CVE-2025-62608: mlx: security flaw enables exploitation

GHSA-w6vg-jg77-2qg6 CRITICAL PoC AVAILABLE CISA: TRACK*
Published November 21, 2025
CISO Take

MLX, Apple's ML framework for Apple Silicon, has a critical heap buffer overflow triggered by malicious NumPy .npy files — no authentication or user interaction required. Any team using MLX to load externally-sourced datasets or model weights on Apple hardware is exposed to heap memory disclosure and potential RCE. Patch to 0.29.4 immediately and audit pipelines that ingest .npy files from untrusted sources.

Risk Assessment

CVSS 9.1 Critical with network-reachable, zero-privilege, zero-interaction attack vector makes this technically severe. Practical risk is moderated by low EPSS (0.00095) indicating limited current exploitation activity, and the specific hardware constraint (Apple Silicon). However, MLX adoption is growing rapidly among ML engineers and on-device AI developers — orgs with Apple Silicon MacBooks in ML pipelines have meaningful exposure, especially in dev/research environments where data provenance controls are weak.

Affected Systems

Package   Ecosystem   Vulnerable Range   Patched
mlx       pip         <= 0.29.3          0.29.4

Severity & Risk

CVSS 3.1: 9.1 / 10
EPSS: 0.1% chance of exploitation in 30 days (higher than 25% of all CVEs)
Exploitation Status: Exploit Available (exploitation: MEDIUM)
Sophistication: Moderate
Exploitation Confidence: medium
CISA SSVC: Public PoC (public PoC indexed in trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV: Network
AC: Low
PR: None
UI: None
S: Unchanged
C: High
I: None
A: High

Recommended Action

  1. PATCH

    Upgrade mlx to >= 0.29.4 via pip immediately — this is a one-line fix with no breaking changes.

  2. INVENTORY

    Identify all systems running MLX (pip list | grep mlx on Apple Silicon endpoints and CI runners).

  3. INPUT VALIDATION

    Implement file origin controls — reject .npy files not sourced from trusted, internal artifact registries; add hash verification for dataset files.

  4. ISOLATION

    Run MLX data loading in sandboxed processes where possible; restrict access to sensitive memory (credentials, keys) in processes that handle external .npy files.

  5. DETECTION

    Monitor for abnormal crashes in mlx processes, unexpected heap access violations in ML workloads, and unusual .npy file sources in pipeline logs.

  6. CI/CD

    Add MLX version pinning checks to CI pipelines to prevent regression to vulnerable versions.
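The two checks that steps 3 and 6 call for, written out as an added Python example (this is not code from the advisory or from the MLX project): a SHA-256 manifest gate that decides whether a .npy file may be handed to mlx.load() at all, and a version comparison for the CI pin that treats anything below 0.29.4, including pre-releases of 0.29.4 itself, as vulnerable. The manifest format, the file names and the sample bytes are constructed for the example; in a real pipeline the installed version would come from importlib.metadata.version("mlx") and the manifest from the internal artifact registry rather than from the dataset's own source.

```python
"""Ingestion gate for MLX pipelines: refuse .npy files whose SHA-256 is not in
a trusted manifest, and fail CI when the installed mlx predates the fix.
Added example; not code from the advisory or from the MLX project."""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

# The fixed release named by the advisory. Anything that sorts below it,
# including pre-releases of 0.29.4, is treated as vulnerable.
PATCHED = (0, 29, 4)


def version_key(text: str) -> tuple:
    """Map '0.29.3', '0.29.4', '0.29.4rc1' or '0.29.4.dev1' to a comparable
    tuple. The trailing flag is 1 for a final release and 0 for a pre-release,
    so a pre-release of X sorts below the final release of X."""
    nums, final = [], 1
    for piece in text.strip().split("."):
        digits = piece[: len(piece) - len(piece.lstrip("0123456789"))]
        if not digits:          # segment such as 'dev1' or 'rc0'
            final = 0
            break
        nums.append(int(digits))
        if digits != piece:     # '4rc1': numeric 4 with a tag attached
            final = 0
            break
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums[:3]) + (final,)


def is_patched(installed: str) -> bool:
    """True only for 0.29.4 final or anything newer (CI pin check, step 6)."""
    return version_key(installed) >= PATCHED + (1,)


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large datasets do not land in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_dataset(path: Path, manifest: dict) -> str:
    """Return 'ok', 'unlisted' or 'mismatch'. Only 'ok' files go to mlx.load().
    manifest maps file name -> expected SHA-256 hex (step 3, hash verification)."""
    expected = manifest.get(path.name)
    if expected is None:
        return "unlisted"
    actual = sha256_file(path)
    return "ok" if hmac.compare_digest(actual, expected) else "mismatch"


def demo() -> dict:
    """Constructed scenario: a listed file, the same file after tampering,
    and a file the manifest never mentions. Bytes are placeholders, not real
    arrays, because only the hash gate is exercised here."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        train = root / "train.npy"
        train.write_bytes(b"\x93NUMPY" + b"\x01\x00" + b"\x00" * 8)
        manifest = {"train.npy": sha256_file(train)}
        (root / "manifest.json").write_text(json.dumps(manifest))
        trusted = json.loads((root / "manifest.json").read_text())

        results["trusted"] = verify_dataset(train, trusted)
        train.write_bytes(train.read_bytes() + b"\x00")   # tamper after manifest was cut
        results["tampered"] = verify_dataset(train, trusted)
        other = root / "eval.npy"
        other.write_bytes(b"\x93NUMPY")
        results["unlisted"] = verify_dataset(other, trusted)
    return results


if __name__ == "__main__":
    for version in ("0.29.3", "0.29.4rc1", "0.29.4", "0.30.0"):
        print(version, "patched" if is_patched(version) else "VULNERABLE")
    print(demo())
```

The pre-release handling is deliberate: a CI runner that resolves `mlx>=0.29.4` to a dev build of 0.29.4 has not necessarily picked up the fix, so the check only passes the final release or later. The manifest is compared with hmac.compare_digest purely out of habit; the hex digests are not secret, but constant-time comparison costs nothing here.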

CISA SSVC Assessment

Decision: Track*
Exploitation: poc
Automatable: Yes
Technical Impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
  - Art. 15 - Accuracy, robustness and cybersecurity for high-risk AI systems
  - Art. 9 - Risk management system
  - Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
  - A.6.1.2 - Information security in AI system development
  - A.6.2 - AI system life cycle, supplier relationships
  - A.8.4 - AI supply chain management
NIST AI RMF
  - GV-6.1 - Policies for AI risk identification and management of third-party dependencies
  - MANAGE 2.2 - Mechanisms to respond to and recover from AI risks
  - MS-2.5 - Practices and personnel for AI risk management
OWASP LLM Top 10
  - LLM03 - Training Data Poisoning
  - LLM05:2025 - Supply Chain Vulnerabilities
  - LLM06:2025 - Sensitive Information Disclosure

Frequently Asked Questions

What is CVE-2025-62608?

MLX, Apple's ML framework for Apple Silicon, has a critical heap buffer overflow triggered by malicious NumPy .npy files — no authentication or user interaction required. Any team using MLX to load externally-sourced datasets or model weights on Apple hardware is exposed to heap memory disclosure and potential RCE. Patch to 0.29.4 immediately and audit pipelines that ingest .npy files from untrusted sources.

Is CVE-2025-62608 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2025-62608, increasing the risk of exploitation.

How to fix CVE-2025-62608?

  1. PATCH

    Upgrade mlx to >= 0.29.4 via pip immediately — this is a one-line fix with no breaking changes.

  2. INVENTORY

    Identify all systems running MLX (pip list | grep mlx on Apple Silicon endpoints and CI runners).

  3. INPUT VALIDATION

    Implement file origin controls — reject .npy files not sourced from trusted, internal artifact registries; add hash verification for dataset files.

  4. ISOLATION

    Run MLX data loading in sandboxed processes where possible; restrict access to sensitive memory (credentials, keys) in processes that handle external .npy files.

  5. DETECTION

    Monitor for abnormal crashes in mlx processes, unexpected heap access violations in ML workloads, and unusual .npy file sources in pipeline logs.

  6. CI/CD

    Add MLX version pinning checks to CI pipelines to prevent regression to vulnerable versions.

What systems are affected by CVE-2025-62608?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, data preprocessing pipelines, model fine-tuning workflows, on-device inference, MLOps CI/CD pipelines.

What is the CVSS score for CVE-2025-62608?

CVE-2025-62608 has a CVSS v3.1 base score of 9.1 (CRITICAL). The EPSS exploitation probability is 0.09%.

Technical Details

NVD Description

MLX is an array framework for machine learning on Apple silicon. Prior to version 0.29.4, there is a heap buffer overflow in mlx::core::load() when parsing malicious NumPy .npy files. An attacker-controlled file causes a 13-byte out-of-bounds read, leading to a crash or information disclosure. This issue has been patched in version 0.29.4.

Exploitation Scenario

Adversary targets an ML engineering team's data ingestion pipeline. They publish a poisoned NumPy dataset to a public repository (Hugging Face, Kaggle, or GitHub) or compromise an internal data storage bucket. A data scientist or automated training pipeline calls mlx.load() on the malicious .npy file on their Apple Silicon MacBook or M-series Mac mini training node. The crafted file triggers the heap buffer overflow in mlx::core::load(), causing a 13-byte out-of-bounds read that leaks adjacent heap memory — potentially exposing API keys, model weights, or other secrets loaded earlier in the process. In a CI/CD context with automated training jobs, this could be fully unattended exploitation.
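The advisory names the affected function and the size of the over-read but not which header field triggers it, so what follows is not a reconstruction of the MLX bug. It is an added Python example (not code from the advisory or from MLX) of the structural checks a pipeline can apply to a .npy file before it reaches mlx.load(): the magic and version bytes, a declared header length that must fit inside the file, a header dict restricted to the three keys the format defines, a dtype allow-list that rejects object arrays (which require pickle deserialization), and a data section whose size must equal what descr and shape imply. The build_npy helper, the dtype allow-list and the sample blobs are constructed for the example; a loader that skips any of these consistency checks is trusting attacker-controlled lengths, which is the general shape of the bug class the advisory describes.

```python
"""Structural pre-validation for NumPy .npy files ahead of mlx.load().
Added example; not code from the advisory or from the MLX project."""
import ast
import struct
from typing import Optional, Tuple

MAGIC = b"\x93NUMPY"

# Constructed allow-list: the plain numeric dtypes an ML pipeline expects.
# Object ('|O'), string and structured dtypes are deliberately absent.
ITEMSIZE = {
    "|b1": 1, "|i1": 1, "|u1": 1,
    "<i2": 2, "<i4": 4, "<i8": 8,
    "<u2": 2, "<u4": 4, "<u8": 8,
    "<f2": 2, "<f4": 4, "<f8": 8,
}


def validate_npy(data: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason). Every length read from the file is checked
    against the file itself before it is used to index into it."""
    if len(data) < 10:
        return False, "shorter than the fixed 10-byte preamble"
    if data[:6] != MAGIC:
        return False, "bad magic"
    major, minor = data[6], data[7]
    if (major, minor) == (1, 0):
        (header_len,) = struct.unpack("<H", data[8:10])   # uint16 LE
        offset = 10
    elif (major, minor) in ((2, 0), (3, 0)):
        if len(data) < 12:
            return False, "truncated version 2/3 preamble"
        (header_len,) = struct.unpack("<I", data[8:12])   # uint32 LE
        offset = 12
    else:
        return False, f"unsupported format version {major}.{minor}"
    if header_len == 0 or offset + header_len > len(data):
        return False, f"declared header length {header_len} exceeds file size {len(data)}"
    header = data[offset:offset + header_len]
    if header[-1:] != b"\n":
        return False, "header is not newline-terminated"
    try:
        text = header.decode("utf-8" if major == 3 else "latin-1")
        meta = ast.literal_eval(text.strip())             # literals only, never eval()
    except (ValueError, SyntaxError, UnicodeDecodeError) as exc:
        return False, f"unparsable header: {exc}"
    if not isinstance(meta, dict) or set(meta) != {"descr", "fortran_order", "shape"}:
        return False, "header must contain exactly descr, fortran_order and shape"
    descr, order, shape = meta["descr"], meta["fortran_order"], meta["shape"]
    if descr not in ITEMSIZE:
        return False, f"dtype {descr!r} not on the allow-list"
    if not isinstance(order, bool):
        return False, "fortran_order must be a bool"
    if not (isinstance(shape, tuple)
            and all(isinstance(d, int) and not isinstance(d, bool) and d >= 0 for d in shape)):
        return False, "shape must be a tuple of non-negative ints"
    expected = ITEMSIZE[descr]
    for dim in shape:
        expected *= dim
    actual = len(data) - offset - header_len
    if actual != expected:
        return False, f"data section is {actual} bytes, header implies {expected}"
    return True, "ok"


def build_npy(descr: str, shape: tuple, payload: bytes,
              header_len_override: Optional[int] = None) -> bytes:
    """Assemble a version-1.0 .npy blob for the demo. header_len_override lets
    the demo write a preamble whose declared header length does not match."""
    text = "{'descr': %r, 'fortran_order': False, 'shape': %r, }" % (descr, shape)
    body = text.encode("ascii")
    pad = (-(10 + len(body) + 1)) % 64        # the format pads the preamble to 64 bytes
    body += b" " * pad + b"\n"
    declared = len(body) if header_len_override is None else header_len_override
    return MAGIC + b"\x01\x00" + struct.pack("<H", declared) + body + payload


def demo() -> dict:
    """Constructed blobs: one well-formed float32 array and five malformed variants."""
    payload = bytes(range(12))                # 3 float32 values' worth of bytes
    good = build_npy("<f4", (3,), payload)
    cases = {
        "well_formed": good,
        "truncated": good[:8],
        "bad_magic": b"\x00" + good[1:],
        "header_len_past_eof": build_npy("<f4", (3,), payload, header_len_override=0xFFFF),
        "shape_exceeds_data": build_npy("<f4", (1000,), payload),
        "object_dtype": build_npy("|O", (3,), payload),
    }
    return {name: validate_npy(blob)[0] for name, blob in cases.items()}


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name:22s} {'accepted' if accepted else 'rejected'}")
```

The check that matters most for this bug class is the one on the declared header length: it is the first attacker-controlled number the parser meets, and everything after it is sliced by it. The size check at the end catches the mirror case, a shape that promises more data than the file carries, which a loader would otherwise satisfy by reading past the buffer it allocated.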

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

Timeline

Published: November 21, 2025
Last Modified: December 2, 2025
First Seen: November 21, 2025
