CVE-2025-62609: mlx: security flaw enables exploitation
GHSA-j842-xgm4-wf88 | HIGH | PoC AVAILABLE | CISA SSVC: TRACK

If your team runs local LLM inference on Apple silicon using MLX and loads GGUF model files from any external or user-controlled source, this is a direct denial-of-service vector that requires immediate patching: upgrade to MLX 0.29.4 or later now. Network-reachable attack surface, zero privileges required, and no user interaction make this trivially weaponizable against any service that accepts or fetches GGUF model files; the payoff for the attacker is a crash of the loading process, not code execution.
Risk Assessment
CVSS 7.5 HIGH with AV:N/AC:L/PR:N/UI:N puts this in the easy-to-exploit category for DoS. However, EPSS is extremely low (0.00116) and the vulnerability is not in CISA KEV, indicating no observed exploitation in the wild. Real-world risk is bounded by MLX adoption: primarily Apple silicon Mac deployments and developer workstations running local inference. Organizations serving MLX-based inference via API endpoints that accept external model files face the highest exposure. Confidentiality and integrity are unaffected — this is a pure availability vulnerability.
Recommended Action (6 steps)
1. PATCH: Upgrade the mlx pip package to >= 0.29.4 immediately.
2. INVENTORY: Identify all deployments using mlx on Apple silicon (dev laptops, build servers, inference endpoints).
3. WORKAROUND (pre-patch): Restrict GGUF file ingestion to trusted, integrity-verified sources only; implement SHA-256 hash verification against known-good manifests before loading.
4. SANDBOX: Run model loading in an isolated subprocess or container to limit the blast radius of a crash.
5. DETECT: Alert on abnormal process termination in MLX-based services; monitor for repeated crash loops as a potential exploitation signal.
6. SUPPLY CHAIN: Audit any automated pipelines that pull GGUF files from public model registries; these are the primary delivery vector for malicious model files.
CISA SSVC Assessment
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree; outcome: Track, meaning no action is required beyond normal patching cadence and the vulnerability is reassessed if new information (such as in-the-wild exploitation) appears.
Frequently Asked Questions
What is CVE-2025-62609?
CVE-2025-62609 is a denial-of-service flaw in MLX, the array framework for machine learning on Apple silicon. Before version 0.29.4, mlx::core::load_gguf() dereferences a pointer returned by the external gguflib library without validating it, so a crafted GGUF file crashes the loading process with a segmentation fault. Any deployment that loads GGUF files from external or user-controlled sources is exposed; the fix is to upgrade to MLX 0.29.4 or later.
Is CVE-2025-62609 actively exploited?
There is no evidence of exploitation in the wild: CVE-2025-62609 is not in the CISA KEV catalog and its EPSS score is 0.00116 (about 0.12%). Proof-of-concept code is publicly available, however, so any service that loads untrusted GGUF files should treat the crash as cheap to trigger.
How to fix CVE-2025-62609?
1. PATCH: Upgrade the mlx pip package to >= 0.29.4 immediately.
2. INVENTORY: Identify all deployments using mlx on Apple silicon (dev laptops, build servers, inference endpoints).
3. WORKAROUND (pre-patch): Restrict GGUF file ingestion to trusted, integrity-verified sources only; implement SHA-256 hash verification against known-good manifests before loading.
4. SANDBOX: Run model loading in an isolated subprocess or container to limit the blast radius of a crash.
5. DETECT: Alert on abnormal process termination in MLX-based services; monitor for repeated crash loops as a potential exploitation signal.
6. SUPPLY CHAIN: Audit any automated pipelines that pull GGUF files from public model registries; these are the primary delivery vector for malicious model files.
What systems are affected by CVE-2025-62609?
This vulnerability affects the following AI/ML architecture patterns: local inference pipelines, model serving, training pipelines, developer workstations, automated model download/validation pipelines.
What is the CVSS score for CVE-2025-62609?
CVE-2025-62609 has a CVSS v3.1 base score of 7.5 (HIGH), vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. The EPSS exploitation probability is 0.00116 (about 0.12%).
Technical Details
NVD Description
MLX is an array framework for machine learning on Apple silicon. Prior to version 0.29.4, there is a segmentation fault in mlx::core::load_gguf() when loading malicious GGUF files. Untrusted pointer from external gguflib library is dereferenced without validation, causing application crash. This issue has been patched in version 0.29.4.
Exploitation Scenario
An adversary crafts a GGUF file with a manipulated metadata pointer in the gguflib-parsed structure. When mlx::core::load_gguf() processes the file, it dereferences the untrusted pointer directly without bounds or null validation, triggering a segmentation fault. Delivery vectors: (1) Upload malicious GGUF to HuggingFace or a community repo; developers or automated pipelines download and load it. (2) Serve the malicious file from a compromised or attacker-controlled model registry URL. (3) Man-in-the-middle HTTP model downloads to inject a malformed GGUF in transit. No authentication, special permissions, or user clicks required — any code path that calls load_gguf() on attacker-supplied data is vulnerable.
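The pre-load gate that steps 3 to 5 of the Recommended Action call for, and that would refuse the crafted files described in the exploitation scenario above, as an added example (this is not MLX or gguflib code and does not reproduce the patched bug): it compares the file's SHA-256 against a known-good manifest entry, walks the GGUF header and metadata section with every length checked against the file size before it is used, and runs the real `mlx.core.load` in a child process so a segfault in the native loader kills only that child. Assumptions not taken from the advisory: the manifest supplies a hex digest per file, the `MAX_*` limits are local policy rather than GGUF rules, nested arrays are refused as policy, and the three sample blobs are constructed in the block. Python is used because MLX is driven from Python.

```python
import hashlib
import hmac
import struct
import subprocess
import sys

GGUF_MAGIC = b"GGUF"
SUPPORTED_VERSIONS = {2, 3}
MAX_TENSORS, MAX_KV_PAIRS, MAX_STRING_LEN = 1 << 20, 4096, 1 << 20  # local policy, not GGUF rules
T_STRING, T_ARRAY = 8, 9
# GGUF scalar value-type id -> encoded size in bytes (from the GGUF spec).
SCALAR_SIZE = {0: 1, 1: 1, 2: 2, 3: 2, 4: 4, 5: 4, 6: 4, 7: 1, 10: 8, 11: 8, 12: 8}


class GGUFValidationError(ValueError):
    """A header or metadata field that does not fit the file or the policy."""


class _Reader:
    """Little-endian cursor over the file bytes; every read is bounds-checked first."""
    def __init__(self, data):
        self.data, self.pos = data, 0
    def take(self, n):
        if self.pos + n > len(self.data):
            raise GGUFValidationError(
                f"field of {n} bytes at offset {self.pos} runs past EOF ({len(self.data)} bytes)")
        chunk, self.pos = self.data[self.pos:self.pos + n], self.pos + n
        return chunk
    def num(self, fmt):                      # fmt is "<I" (uint32) or "<Q" (uint64)
        return struct.unpack(fmt, self.take(struct.calcsize(fmt)))[0]
    def string(self):
        n = self.num("<Q")
        if n > MAX_STRING_LEN:
            raise GGUFValidationError(f"string length {n} exceeds policy limit")
        return self.take(n).decode("utf-8")  # strict: invalid UTF-8 is rejected too
    def skip_value(self, vtype):
        """Walk one metadata value, rejecting unknown types and oversized lengths."""
        if vtype in SCALAR_SIZE:
            self.take(SCALAR_SIZE[vtype])
        elif vtype == T_STRING:
            self.string()
        elif vtype == T_ARRAY:
            etype, count = self.num("<I"), self.num("<Q")
            if count > len(self.data):       # every element occupies at least one byte
                raise GGUFValidationError(f"array count {count} exceeds file size")
            if etype in SCALAR_SIZE:
                self.take(SCALAR_SIZE[etype] * count)  # one bounds check for the whole array
            elif etype == T_STRING:
                for _ in range(count):
                    self.string()
            else:                            # nested arrays are refused here as policy
                raise GGUFValidationError(f"unsupported array element type {etype}")
        else:
            raise GGUFValidationError(f"unknown metadata value type {vtype}")


def validate_gguf_metadata(data):
    """Parse header + metadata with strict bounds checks; return {key: value type id}."""
    r = _Reader(data)
    if r.take(4) != GGUF_MAGIC:
        raise GGUFValidationError("bad magic, not a GGUF file")
    version, n_tensors, n_kv = r.num("<I"), r.num("<Q"), r.num("<Q")
    if version not in SUPPORTED_VERSIONS:
        raise GGUFValidationError(f"unsupported GGUF version {version}")
    if n_tensors > MAX_TENSORS or n_kv > MAX_KV_PAIRS:
        raise GGUFValidationError(f"implausible counts: {n_tensors} tensors, {n_kv} kv pairs")
    keys = {}
    for _ in range(n_kv):
        key, vtype = r.string(), r.num("<I")
        r.skip_value(vtype)
        keys[key] = vtype
    if keys.get("general.architecture") != T_STRING:  # the GGUF spec marks this key required
        raise GGUFValidationError("missing general.architecture string")
    return keys


def rejection_reason(data, expected_sha256=None):
    """None if the file may reach the loader, else why not (manifest hash first, then metadata walk)."""
    if expected_sha256 and not hmac.compare_digest(hashlib.sha256(data).hexdigest(), expected_sha256.lower()):
        return "SHA-256 does not match the known-good manifest entry"
    try:
        validate_gguf_metadata(data)
        return None
    except (GGUFValidationError, UnicodeDecodeError) as exc:
        return str(exc)


def load_isolated(path, timeout=120.0):
    """Run the real loader in a child process; a segfault then kills only the child.
    Returns the exit status: negative means a fatal signal (-11 is SIGSEGV), the DETECT signal."""
    child = "import sys, mlx.core as mx; mx.load(sys.argv[1])"
    return subprocess.run([sys.executable, "-c", child, str(path)],
                          capture_output=True, timeout=timeout).returncode


def _gguf(n_kv, body, n_tensors=0, version=3):   # header + raw metadata bytes
    return GGUF_MAGIC + struct.pack("<IQQ", version, n_tensors, n_kv) + body


# Constructed samples, not real model files: one minimal valid header, two hostile ones.
GOOD_GGUF = _gguf(1, struct.pack("<Q", 20) + b"general.architecture"
                  + struct.pack("<IQ", T_STRING, 5) + b"llama")
GOOD_SHA256 = hashlib.sha256(GOOD_GGUF).hexdigest()
BAD_STRING_LEN = _gguf(1, struct.pack("<Q", 100) + b"gen")  # key claims 100 bytes, 3 remain
BAD_KV_COUNT = _gguf(1 << 40, b"")                          # absurd metadata pair count
```

Call `rejection_reason(path.read_bytes(), manifest[path.name])` before anything touches the file with MLX, and only on `None` hand the path to `load_isolated()`; a negative return there is the abnormal-termination event the DETECT step should count towards a crash-loop alert. The walk stops at the metadata section and does not parse tensor descriptors or weights, so it is a filter that turns a native crash into a clean rejection, not a substitute for the upgrade to 0.29.4.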
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Related Vulnerabilities
- CVE-2025-62608 (9.1) mlx: security flaw enables exploitation (same package: mlx)
- CVE-2025-59528 (10.0) Flowise: Unauthenticated RCE via MCP config injection (same attack type: supply chain)
- CVE-2025-5120 (10.0) smolagents: sandbox escape enables unauthenticated RCE (same attack type: supply chain)
- CVE-2023-3765 (10.0) MLflow: path traversal allows arbitrary file read (same attack type: supply chain)
- CVE-2024-2912 (10.0) BentoML: RCE via insecure deserialization (same attack type: supply chain)