CVE-2025-62609: MLX: segmentation fault in load_gguf() on malicious GGUF files (denial of service)

GHSA-j842-xgm4-wf88 | Severity: HIGH | PoC available | CISA SSVC: Track*
Published November 21, 2025
CISO Take

If your team runs local LLM inference on Apple silicon with MLX and loads GGUF model files from any external or user-controlled source, this is a direct denial-of-service vector: one malformed file crashes the process that loads it. Upgrade to MLX 0.29.4 now. No credentials and no user interaction are needed, which makes it trivially weaponizable against any service that accepts uploaded GGUF files or fetches them automatically from a registry. Workstations that only load models you have already vetted are exposed only to the extent that someone can get a file onto them.

What is the risk?

CVSS 7.5 HIGH with AV:N/AC:L/PR:N/UI:N puts this in the easy-to-exploit category for DoS. Read AV:N for what it means here: the vulnerable code is a file parser, and the network vector reflects that the malicious file can be delivered remotely (uploaded to an API, pulled from a registry); a host that only ever loads locally vetted model files has no remote exposure. EPSS is extremely low (0.00116) and the vulnerability is not in CISA KEV, so there is no observed exploitation in the wild. Real-world risk is bounded by MLX adoption: primarily Apple silicon Macs and developer workstations running local inference. Organizations serving MLX-based inference through API endpoints that accept external model files face the highest exposure. Confidentiality and integrity are unaffected; this is a pure availability vulnerability.

What systems are affected?

Package   Ecosystem   Vulnerable Range   Patched
MLX       pip         <= 0.29.3          0.29.4

How severe is it?

CVSS 3.1: 7.5 / 10
EPSS: 0.3% chance of exploitation in 30 days (higher than 24% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV (Attack Vector): Network
AC (Attack Complexity): Low
PR (Privileges Required): None
UI (User Interaction): None
S (Scope): Unchanged
C (Confidentiality): None
I (Integrity): None
A (Availability): High

What should I do?

  1. PATCH

    Upgrade the mlx pip package to >= 0.29.4 immediately.

  2. INVENTORY

    Identify all deployments using mlx on Apple silicon: dev laptops, build servers, inference endpoints. Python code reaches the vulnerable loader through mlx.core.load() on a .gguf path, so search for that call as well as for direct use of the C++ API.

  3. WORKAROUND (pre-patch)

    Restrict GGUF file ingestion to trusted, integrity-verified sources only; implement SHA-256 hash verification against known-good manifests before loading. The manifest has to come from a source you vetted independently of the file: a hash computed from whatever a public repo serves today only pins that file, malicious or not. Fetch over HTTPS and pin registry downloads to a specific revision rather than a mutable branch.

  4. SANDBOX

    Run model loading in an isolated subprocess or container to limit the blast radius of a crash. The request that triggered the crash still fails; treat a child killed by SIGSEGV as a rejected file, log it, and rate-limit the source rather than retrying the load.

  5. DETECT

    Alert on abnormal process termination in MLX-based services (a child exiting on SIGSEGV shows up as return code -11 from Python's subprocess module or exit status 139 in a shell); monitor for repeated crash loops as a potential exploitation signal.

  6. SUPPLY CHAIN

    Audit any automated pipelines that pull GGUF files from public model registries; these are the primary delivery vector for malicious model files.
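The pre-patch controls in steps 3 and 4 as working code, added here as an example and not code from MLX or gguflib. It assumes only the GGUF v2/v3 on-disk layout (magic, version, counts, metadata key/value pairs, tensor table); MAX_STRING is an assumed policy limit, load_in_child assumes that mlx.core.load() accepts a .gguf path, and the sample files are constructed inline. The validator is defense in depth: it does not model the gguflib structure that load_gguf() dereferences, it rejects files whose declared lengths and counts cannot be satisfied by the bytes present, which is the class of input an in-process native parser is most likely to mishandle, and it never hands an unpinned or malformed file to the native loader.

```python
"""Pre-flight checks for GGUF files before they reach MLX's native loader. Added example,
not MLX or gguflib code: bounds-checked parse of header, metadata and tensor table,
SHA-256 pin to a manifest, real load run in a child process. MAX_STRING is a policy cap."""
import hashlib, hmac, struct, subprocess, sys

GGUF_MAGIC, SUPPORTED_VERSIONS = b"GGUF", (2, 3)
MAX_STRING, MAX_DIMS = 1 << 20, 4                  # assumed policy cap; GGML_MAX_DIMS
T_STRING, T_ARRAY = 8, 9
SCALAR_FMT = {0: "<B", 1: "<b", 2: "<H", 3: "<h", 4: "<I", 5: "<i",
              6: "<f", 7: "<?", 10: "<Q", 11: "<q", 12: "<d"}

class GGUFError(ValueError): pass

class Reader:  # little-endian cursor over bytes; every read is bounds-checked first
    def __init__(self, buf):
        self.buf, self.pos = buf, 0
    def take(self, n):
        if n > len(self.buf) - self.pos:
            raise GGUFError(f"truncated at {self.pos}: need {n}, have {len(self.buf) - self.pos}")
        self.pos += n
        return self.buf[self.pos - n:self.pos]
    def scalar(self, fmt):
        return struct.unpack(fmt, self.take(struct.calcsize(fmt)))[0]
    def string(self):
        n = self.scalar("<Q")
        if n > MAX_STRING:
            raise GGUFError(f"string length {n} exceeds cap {MAX_STRING}")
        return self.take(n).decode("utf-8")
    def value(self, vtype):
        if vtype in SCALAR_FMT:
            return self.scalar(SCALAR_FMT[vtype])
        if vtype == T_STRING:
            return self.string()
        if vtype == T_ARRAY:
            etype, count = self.scalar("<I"), self.scalar("<Q")
            if etype not in SCALAR_FMT and etype != T_STRING:  # nested arrays rejected (policy)
                raise GGUFError(f"bad array element type {etype}")
            if count > len(self.buf) - self.pos:                 # each element is >= 1 byte
                raise GGUFError(f"array count {count} exceeds the bytes left in the file")
            return [self.value(etype) for _ in range(count)]
        raise GGUFError(f"unknown value type {vtype}")

def validate_gguf(buf):
    """Parse header, metadata and tensor infos; raise GGUFError on anything inconsistent."""
    r = Reader(buf)
    if r.take(4) != GGUF_MAGIC or (version := r.scalar("<I")) not in SUPPORTED_VERSIONS:
        raise GGUFError("bad magic or unsupported version")
    n_tensors, n_kv = r.scalar("<Q"), r.scalar("<Q")
    if n_tensors > len(buf) or n_kv > len(buf):                  # counts larger than the file
        raise GGUFError("tensor/kv count exceeds file size")
    meta = {}
    for _ in range(n_kv):
        key = r.string()                                         # key is read before its value
        meta[key] = r.value(r.scalar("<I"))
    if "general.architecture" not in meta:
        raise GGUFError("missing general.architecture")
    tensors = []
    for _ in range(n_tensors):
        name, n_dims = r.string(), r.scalar("<I")
        if not 1 <= n_dims <= MAX_DIMS:
            raise GGUFError(f"tensor {name!r} has {n_dims} dims")
        dims = [r.scalar("<Q") for _ in range(n_dims)]
        tensors.append((name, dims, r.scalar("<I"), r.scalar("<Q")))  # ggml type, data offset
    return {"version": version, "metadata": meta, "tensors": tensors}

def preflight(buf, expected_sha256=None):
    """Return (ok, detail); ok=False means the file must not reach the native loader."""
    if expected_sha256 is not None and not hmac.compare_digest(
            hashlib.sha256(buf).hexdigest(), expected_sha256):
        return False, "sha256 mismatch against manifest"
    try:
        info = validate_gguf(buf)
    except (GGUFError, UnicodeDecodeError) as e:
        return False, f"rejected: {e}"
    return True, f"{len(info['tensors'])} tensors, arch={info['metadata']['general.architecture']}"

def load_in_child(path, timeout=300):
    """Sandbox step: the real loader runs in a child, so a SIGSEGV (return code -11) kills
    only the child, not the service. Assumes mlx.core.load() accepts a .gguf path."""
    code = "import sys, mlx.core as mx; mx.load(sys.argv[1])"
    return subprocess.run([sys.executable, "-c", code, path],
                          capture_output=True, timeout=timeout).returncode

def _s(t): return struct.pack("<Q", len(t.encode())) + t.encode()  # GGUF string: u64 len + UTF-8

def build_sample():
    """Constructed minimal GGUF v3 file (sample data, not a real model): 2 KV pairs, 1 F32 tensor."""
    head = GGUF_MAGIC + struct.pack("<IQQ", 3, 1, 2)
    head += _s("general.architecture") + struct.pack("<I", T_STRING) + _s("llama")
    head += _s("general.alignment") + struct.pack("<II", 4, 32)
    head += _s("tok_embd.weight") + struct.pack("<IQQIQ", 2, 4, 8, 0, 0)
    head += b"\0" * (-len(head) % 32)              # data section is aligned to general.alignment
    return head + b"\0" * (4 * 8 * 4)              # 4x8 float32 payload

# Constructed malformed inputs: a key claiming a 1 TiB length, and a UINT8 array claiming 2^32 elements.
OVERSIZED_KEY = GGUF_MAGIC + struct.pack("<IQQ", 3, 0, 1) + struct.pack("<Q", 1 << 40)
BLOATED_ARRAY = (GGUF_MAGIC + struct.pack("<IQQ", 3, 0, 1) + _s("x")
                 + struct.pack("<I", T_ARRAY) + struct.pack("<IQ", 0, 1 << 32))
```

Call preflight(data, manifest_hash) on the downloaded bytes and only on a True result write the file out and call load_in_child(path); treat a return code of -11 as a rejected file, not a transient error. A file that passes these checks can still crash an unpatched MLX, because the checks do not model gguflib's internals; they shrink the attack surface and keep the service process alive, they do not replace the upgrade.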

What does CISA's SSVC say?

Decision: Track*
Exploitation: PoC
Automatable: Yes
Technical Impact: Partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
  Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
  A.6.1.4 - AI system supply chain risk management
  A.6.2 - AI system risk management
  A.8.5 - Data and model validation
  A.9.3 - AI system robustness and resilience
NIST AI RMF
  GOVERN-6.1 - Policies and procedures for AI supply chain risk
  MANAGE-2.2 - Mechanisms for treatment of identified AI risks are applied and monitored
OWASP LLM Top 10
  LLM04 - Model Denial of Service
  LLM05:2025 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2025-62609?

CVE-2025-62609 is a denial-of-service vulnerability in MLX, Apple's array framework for machine learning on Apple silicon. Before version 0.29.4, mlx::core::load_gguf() dereferences an unvalidated pointer returned by the gguflib library while loading a GGUF file, so a malicious GGUF file crashes the loading process with a segmentation fault. Any deployment that loads GGUF files from an external or user-controlled source is exposed; upgrade to MLX 0.29.4 or later.

Is CVE-2025-62609 actively exploited?

There is no evidence of exploitation in the wild: the CVE is not in CISA KEV and its EPSS score is low. A public proof-of-concept is indexed (trickest/cve), so exploitation is trivial for anyone who can get a crafted GGUF file loaded by a vulnerable MLX process.

How to fix CVE-2025-62609?

Upgrade the mlx pip package to 0.29.4 or later. Until the upgrade lands: load GGUF files only from trusted, integrity-verified sources and check them against a SHA-256 manifest before loading; run model loading in an isolated subprocess or container so a crash cannot take the service down; alert on abnormal process termination and crash loops in MLX-based services; and audit automated pipelines that pull GGUF files from public model registries. The six steps under "What should I do?" above cover each of these in detail.

What systems are affected by CVE-2025-62609?

This vulnerability affects the following AI/ML architecture patterns: local inference pipelines, model serving, training pipelines, developer workstations, automated model download/validation pipelines.

What is the CVSS score for CVE-2025-62609?

CVE-2025-62609 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.33%.

What is the AI security impact?

Affected AI Architectures

local inference pipelines, model serving, training pipelines, developer workstations, automated model download/validation pipelines

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0011.000 Unsafe AI Artifacts
AML.T0029 Denial of AI Service
AML.T0049 Exploit Public-Facing Application
AML.T0076 Corrupt AI Model

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.6.1.4, A.6.2, A.8.5, A.9.3
NIST AI RMF: GOVERN-6.1, MANAGE-2.2
OWASP LLM Top 10: LLM04, LLM05:2025

What are the technical details?

Original Advisory

MLX is an array framework for machine learning on Apple silicon. Prior to version 0.29.4, there is a segmentation fault in mlx::core::load_gguf() when loading malicious GGUF files. An untrusted pointer from the external gguflib library is dereferenced without validation, causing an application crash. This issue has been patched in version 0.29.4.

Exploitation Scenario

An adversary crafts a GGUF file whose metadata leads gguflib to hand back a NULL or otherwise invalid pointer for a parsed structure that mlx::core::load_gguf() then dereferences without a null or bounds check, triggering a segmentation fault in the loading process. The file itself carries no pointers; what the attacker controls is the metadata that shapes the library's in-memory structure. Delivery vectors: (1) upload the malicious GGUF to HuggingFace or a community repo, where developers or automated pipelines download and load it; (2) serve the file from a compromised or attacker-controlled model registry URL; (3) man-in-the-middle a plain-HTTP model download and swap in the malformed file in transit. No authentication, special permissions, or user clicks are required: any code path that calls load_gguf() on attacker-supplied data, including mlx.core.load() on a .gguf path from Python, is vulnerable. The outcome is a crash of the loading process, not code execution, which matches the CWE-476 classification and the C:N/I:N/A:H vector.

Weaknesses (CWE)

CWE-476 — NULL Pointer Dereference: The product dereferences a pointer that it expects to be valid but is NULL.

  • [Implementation] For any pointers that could have been modified or provided from a function that can return NULL, check the pointer for NULL before use. When working with a multithreaded or otherwise asynchronous environment, ensure that proper locking APIs are used to lock before the check, and unlock when it has finished [REF-1484].
  • [Requirements] Select a programming language that is not susceptible to these issues.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Timeline

Published
November 21, 2025
Last Modified
December 2, 2025
First Seen
November 21, 2025
