Security vulnerabilities, privacy incidents, safety concerns, and policy updates affecting LLMs and AI agents.
The Terraform WinDNS Provider (a tool for managing Windows DNS servers through Terraform, an infrastructure automation tool) had a security flaw before version 1.0.5 where the `windns_record` resource didn't properly validate user input, allowing authenticated command injection (an attack where malicious commands are sneaked into legitimate input to execute unauthorized code in the underlying PowerShell command prompt). This vulnerability only affects users who already have authentication access to the system.
Fix: Update to version 1.0.5, which contains a fix for the issue.
NVD/CVE DatabaseA vulnerability (CVE-2025-4287) was found in PyTorch 2.6.0+cu124 in a function that handles GPU communication, which can be exploited to cause a denial of service (making a system or service stop working) by someone with local access to the computer. The vulnerability has been publicly disclosed and rated as medium severity.
Retrieval-based-Voice-Conversion-WebUI (a framework for changing voices using AI) in version 2.2.231006 and earlier has a critical vulnerability where user input is passed unsafely to a function that loads model files using torch.load (a Python tool that can execute code from files). An attacker could exploit this by providing a malicious model file path, leading to RCE (remote code execution, where an attacker can run commands on the system).
Retrieval-based-Voice-Conversion-WebUI, a voice changing framework, has a vulnerability in versions 2.2.231006 and earlier where user input (like a file path) is passed directly to torch.load (a function that reads model files). This unsafe deserialization (loading untrusted data that could contain malicious code) allows attackers to execute arbitrary commands on the system running the software.
Retrieval-based-Voice-Conversion-WebUI is a voice changing tool that has a security flaw in versions 2.2.231006 and earlier. The vulnerability allows unsafe deserialization (loading untrusted data that could contain malicious code) when the program takes user input for a model file path and loads it using torch.load, which could let attackers run arbitrary code on the system.
Retrieval-based-Voice-Conversion-WebUI, a voice changing tool, has a vulnerability in versions 2.2.231006 and earlier where unsafe deserialization (loading data in a way that can execute malicious code) allows attackers to run code remotely. The problem occurs because the software takes user input for model file paths and loads them using torch.load without proper safety checks, enabling RCE (remote code execution, where attackers can run commands on the affected system).
Retrieval-based-Voice-Conversion-WebUI, a voice-changing tool, has a vulnerability in versions 2.2.231006 and earlier where user input for model file paths is passed unsafely to torch.load (a function that loads saved AI models). This unsafe deserialization (loading data from untrusted sources without checking it first) can allow attackers to run arbitrary code on the system.
Retrieval-based-Voice-Conversion-WebUI, a voice-changing framework, has a critical vulnerability in versions 2.2.231006 and earlier where unsafe deserialization (loading data from untrusted sources without checking it first) can occur. An attacker can exploit this by providing a malicious file path that gets loaded using torch.load, which can lead to RCE (remote code execution, where an attacker runs commands on a system they don't own).
Retrieval-based-Voice-Conversion-WebUI, a voice changing tool based on VITS (a voice synthesis model), has a vulnerability in versions 2.2.231006 and earlier where user-supplied file paths are loaded directly using torch.load (a function that can execute code when loading files), allowing attackers to run arbitrary code on the system. This happens because the ckpt_path1 variable accepts untrusted input and passes it unsafely to a model-loading function.
CVE-2025-46567 is a critical vulnerability in LLaMA-Factory (a tool for fine-tuning large language models) that exists before version 1.0.0. The vulnerability is in the `llamafy_baichuan2.py` script, which unsafely loads user-supplied files using `torch.load()` (a function that deserializes, or reconstructs, Python objects from saved data), allowing attackers to execute arbitrary commands by crafting a malicious file.
vLLM (a system for running large language models efficiently) versions 0.8.0 through 0.8.4 have a critical performance bug in how it processes multimodal input (text, images, audio). The bug uses an inefficient algorithm (quadratic time complexity, meaning it slows down exponentially as input size grows) when replacing placeholder tokens (special markers like <|audio_|> that get expanded into repeated tokens), which allows attackers to crash or freeze the system by sending specially crafted malicious inputs.
