Data Extraction
Data extraction attacks target the information processed or memorised by AI/ML systems. They take three main forms. First, training-data extraction: large language models can memorise verbatim spans of their training corpus, and an attacker who crafts the right prompts can pull back PII, API keys, or copyrighted text — a result demonstrated against GPT-2 by Carlini et al. and reproduced against several production models. Second, model extraction: by repeatedly querying a hosted model and observing outputs, an attacker can reconstruct enough behaviour to clone proprietary fine-tunes. Third, system-prompt and conversation leakage: indirect prompt injection or insecure logging can leak the application's instructions and other users' conversations. Multi-tenant inference platforms (vLLM, Triton, hosted APIs) and RAG systems are particularly exposed. Defenses: output filtering, differential privacy in training, rate limits, and strict tenant isolation.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| MEDIUM | CVE-2024-47872 | Gradio: stored XSS via malicious file upload | gradio | 5.4 |
| MEDIUM | CVE-2024-48052 | Gradio: SSRF in DownloadButton exposes internal resources | gradio | 6.5 |
| MEDIUM | CVE-2024-51751 | Gradio: path traversal exposes arbitrary server files | gradio | 6.5 |
| UNKNOWN | CVE-2024-10707 | ChuanhuChatGPT: path traversal exposes server files unauthed | chuanhuchatgpt | - |
| HIGH | CVE-2024-11030 | GPT Academic: SSRF via unsanitized HotReload plugin | gpt_academic | 7.5 |
| HIGH | CVE-2024-11031 | GPT Academic: SSRF in Markdown plugin leaks credentials | gpt_academic | 7.5 |
| UNKNOWN | CVE-2024-12065 | LLaVA: path traversal allows arbitrary file read | - | |
| MEDIUM | CVE-2024-12217 | Gradio: NTFS ADS bypass exposes blocked file paths | gradio | 5.3 |
| MEDIUM | CVE-2022-35918 | Streamlit: path traversal leaks server filesystem | streamlit | 6.5 |
| CRITICAL | CVE-2024-41113 | streamlit-geospatial: RCE via eval() in Timelapse page | streamlit-geospatial | 9.8 |
| CRITICAL | CVE-2024-41114 | streamlit-geospatial: RCE via eval() on palette input | streamlit-geospatial | 9.8 |
| CRITICAL | CVE-2024-41115 | streamlit-geospatial: eval() injection enables RCE | streamlit-geospatial | 9.8 |
| CRITICAL | CVE-2024-41118 | streamlit-geospatial: blind SSRF via WMS URL input | streamlit-geospatial | 9.8 |
| CRITICAL | CVE-2024-41120 | streamlit-geospatial: blind SSRF via unvalidated URL input | streamlit-geospatial | 9.8 |
| HIGH | CVE-2024-45848 | MindsDB: RCE via eval() injection in ChromaDB INSERT | 8.8 | |
| UNKNOWN | CVE-2025-34072 | Slack MCP: zero-click exfiltration via link unfurling | - | |
| UNKNOWN | CVE-2025-66479 | Anthropic: Protection Bypass circumvents security controls | - | |
| HIGH | CVE-2026-21852 | claude_code: Weak Credentials allow account compromise | claude_code | 7.5 |
| MEDIUM | CVE-2025-11844 | smolagents: security flaw enables exploitation | smolagents | 5.4 |
| MEDIUM | CVE-2025-12695 | dspy: security flaw enables exploitation | dspy | 5.9 |