AI Threat Alert
Data Leakage
Data leakage in AI systems happens at three layers. At training time, models can memorise rare strings from their corpus — phone numbers, passwords, API keys committed to public code — and an attacker who knows the right context can prompt the model to regurgitate them. At inference time, applications often pass sensitive context to third-party APIs (OpenAI, Anthropic, Bedrock) without redaction; this content is then potentially logged, retained, or used to improve future models depending on the vendor's terms. At the application layer, multi-tenant deployments routinely leak across users when caching, logging, or vector-store indexing is misconfigured. Indirect prompt injection compounds all three by giving an attacker a way to ask the model to repeat what it should not. Defenses: PII redaction in prompts and outputs, differential privacy in training, vendor data-use review, and strict tenant boundaries in shared infrastructure.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| HIGH | CVE-2024-0520 | MLflow: path traversal enables RCE via dataset loading | mlflow | 8.8 |
| HIGH | CVE-2024-8859 | MLflow: path traversal allows arbitrary file read via DBFS | mlflow | 7.5 |
| HIGH | CVE-2025-14279 | mlflow: security flaw enables exploitation | mlflow | 8.1 |
| CRITICAL | CVE-2025-5120 | smolagents: sandbox escape enables unauthenticated RCE | smolagents | 10.0 |
| MEDIUM | CVE-2021-28796 | Qiita::Markdown: XSS in transformer components | 6.1 | |
| LOW | CVE-2025-3777 | Transformers: URL validation bypass exposes image pipeline | transformers | 3.5 |
| LOW | CVE-2025-25183 | vLLM: hash collision enables prefix cache poisoning | vllm | 2.6 |
| LOW | CVE-2025-1953 | vLLM AIBrix: weak hash in prefix cache leaks inference patterns | 2.6 | |
| HIGH | CVE-2025-30202 | vLLM: ZeroMQ socket exposure enables DoS in multi-node | vllm | 7.5 |
| HIGH | CVE-2025-46722 | vLLM: image hash collision enables multimodal cache leakage | vllm | 7.3 |
| CRITICAL | CVE-2026-22778 | vllm: security flaw enables exploitation | vllm | 9.8 |
| HIGH | CVE-2024-39722 | Ollama: path traversal exposes server filesystem | ollama | 7.5 |
| MEDIUM | CVE-2025-44779 | Ollama: arbitrary file deletion via /api/pull | ollama | 6.6 |
| CRITICAL | CVE-2024-0964 | Gradio: unauthenticated LFI exposes full server filesystem | gradio | 9.4 |
| UNKNOWN | CVE-2024-1561 | Gradio: path traversal enables arbitrary file read | gradio | - |
| HIGH | CVE-2024-34510 | Gradio: credential leakage via Windows path encoding bug | gradio | 7.5 |
| HIGH | CVE-2024-4941 | Gradio: LFI via JSON path key exposes server files | gradio | 7.5 |
| CRITICAL | CVE-2024-3234 | ChuanhuChatGPT: path traversal exposes LLM API keys | chuanhuchatgpt | 9.8 |
| HIGH | CVE-2024-47084 | Gradio: CORS bypass exposes local instances to credential theft | gradio | 8.3 |
| MEDIUM | CVE-2024-47166 | Gradio: path traversal leaks custom component source | gradio | 5.3 |