Data Extraction
Data extraction attacks target the information processed or memorised by AI/ML systems. They take three main forms. First, training-data extraction: large language models can memorise verbatim spans of their training corpus, and an attacker who crafts the right prompts can pull back PII, API keys, or copyrighted text — a result demonstrated against GPT-2 by Carlini et al. and reproduced against several production models. Second, model extraction: by repeatedly querying a hosted model and observing outputs, an attacker can reconstruct enough behaviour to clone proprietary fine-tunes. Third, system-prompt and conversation leakage: indirect prompt injection or insecure logging can leak the application's instructions and other users' conversations. Multi-tenant inference platforms (vLLM, Triton, hosted APIs) and RAG systems are particularly exposed. Defenses: output filtering, differential privacy in training, rate limits, and strict tenant isolation.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| HIGH | CVE-2023-43472 | MLflow: unauth REST API leaks sensitive ML data | mlflow | 7.5 |
| MEDIUM | CVE-2023-6568 | MLflow: reflected XSS via Content-Type header injection | mlflow | 6.1 |
| HIGH | CVE-2023-6709 | MLflow: SSTI enables RCE in ML experiment tracking | mlflow | 8.8 |
| HIGH | CVE-2023-6753 | MLflow: path traversal exposes arbitrary file read/write | mlflow | 8.8 |
| HIGH | CVE-2023-6909 | MLflow: path traversal exposes arbitrary files (no auth) | mlflow | 7.5 |
| CRITICAL | CVE-2024-27132 | MLflow: XSS in recipes enables client-side RCE | mlflow | 9.6 |
| HIGH | CVE-2024-1483 | MLflow: path traversal exposes arbitrary server files | mlflow | 7.5 |
| HIGH | CVE-2024-1558 | MLflow: path traversal enables arbitrary file read | mlflow | 7.5 |
| HIGH | CVE-2024-1593 | MLflow: path traversal via ';' smuggling exposes files | mlflow | 7.5 |
| HIGH | CVE-2024-1594 | MLflow: path traversal via URI fragment reads arbitrary files | mlflow | 7.5 |
| CRITICAL | CVE-2024-3573 | MLflow: LFI via URI parsing allows arbitrary file read | mlflow | 9.3 |
| HIGH | CVE-2024-3848 | MLflow: URL fragment bypass leaks SSH and cloud keys | mlflow | 7.5 |
| HIGH | CVE-2024-2928 | MLflow: URI fragment LFI exposes arbitrary files | mlflow | 7.5 |
| HIGH | CVE-2024-8859 | MLflow: path traversal allows arbitrary file read via DBFS | mlflow | 7.5 |
| HIGH | CVE-2025-1473 | MLflow: CSRF in signup allows rogue account creation | mlflow | 7.1 |
| MEDIUM | CVE-2025-52967 | MLflow: unauthenticated SSRF in gateway proxy | mlflow | 5.8 |
| CRITICAL | CVE-2025-11200 | mlflow: security flaw enables exploitation | mlflow | 9.8 |
| HIGH | CVE-2025-14279 | mlflow: security flaw enables exploitation | mlflow | 8.1 |
| CRITICAL | CVE-2026-2654 | smolagents: SSRF allows internal network access | smolagents | 9.8 |
| HIGH | CVE-2025-33213 | NVIDIA: Deserialization enables RCE | 8.8 |