vLLM (a system for running AI models efficiently) versions 0.6.5 through 0.8.4 have a critical vulnerability when using mooncake integration. Attackers can execute arbitrary code remotely because the system uses pickle (an unsafe method for converting data into a format that can be transmitted) over unencrypted ZeroMQ sockets (communication channels) that listen to all network connections, making them easily accessible from the internet.
vLLM versions 0.5.2 through 0.8.4 have a security vulnerability in multi-node deployments where a ZeroMQ socket (a tool for sending messages between different computers) is left open to all network interfaces. An attacker with network access can connect to this socket to see internal vLLM data or deliberately slow down the system by connecting repeatedly without reading the data, causing a denial of service (making the system unavailable or very slow).
A ReDoS vulnerability (regular expression denial of service, where specially crafted text causes a regex to consume excessive CPU by repeatedly backtracking) was found in the huggingface/transformers library version 4.48.1, specifically in the GPT-NeoX-Japanese model's tokenizer. An attacker could exploit this by sending malicious input that causes the application to hang or crash due to high CPU usage.
PyTorch (a Python package for machine learning computations) versions 2.5.1 and earlier contain a remote code execution (RCE, where an attacker can run commands on a system they don't own) vulnerability when loading models with the torch.load function set to weights_only=True. The vulnerability stems from insecure deserialization (converting data back into executable code without checking if it's safe), which allows attackers to execute arbitrary commands remotely.
Rasa Pro is a framework for building conversational AI assistants that use large language models. A vulnerability was found where voice connectors (tools that receive audio input) did not properly check user authentication even when security tokens were configured, allowing attackers to send voice data to the system without permission.
PyTorch 2.6.0 contains a vulnerability in the torch.nn.functional.ctc_loss function (a component used for speech recognition tasks) that can cause denial of service (making the system unavailable). The vulnerability requires local access to exploit and has been publicly disclosed, though its actual existence is still uncertain.
A critical vulnerability (CVE-2025-3677) was found in lm-sys FastChat version 0.2.36 and earlier in the file apply_delta.py. The flaw involves deserialization (converting data back into code or objects, which can be dangerous if the data comes from an untrusted source) and can only be exploited by someone with local access to the affected system.
Mattermost (a team communication platform) versions 10.4.2 and earlier, 10.5.0 and earlier, and 9.11.9 and earlier don't properly block which websites their built-in AI tool can contact. This allows logged-in users to use prompt injection (tricking the AI by hiding instructions in their input) to steal data from servers that the Mattermost system can access.
In Aidex versions before 1.7, a logged-in attacker could exploit an open registry to run unauthorized commands on the system through prompt injection attacks (tricking the AI by hiding malicious instructions in user input) via the chat message endpoint. This allowed them to execute operating system commands, access databases, and invoke framework functions.
Fix: Apply the patch identified as commit 5827d2061dcb4acd05ac5f8e65d8693a481ba0f5, which is recommended to fix this issue.
NVD/CVE DatabaseFix: This issue has been patched in version 1.0.0. Users should upgrade to version 1.0.0 or later. A patch is available at: https://github.com/hiyouga/LLaMA-Factory/commit/2989d39239d2f46e584c1e1180ba46b9768afb2a
NVD/CVE DatabaseFix: This issue has been patched in version 0.8.5.
NVD/CVE DatabaseFix: Update to vLLM version 0.8.5 or later, which has patched this vulnerability.
NVD/CVE DatabaseFix: This issue has been patched in version 0.8.5. Update vLLM to version 0.8.5 or later.
NVD/CVE DatabaseFix: This issue has been patched in version 2.6.0. Users should upgrade PyTorch to version 2.6.0 or later.
NVD/CVE DatabaseFix: This issue has been patched in versions 3.9.20, 3.10.19, 3.11.7 and 3.12.6 for the audiocodes, audiocodes_stream, and genesys connectors. Update Rasa Pro to one of these versions or later.
NVD/CVE DatabaseFix: Apply patch 46fc5d8e360127361211cb237d5f9eef0223e567. The project's security policy also recommends avoiding unknown models, which could have malicious effects.
NVD/CVE DatabaseFix: Update to Aidex version 1.7 or later.
NVD/CVE Database