Security vulnerabilities, privacy incidents, safety concerns, and policy updates affecting LLMs and AI agents.
NextChat, a user interface for ChatGPT and Gemini, has a Server-Side Request Forgery vulnerability (SSRF, a flaw that lets attackers trick the server into making requests to unintended destinations) in its WebDav API endpoint because the `endpoint` parameter is not validated. An attacker could use this to make unauthorized HTTPS requests from the vulnerable server or inject malicious JavaScript code into users' browsers.
Fix: This vulnerability has been patched in version 2.12.4. Users should update to this version or later.
NVD/CVE DatabaseCVE-2024-5826 is a remote code execution vulnerability in the vanna-ai/vanna library's `vanna.ask` function, caused by prompt injection (tricking an AI by hiding instructions in its input) without code sandboxing. An attacker can manipulate the code executed by the `exec` function to gain full control of the app's backend server.
A CSRF vulnerability (cross-site request forgery, where an attacker tricks a user's browser into making unwanted requests on their behalf) exists in the 'Servers Configurations' function of parisneo/lollms-webui versions 9.6 and later, affecting services like XTTS and vLLM that lack CSRF protection. Attackers can exploit this to deceive users into installing unwanted packages without their knowledge or consent.
Gradio (a popular framework for building AI interfaces) has a vulnerability called an open redirect, which means attackers can trick the application into sending users to fake websites by exploiting improper URL validation. This can be used for phishing attacks (tricking people into revealing passwords), XSS (cross-site scripting, where attackers inject malicious code into web pages), and other exploits.
DeepJavaLibrary (DJL), a framework for building deep learning applications in Java, has a path traversal vulnerability (CWE-22, a flaw where an attacker can access files outside intended directories) in versions 0.1.0 through 0.27.0. This flaw allows attackers to overwrite system files by inserting archived files from absolute paths into the system.
A security vulnerability in LangChain Experimental (a Python library for building AI applications) before version 0.0.61 allows users to access a Python REPL (read-eval-print loop, an interactive environment where code can be run directly) without requiring explicit permission. This issue happened because a previous attempt to fix a related vulnerability (CVE-2024-27444) was incomplete.
CVE-2024-0103 is a vulnerability in NVIDIA Triton Inference Server for Linux where incorrect initialization of resources caused by network issues could allow a user to disclose sensitive information. The vulnerability has a CVSS 4.0 severity rating, which measures the seriousness of security flaws on a scale of 0-10.
CVE-2024-0095 is a vulnerability in NVIDIA Triton Inference Server (software that runs AI models) for Linux and Windows that allows users to inject fake log entries and commands, potentially leading to code execution (running unauthorized programs), denial of service (making the system unavailable), privilege escalation (gaining higher access rights), information disclosure (exposing sensitive data), and data tampering (modifying information). The vulnerability stems from improper neutralization of log output, meaning the system doesn't properly sanitize or clean user input before adding it to logs.
Langflow versions up to 0.6.19 have a vulnerability that allows remote code execution (RCE, where attackers can run commands on a system they don't own) if untrusted users can access a specific API endpoint called POST /api/v1/custom_component and submit Python code through it. The vulnerability stems from code injection (CWE-94, where malicious code is inserted into a program), which happens because the application does not properly control how user-provided Python scripts are executed.
A vulnerability in the ONNX framework (version 1.16.0) allows attackers to overwrite any file on a system by uploading a malicious tar file (a compressed archive format) with specially crafted paths. Because the vulnerable function doesn't check whether file paths are safe before extracting the tar file, attackers could potentially execute malicious code, delete important files, or compromise system security.
BerriAI's litellm has a vulnerability (CVE-2024-4888) where the `/audio/transcriptions` endpoint improperly validates user input, allowing attackers to delete arbitrary files on the server without authorization. The flaw occurs because the code uses `os.remove()` (a function that deletes files) directly on user-supplied file paths, potentially exposing sensitive files like SSH keys or databases.
