Data Extraction
Data extraction attacks target the information processed or memorised by AI/ML systems. They take three main forms. First, training-data extraction: large language models can memorise verbatim spans of their training corpus, and an attacker who crafts the right prompts can pull back PII, API keys, or copyrighted text — a result demonstrated against GPT-2 by Carlini et al. and reproduced against several production models. Second, model extraction: by repeatedly querying a hosted model and observing outputs, an attacker can reconstruct enough behaviour to clone proprietary fine-tunes. Third, system-prompt and conversation leakage: indirect prompt injection or insecure logging can leak the application's instructions and other users' conversations. Multi-tenant inference platforms (vLLM, Triton, hosted APIs) and RAG systems are particularly exposed. Defenses: output filtering, differential privacy in training, rate limits, and strict tenant isolation.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| LOW | GHSA-r7w7-9xr2-qq2r | langchain-openai: SSRF DNS rebinding, blind network probe | langchain-openai | 3.1 |
| MEDIUM | GHSA-fv5p-p927-qmxr | langchain-text-splitters: SSRF bypass exposes cloud metadata | langchain-text-splitters | 6.5 |
| HIGH | GHSA-gqqj-85qm-8qhf | paperclipai: connector trust bypass enables Gmail read/write | paperclipai | 8.7 |
| HIGH | GHSA-w8hx-hqjv-vjcq | Paperclip: RCE via workspace runtime command injection | @paperclipai/server | 7.3 |
| HIGH | GHSA-f6hc-c5jr-878p | Flowise: auth bypass enables account takeover via null token | flowise | - |
| HIGH | GHSA-28g4-38q8-3cwc | Flowise: Cypher injection allows full Neo4j DB wipe | flowise-components | - |
| HIGH | GHSA-x5w6-38gp-mrqh | Flowise: HTTP reset link exposes tokens to MITM takeover | flowise | - |
| HIGH | GHSA-6f7g-v4pp-r667 | Flowise: OAuth token theft via unauthenticated endpoint | flowise | - |
| HIGH | GHSA-6r77-hqx7-7vw8 | FlowiseAI: SSRF via prompt injection in API Chain | flowise-components | 7.1 |
| HIGH | GHSA-2x8m-83vc-6wv4 | Flowise: SSRF bypass exposes internal services | flowise-components | 7.1 |
| HIGH | GHSA-xhmj-rg95-44hv | Flowise: SSRF bypass exposes cloud IAM credentials | flowise-components | 7.1 |
| HIGH | GHSA-cvrr-qhgw-2mm6 | Flowise: unauthenticated RCE via FILE-STORAGE bypass | flowise-components | 7.7 |
| HIGH | GHSA-4jpm-cgx2-8h37 | Flowise: unauth API exposes plaintext API keys and tokens | flowise | - |
| HIGH | GHSA-48m6-ch88-55mj | Flowise: Mass Assignment allows cross-tenant org takeover | flowise | 8.1 |
| HIGH | GHSA-f228-chmx-v6j6 | Flowise: prompt injection RCE via AirtableAgent | flowise-components | 8.3 |
| MEDIUM | GHSA-9hrv-gvrv-6gf2 | Flowise: SSRF bypass enables cloud metadata access | flowise-components | - |
| MEDIUM | GHSA-qqvm-66q4-vf5c | Flowise: SSRF bypass enables cloud credential theft | flowise-components | - |
| MEDIUM | GHSA-m7mq-85xj-9x33 | Flowise: hardcoded default key enables JWT token forgery | flowise | 5.6 |
| MEDIUM | GHSA-2qqc-p94c-hxwh | Flowise: hardcoded session secret enables auth bypass | flowise | 5.6 |
| MEDIUM | GHSA-cc4f-hjpj-g9p8 | Flowise: hardcoded JWT defaults enable full auth bypass | flowise | 5.6 |