AI & LLM Vulnerabilities

PraisonAI has a security vulnerability where unauthenticated users can read any file on the system through multiple handlers like `workflow.show`, `workflow.validate`, and `deploy.validate`. The problem exists because these file-handling tools don't validate or restrict file paths before reading them, and the dispatcher that calls these tools doesn't enforce security checks on incoming requests.

PraisonAI versions up to 4.6.37 contain a critical vulnerability where two functions in `agents_generator.py` use `spec.loader.exec_module` (a method that loads and runs Python code from a file) without any security checks or validation. An attacker can exploit this by providing a malicious Python file path through YAML configuration, either by modifying shared config files, submitting a crafted recipe via GitHub, or using prompt injection (tricking the AI into loading code from a malicious path), resulting in arbitrary code execution (the ability to run any commands on the system).

vLLM version 0.14.1 has a security flaw where a setting called `trust_remote_code` is permanently turned on in two model files, even when users try to turn it off. This allows RCE (remote code execution, where attackers can run harmful code on your computer) through malicious models downloaded from HuggingFace, a popular model repository. This is a partial fix attempt for two earlier vulnerabilities that didn't fully solve the problem.

LMDeploy, a model serving tool, hardcodes `trust_remote_code=True` (a setting that allows executing custom Python code from downloaded models) when loading models from HuggingFace. An attacker who can control which model path the system loads could point it to a malicious model repository, causing arbitrary code execution (running any commands they want) with the privileges of the LMDeploy server process. This affects LMDeploy version 0.12.3 and earlier.

The `diffusers` package has a TOCTOU (time-of-check-time-of-use, where a security check happens at one moment but the actual data used comes from a different moment) vulnerability in its `DiffusionPipeline.from_pretrained` function that loads models from HuggingFace Hub. An attacker can bypass the `trust_remote_code` security check by updating a repository between two separate download calls, allowing arbitrary code to execute without the user explicitly approving it.

SQLBot is a Text-to-SQL system (software that converts natural language questions into database queries) that uses large language models and RAG (retrieval-augmented generation, where the AI pulls in external documents to answer questions). Before version 1.8.0, it had an IDOR vulnerability (insecure direct object reference, where an attacker can access resources belonging to other users by manipulating request parameters), allowing attackers to access and modify database schemas and data from other workspaces or organizations.

The snorkel library up to version 0.10.0 has a vulnerability in its Trainer.load() method that unsafely deserializes (converts saved data back into objects) model files using torch.load() without security protections. An attacker can craft a malicious model file that executes arbitrary code (RCE, remote code execution) when a user loads it with this method.

FastGPT, an AI platform for building AI agents, has a vulnerability in versions 4.14.11 and earlier where its isInternalAddress() function fails to block access to cloud metadata endpoints (services that store sensitive system information). Attackers can bypass the blocklist using URL encoding techniques (methods to disguise URLs), and because a security check is disabled by default, the metadata endpoint remains accessible without additional protection.

Open WebUI version 0.1.105 has an authorization flaw where users with a 'pending' status (the default for new sign-ups) can still receive authentication tokens (JWT, a standardized way to prove identity in web requests) and make API calls meant only for approved users, bypassing the authorization check (the system that verifies what actions a user is allowed to perform) that is only enforced on the website interface, not in the backend API itself.

Diffusers, a popular AI library, had a security flaw where the `trust_remote_code` parameter (a safety check to prevent running untrusted code) could be bypassed in three ways when loading models with `DiffusionPipeline.from_pretrained()`. An attacker could execute arbitrary code on a user's machine even when the user explicitly set `trust_remote_code=False` or left it at its default safe setting. The vulnerability affected users loading custom pipelines (external code) or local model snapshots (saved model files).

The Diffusers library has a vulnerability where arbitrary code can be silently executed when loading a pipeline from HuggingFace Hub, bypassing the `trust_remote_code` security check. An attacker can craft a repository with custom code in a Python file that gets automatically executed during `DiffusionPipeline.from_pretrained()` without requiring the `trust_remote_code=True` parameter or any visible warning, allowing remote code execution (RCE, where an attacker runs commands on a system they don't own).

Keras has a critical vulnerability in its model loader (KerasFileEditor) that allows attackers to cause a Denial of Service (DoS, where a system becomes unusable) by uploading malicious .keras files. An attacker can craft a small .keras file (100-400 KB) that declares an extremely large dataset shape in its HDF5 weight file (a binary format for storing weights in neural networks), but stores only a few bytes of actual data. When Keras loads this file, it attempts to allocate petabytes of RAM based on the declared shape, immediately crashing the system and killing any applications processing the model.