CVE-2025-62609 — HIGH (CVSS 7.5) AI Security Vulnerability

CISO Take

If your team runs local LLM inference on Apple silicon using MLX and loads GGUF model files from any external or user-controlled source, this is a direct DoS vector requiring immediate patching. Upgrade to MLX 0.29.4 now. The combination of network-reachable attack surface, zero privileges required, and no user interaction makes this trivially weaponizable against any service that accepts or fetches GGUF model files.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
mlx	pip	<= 0.29.3	`0.29.4`
mlx	pip	—	No patch

Severity & Risk

CVSS 3.1

7.5 / 10

EPSS

0.1%

chance of exploitation in 30 days

KEV Status

Not in KEV

Sophistication

Trivial

Recommended Action

1. PATCH: Upgrade mlx pip package to >= 0.29.4 immediately. 2. INVENTORY: Identify all deployments using mlx on Apple silicon — dev laptops, build servers, inference endpoints. 3. WORKAROUND (pre-patch): Restrict GGUF file ingestion to trusted, integrity-verified sources only; implement SHA-256 hash verification against known-good manifests before loading. 4. SANDBOX: Run model loading in an isolated subprocess or container to limit blast radius of a crash. 5. DETECT: Alert on abnormal process termination in MLX-based services; monitor for repeated crash loops as a potential exploitation signal. 6. SUPPLY CHAIN: Audit any automated pipelines that pull GGUF files from public model registries — these are the primary delivery vector for malicious model files.

Classification

DoS Supply Chain Framework Model AML.T0010.001 - AI Software AML.T0011.000 - Unsafe AI Artifacts AML.T0029 - Denial of AI Service AML.T0049 - Exploit Public-Facing Application AML.T0076 - Corrupt AI Model

Compliance Impact

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity

ISO 42001

A.6.1.4 - AI system supply chain risk management A.6.2 - AI system risk management A.8.5 - Data and model validation A.9.3 - AI system robustness and resilience

NIST AI RMF

GOVERN-6.1 - Policies and procedures for AI supply chain risk MANAGE 2.2 - Mechanisms for treatment of identified AI risks MANAGE-2.2 - AI risk treatments are applied and monitored

OWASP LLM Top 10

LLM04 - Model Denial of Service LLM05:2025 - Supply Chain Vulnerabilities

Technical Details

NVD Description

MLX is an array framework for machine learning on Apple silicon. Prior to version 0.29.4, there is a segmentation fault in mlx::core::load_gguf() when loading malicious GGUF files. Untrusted pointer from external gguflib library is dereferenced without validation, causing application crash. This issue has been patched in version 0.29.4.

Exploitation Scenario

An adversary crafts a GGUF file with a manipulated metadata pointer in the gguflib-parsed structure. When mlx::core::load_gguf() processes the file, it dereferences the untrusted pointer directly without bounds or null validation, triggering a segmentation fault. Delivery vectors: (1) Upload malicious GGUF to HuggingFace or a community repo; developers or automated pipelines download and load it. (2) Serve the malicious file from a compromised or attacker-controlled model registry URL. (3) Man-in-the-middle HTTP model downloads to inject a malformed GGUF in transit. No authentication, special permissions, or user clicks required — any code path that calls load_gguf() on attacker-supplied data is vulnerable.

Weaknesses (CWE)

CWE-476 NULL Pointer Dereference Primary CWE-476

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

Timeline

Published

November 21, 2025

Last Modified

December 2, 2025

First Seen

November 21, 2025