encrypts communication) to ensure safe data transmission.
NVD/CVE DatabaseFix: Upgrade to gradio>=5 (version 5 or newer). The source notes there are no known workarounds for this issue.
NVD/CVE DatabaseFix: Upgrade to gradio>4.44. Alternatively, before upgrading, developers can manually patch the analytics_dashboard to use a constant-time comparison function (a method that takes the same amount of time regardless of whether the input is correct) for comparing sensitive values like hashes, or disable access to the analytics dashboard entirely.
NVD/CVE DatabaseFix: This issue has been resolved in gradio>5.0. Upgrading to the latest version will mitigate this vulnerability. There are no known workarounds for this vulnerability.
NVD/CVE DatabaseFix: There is no direct workaround without upgrading. Users can manually validate the integrity of the downloaded FRP client by implementing checksum or signature verification in their own environment to ensure the binary hasn't been tampered with.
NVD/CVE DatabaseFix: Users are advised to upgrade to gradio>=4.44 to address this issue.
NVD/CVE DatabaseFix: Upgrade to `gradio>=5`. As a workaround, disable or heavily restrict URL-based inputs to trusted domains only, implement allowlist-based URL validation (where only pre-approved URLs are accepted), and ensure that local or internal network addresses cannot be requested via the `/queue/join` endpoint.
NVD/CVE DatabaseFix: Users should upgrade to `gradio>=4.44`. As a workaround, developers can sanitize file paths and ensure that components are not stored in publicly accessible directories.
NVD/CVE DatabaseFix: Users are advised to upgrade to gradio>=5.0. As a workaround, users can manually modify the `localhost_aliases` list in their local Gradio deployment to exclude "null" as a valid origin, which will prevent the Gradio server from accepting requests from sandboxed iframes or sources with a null origin.
NVD/CVE DatabaseFix: Upgrade to `gradio>=5.0` to address this issue. As a workaround, manually sanitize and normalize file paths in your Gradio deployment before passing them to the `is_in_or_equal` function, ensuring all file paths are properly resolved as absolute paths (complete paths starting from the root) to mitigate the bypass vulnerabilities.
NVD/CVE Database