CVE-2025-62608

GHSA-w6vg-jg77-2qg6 CRITICAL
Published November 21, 2025
CISO Take

MLX, Apple's ML framework for Apple Silicon, has a critical heap buffer overflow triggered by malicious NumPy .npy files — no authentication or user interaction required. Any team using MLX to load externally-sourced datasets or model weights on Apple hardware is exposed to heap memory disclosure and potential RCE. Patch to 0.29.4 immediately and audit pipelines that ingest .npy files from untrusted sources.

Affected Systems

Package   Ecosystem   Vulnerable Range   Patched
mlx       pip         <= 0.29.3          0.29.4
mlx       pip                            No patch

Severity & Risk

CVSS 3.1: 9.1 / 10
EPSS: 0.1% chance of exploitation in 30 days
KEV Status: Not in KEV
Sophistication: Moderate

Recommended Action

  1. PATCH: Upgrade mlx to >= 0.29.4 via pip immediately — this is a one-line fix with no breaking changes.
  2. INVENTORY: Identify all systems running MLX (pip list | grep mlx on Apple Silicon endpoints and CI runners).
  3. INPUT VALIDATION: Implement file origin controls — reject .npy files not sourced from trusted, internal artifact registries; add hash verification for dataset files.
  4. ISOLATION: Run MLX data loading in sandboxed processes where possible; restrict access to sensitive memory (credentials, keys) in processes that handle external .npy files.
  5. DETECTION: Monitor for abnormal crashes in mlx processes, unexpected heap access violations in ML workloads, and unusual .npy file sources in pipeline logs.
  6. CI/CD: Add MLX version pinning checks to CI pipelines to prevent regression to vulnerable versions.
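Steps 1, 3 and 6 above can be enforced in one pre-load gate placed in front of every mlx.load() call in a pipeline. The following is an added example written for this advisory, not MLX project code: it pins the installed mlx version to the fixed release, verifies each dataset file's SHA-256 against a manifest of trusted files, and parses the .npy preamble with explicit bounds checks so that a file whose declared header or payload size does not match the bytes present is rejected before the native loader ever sees it. The manifest layout, the function names, and the sample files built in memory are assumptions of this example; the .npy layout checks follow NumPy's published format description.

```python
"""Pre-load gate for NumPy .npy files handed to mlx.load().

Added example, not MLX project code. It covers three of the advisory's
recommended steps: the mlx version pin, SHA-256 verification against a
manifest of trusted dataset files, and a bounds-checked parse of the .npy
preamble. Manifest layout and function names are assumptions.
"""
import ast
import hashlib
import math
import re
import struct

PATCHED_VERSION = (0, 29, 4)     # advisory: fixed in mlx 0.29.4
NPY_MAGIC = b"\x93NUMPY"
# Array-protocol type strings whose trailing number is the item size in bytes.
SIMPLE_DESCR = re.compile(r"^[<>|=]?[biufcS](\d+)$")


def parse_version(text):
    """'0.29.3' -> (0, 29, 3); pre-release tags such as 'rc1' are ignored."""
    parts = []
    for piece in text.split(".")[:3]:
        match = re.match(r"\d+", piece)
        parts.append(int(match.group()) if match else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def mlx_is_patched(installed_version):
    """True when the installed mlx is at or beyond the fixed release."""
    return parse_version(installed_version) >= PATCHED_VERSION


def check_npy_header(data):
    """Return (ok, reason). Every offset is checked against len(data) before use."""
    if len(data) < 8 or data[:6] != NPY_MAGIC:
        return False, "missing or truncated .npy magic"
    major = data[6]
    if major == 1:
        fmt, width = "<H", 2            # format 1.0: uint16 header length
    elif major in (2, 3):
        fmt, width = "<I", 4            # formats 2.0/3.0: uint32 header length
    else:
        return False, "unsupported .npy format version %d" % major
    preamble = 8 + width
    if len(data) < preamble:
        return False, "truncated header-length field"
    header_len = struct.unpack(fmt, data[8:preamble])[0]
    if preamble + header_len > len(data):
        return False, "declared header length exceeds file size"
    header = data[preamble:preamble + header_len]
    if not header.endswith(b"\n"):
        return False, "header not newline-terminated"
    try:
        meta = ast.literal_eval(header.decode("utf-8" if major == 3 else "ascii"))
    except (UnicodeDecodeError, ValueError, SyntaxError):
        return False, "header dictionary does not parse"
    if not isinstance(meta, dict) or set(meta) != {"descr", "fortran_order", "shape"}:
        return False, "header dictionary has unexpected keys"
    # For simple dtypes the payload must be exactly descr itemsize * prod(shape).
    match = SIMPLE_DESCR.match(str(meta["descr"]))
    shape = meta["shape"]
    if match and isinstance(shape, tuple) and all(isinstance(d, int) and d >= 0 for d in shape):
        expected = math.prod(shape) * int(match.group(1))
        if len(data) - preamble - header_len != expected:
            return False, "payload size does not match descr*shape"
    return True, "ok"


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def gate_npy(name, data, manifest, installed_mlx_version):
    """Decide whether `data` (a .npy file called `name`) may be passed to mlx.load()."""
    if not mlx_is_patched(installed_mlx_version):
        return False, "mlx %s is vulnerable; upgrade to >= 0.29.4" % installed_mlx_version
    expected = manifest.get(name)
    if expected is None:
        return False, "%s is not in the trusted manifest" % name
    if sha256_hex(data) != expected:
        return False, "%s hash mismatch" % name
    return check_npy_header(data)


def build_npy_v1(header_text, payload):
    """Construct a format-1.0 .npy in memory (sample data for this example only)."""
    body = header_text.encode("ascii")
    pad = (64 - (10 + len(body) + 1) % 64) % 64      # pad so the preamble is 64-aligned
    header = body + b" " * pad + b"\n"
    return NPY_MAGIC + bytes([1, 0]) + struct.pack("<H", len(header)) + header + payload


# Constructed samples: a well-formed int64 array of shape (3,), and a corrupted
# copy whose header-length field claims more bytes than the file holds.
GOOD_NPY = build_npy_v1("{'descr': '<i8', 'fortran_order': False, 'shape': (3,), }",
                        struct.pack("<3q", 1, 2, 3))
BAD_NPY = GOOD_NPY[:8] + struct.pack("<H", 0xFFFF) + GOOD_NPY[10:]
MANIFEST = {"train.npy": sha256_hex(GOOD_NPY), "bad.npy": sha256_hex(BAD_NPY)}

if __name__ == "__main__":
    for name, blob in (("train.npy", GOOD_NPY), ("bad.npy", BAD_NPY)):
        print(name, gate_npy(name, blob, MANIFEST, "0.29.4"))
    print("old mlx:", gate_npy("train.npy", GOOD_NPY, MANIFEST, "0.29.3"))
```

Call gate_npy() on the raw bytes before mlx.load() and treat any False result as a pipeline failure worth logging, since a hash mismatch or a header that overruns the file is exactly the kind of "unusual .npy file source" that step 5 asks teams to watch for. The header parser is a consistency check on the container only; it does not replace the upgrade to 0.29.4.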

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
  Art. 15 - Accuracy, robustness and cybersecurity for high-risk AI systems
  Art. 9 - Risk management system
  Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
  A.6.1.2 - Information security in AI system development
  A.6.2 - AI system life cycle — supplier relationships
  A.8.4 - AI supply chain management
NIST AI RMF
  GV-6.1 - Policies for AI risk identification and management of third-party dependencies
  MANAGE 2.2 - Mechanisms to respond to and recover from AI risks
  MS-2.5 - Practices and personnel for AI risk management
OWASP LLM Top 10
  LLM03 - Training Data Poisoning
  LLM05:2025 - Supply Chain Vulnerabilities
  LLM06:2025 - Sensitive Information Disclosure

Technical Details

NVD Description

MLX is an array framework for machine learning on Apple silicon. Prior to version 0.29.4, there is a heap buffer overflow in mlx::core::load() when parsing malicious NumPy .npy files. An attacker-controlled file causes a 13-byte out-of-bounds read, leading to a crash or information disclosure. This issue has been patched in version 0.29.4.

Exploitation Scenario

An adversary targets an ML engineering team's data ingestion pipeline. They publish a poisoned NumPy dataset to a public repository (Hugging Face, Kaggle, or GitHub) or compromise an internal data storage bucket. A data scientist or an automated training pipeline calls mlx.load() on the malicious .npy file on an Apple Silicon MacBook or M-series Mac mini training node. The crafted file triggers the heap buffer overflow in mlx::core::load(), causing a 13-byte out-of-bounds read that leaks adjacent heap memory — potentially exposing API keys, model weights, or other secrets loaded earlier in the process. In a CI/CD context with automated training jobs, this could be fully unattended exploitation.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

Timeline

Published: November 21, 2025
Last Modified: December 2, 2025
First Seen: November 21, 2025