AI Threat Alert
API
AI APIs are the boundary between the application and the model. Self-hosted inference servers (vLLM, Triton, Ollama, TGI) and third-party gateways (LiteLLM, OpenRouter) expose OpenAI-compatible endpoints, and the same web-app vulnerability classes appear here: missing or weak authentication on /v1/chat/completions, broken authorization between tenants, lack of rate limiting that lets an attacker drain quota or burn GPU time, and overly permissive CORS that leaks API keys from browser-side calls. The blast radius is unusual: a single auth-bypass on an inference endpoint exposes both data and compute, and in the case of paid hosted models, directly costs money. We have seen production CVEs across most popular self-hosted servers in the last 18 months. Defenses: require auth on every endpoint, per-tenant rate limits, separate key scopes for read vs admin, and pin server versions aggressively.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| UNKNOWN | CVE-2024-1561 | Gradio: path traversal enables arbitrary file read | gradio | - |
| HIGH | CVE-2024-34510 | Gradio: credential leakage via Windows path encoding bug | gradio | 7.5 |
| CRITICAL | CVE-2024-4253 | Gradio: CI/CD command injection enables secrets exfiltration | gradio | 9.1 |
| CRITICAL | CVE-2024-3234 | ChuanhuChatGPT: path traversal exposes LLM API keys | chuanhuchatgpt | 9.8 |
| MEDIUM | CVE-2024-47165 | Gradio: CORS null origin bypass leaks auth tokens | gradio | 5.4 |
| LOW | CVE-2024-47869 | Gradio: timing attack exposes analytics dashboard auth | gradio | 3.7 |
| CRITICAL | CVE-2024-47871 | Gradio: cleartext MITM exposes ML demo data via share=True | gradio | 9.1 |
| UNKNOWN | CVE-2024-10650 | ChuanhuChatGPT: DoS via multipart payload exhaustion | chuanhuchatgpt | - |
| UNKNOWN | CVE-2024-10707 | ChuanhuChatGPT: path traversal exposes server files unauthed | chuanhuchatgpt | - |
| MEDIUM | CVE-2024-12217 | Gradio: NTFS ADS bypass exposes blocked file paths | gradio | 5.3 |
| MEDIUM | CVE-2024-8021 | Gradio: open redirect exposes AI demo users to phishing | gradio | 6.1 |
| UNKNOWN | CVE-2025-0187 | Gradio: DoS via oversized upload filename | gradio | - |
| CRITICAL | CVE-2024-41118 | streamlit-geospatial: blind SSRF via WMS URL input | streamlit-geospatial | 9.8 |
| CRITICAL | CVE-2024-41120 | streamlit-geospatial: blind SSRF via unvalidated URL input | streamlit-geospatial | 9.8 |
| MEDIUM | CVE-2024-42474 | Streamlit: path traversal leaks Windows NTLM hash | streamlit | 6.5 |
| UNKNOWN | CVE-2025-34072 | Slack MCP: zero-click exfiltration via link unfurling | - | |
| UNKNOWN | CVE-2025-66479 | Anthropic: Protection Bypass circumvents security controls | - | |
| HIGH | CVE-2026-0621 | mcp_typescript_sdk: security flaw enables exploitation | 7.5 | |
| HIGH | CVE-2026-21852 | claude_code: Weak Credentials allow account compromise | claude_code | 7.5 |
| MEDIUM | CVE-2025-63390 | anythingllm: Missing Auth allows unauthenticated access | 5.3 |