The gaizhenbiao/chuanhuchatgpt application has a path traversal vulnerability (a flaw that lets attackers access files outside their allowed directory) because it uses an outdated version of gradio (a library for building AI interfaces). This vulnerability allows attackers to bypass security restrictions and read sensitive files like `config.json` that contain API keys (secret credentials for accessing services).
MLflow version 2.11.1 has a vulnerability where attackers can create multiple models with the same name by using URL encoding (a technique that converts special characters into a format safe for web addresses). This allows attackers to cause denial of service (making a service unavailable) or data poisoning (inserting corrupted or malicious data), where an authenticated user might accidentally use a fake model instead of the real one because the system treats URL-encoded and regular names as different.
A Server-Side Request Forgery vulnerability (SSRF, a flaw that lets attackers trick a server into making requests to unintended targets) exists in langchain version 0.1.5's Web Research Retriever component, which fails to block requests to local network addresses. This allows attackers to scan ports, access local services, read cloud metadata, and potentially execute arbitrary code (run commands on a system they don't own) by exploiting internal APIs.
MLflow version 8.2.1 has a command injection vulnerability (a flaw where attackers can execute arbitrary commands by inserting malicious code into a system command) in its HTTP dataset loading function. When loading datasets, the software doesn't properly clean up filenames from URLs, allowing attackers to write files anywhere on the system and potentially run harmful commands.
PyTorch Lightning version 2.2.1 has a critical vulnerability where attackers can execute arbitrary code on self-hosted applications by crafting malicious serialized data (deepdiff.Delta objects, which are used to represent changes to data). The vulnerability exists because the application doesn't properly block access to dunder attributes (special Python attributes starting with underscores), allowing attackers to bypass security restrictions and modify the application's state.
Gradio version 4.25 has a local file inclusion vulnerability (a security flaw where attackers can read files they shouldn't access) in its JSON component. The problem occurs because the `postprocess()` function doesn't properly validate user input before parsing it as JSON, and if the JSON contains a `path` key, the system automatically moves that file to a temporary directory where attackers can retrieve it using the `/file=..` endpoint.
Fix: Upgrade to DJL version 0.28.0 or patch to DJL Large Model Inference containers version 0.27.0.
NVD/CVE DatabaseFix: Update langchain_experimental to version 0.0.61 or later. A patch is available in the commit ce0b0f22a175139df8f41cdcfb4d2af411112009 and the version comparison between 0.0.60 and 0.0.61 shows the fix.
NVD/CVE DatabaseA vulnerability in scikit-learn's TfidfVectorizer (a tool that converts text into numerical data for machine learning) stored all words from training data in an attribute called `stop_words_`, instead of just the necessary ones, potentially leaking sensitive information like passwords or keys. The vulnerability affected versions up to 1.4.1.post1 but the risk depends on what type of data is being processed.
Fix: Fixed in version 1.5.0.
NVD/CVE DatabaseFix: A fixed version of chuanhuchatgpt was released on 20240305 (March 5, 2024). Users should upgrade to this version or later to resolve the vulnerability.
NVD/CVE DatabaseA Local File Inclusion vulnerability (LFI, a flaw that lets attackers read files they shouldn't access) was found in MLflow version 2.9.2. The bug exists because the application doesn't properly check the fragment part of web addresses (the section after the '#' symbol) for directory traversal sequences like '../', which allow attackers to navigate folders and read sensitive files like system password files.
Fix: The vulnerability was fixed in version 2.11.3.
NVD/CVE DatabaseFix: The issue is fixed in version 2.9.0.
NVD/CVE DatabaseA Server-Side Request Forgery vulnerability (SSRF, where a server can be tricked into making requests to unintended locations) exists in Gradio version 4.21.0 in the `/queue/join` endpoint and `save_url_to_cache` function. The vulnerability occurs because user-supplied URL input is not properly validated before being used to make HTTP requests, allowing attackers to access internal networks or sensitive cloud server information.