Data Extraction
Data extraction attacks target the information processed or memorised by AI/ML systems. They take three main forms. First, training-data extraction: large language models can memorise verbatim spans of their training corpus, and an attacker who crafts the right prompts can pull back PII, API keys, or copyrighted text — a result demonstrated against GPT-2 by Carlini et al. and reproduced against several production models. Second, model extraction: by repeatedly querying a hosted model and observing outputs, an attacker can reconstruct enough behaviour to clone proprietary fine-tunes. Third, system-prompt and conversation leakage: indirect prompt injection or insecure logging can leak the application's instructions and other users' conversations. Multi-tenant inference platforms (vLLM, Triton, hosted APIs) and RAG systems are particularly exposed. Defenses: output filtering, differential privacy in training, rate limits, and strict tenant isolation.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| CRITICAL | CVE-2025-47241 | browser-use: URL allowlist bypass enables SSRF in agents | browser-use | 9.3 |
| HIGH | CVE-2025-46417 | picklescan: scanner bypass enables DNS data exfiltration | picklescan | - |
| CRITICAL | CVE-2024-12909 | llama-index finchat: SQL injection enables RCE | llama-index-packs-finchat | 10.0 |
| HIGH | CVE-2024-7990 | open-webui: Stored XSS enables admin session hijack | open-webui | 8.4 |
| HIGH | CVE-2024-8060 | OpenWebUI: path traversal RCE via audio upload API | open-webui | 8.1 |
| HIGH | CVE-2024-7053 | open-webui: XSS enables admin session hijack via chat | open-webui | 7.6 |
| MEDIUM | CVE-2024-7046 | Open WebUI: missing authz leaks admin credentials | open-webui | 4.3 |
| HIGH | CVE-2024-7039 | open-webui: Privilege bypass enables admin account deletion | open-webui | 8.3 |
| MEDIUM | CVE-2024-7044 | Open WebUI: Stored XSS via file upload, session hijack | open-webui | 6.8 |
| HIGH | CVE-2024-7043 | Open WebUI: auth bypass exposes all user files | open-webui | 8.1 |
| HIGH | CVE-2024-9606 | LiteLLM: API key leakage in logs exposes credentials | litellm | 7.5 |
| HIGH | CVE-2025-0628 | litellm: privilege escalation viewer→proxy admin via bad API key | litellm | 8.1 |
| HIGH | CVE-2025-0330 | LiteLLM: Langfuse API key leak via error handling | litellm | 7.5 |
| MEDIUM | CVE-2025-1979 | Ray: Redis password exposed via plaintext logging | ray | 6.4 |
| CRITICAL | CVE-2025-25362 | spacy-llm: SSTI allows unauthenticated RCE (CVSS 9.8) | spacy-llm | 9.8 |
| HIGH | CVE-2025-25297 | Label Studio: SSRF via S3 endpoint exposes internal services | label-studio | 8.6 |
| MEDIUM | CVE-2025-25296 | Label Studio: reflected XSS via label_config param | label-studio | 6.1 |
| HIGH | CVE-2025-25295 | Label Studio SDK: path traversal leaks server filesystem | label-studio-sdk | - |
| HIGH | CVE-2025-23205 | nbgrader: Clickjacking exposes formgrader via IFrame | - | |
| CRITICAL | CVE-2023-6021 | Ray: LFI allows unauthenticated file read | ray | 9.3 |