Framework
AI/ML frameworks sit at the bottom of every AI stack — virtually every production AI system depends transitively on PyTorch or TensorFlow at the training layer, and on LangChain, LlamaIndex, or a similar orchestrator at the application layer. That concentration means a single vulnerability often affects tens of thousands of downstream services. The CVE patterns are recognisable: unsafe deserialization in model loading (the long tail of pickle), template injection in LangChain's prompt-construction utilities, SSRF in LlamaIndex's data-loader connectors, and path traversal in MLflow's experiment storage. PyTorch itself has shipped several high-severity CVEs around its distributed RPC layer. Because these libraries upgrade frequently and downstream applications pin loosely, patching is a real operational problem. AI Threat Alert tracks framework-level CVEs prominently because a single advisory often means urgent work for hundreds of teams.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| HIGH | CVE-2024-6587 | LiteLLM: SSRF leaks OpenAI API key to attacker | litellm | 7.5 |
| HIGH | CVE-2024-32965 | Lobe Chat: pre-auth SSRF leaks OpenAI API keys | 8.6 | |
| UNKNOWN | CVE-2024-56516 | free-one-api: MD5 hashing allows credential cracking | - | |
| MEDIUM | CVE-2025-29770 | vLLM: DoS via unbounded grammar cache exhausts disk | vllm | 6.5 |
| UNKNOWN | CVE-2024-11037 | gpt_academic: path traversal exposes LLM API keys | gpt_academic | - |
| UNKNOWN | CVE-2024-12775 | Dify: SSRF via custom tool URL enables credential theft | - | |
| HIGH | CVE-2024-7959 | Open-WebUI: SSRF via unchecked OpenAI URL leaks internal secrets | open-webui | 7.7 |
| CRITICAL | CVE-2025-59434 | Flowise Cloud: cross-tenant env var exposure leaks API keys | 9.6 | |
| HIGH | CVE-2025-65098 | typebot: XSS enables session hijacking | 7.4 | |
| CRITICAL | CVE-2024-12366 | PandasAI: prompt injection enables unauthenticated RCE | 9.8 | |
| UNKNOWN | CVE-2024-10950 | gpt_academic: RCE via unsandboxed prompt injection | gpt_academic | - |
| HIGH | CVE-2024-12911 | llama-index: SQLi+DoS via prompt injection in query engine | llamaindex | 7.1 |
| HIGH | CVE-2025-66404 | mcp-server-kubernetes: Command Injection enables RCE | 8.8 | |
| HIGH | CVE-2021-43831 | Gradio: path traversal exposes host filesystem to users | gradio | 7.7 |
| HIGH | CVE-2022-24770 | Gradio: CSV formula injection via flagging enables RCE | gradio | 8.8 |
| CRITICAL | CVE-2023-25823 | Gradio: hardcoded SSH key leaks via share=True demos | gradio | 9.8 |
| CRITICAL | CVE-2023-34239 | Gradio: path traversal + SSRF exposes model files & infra | gradio | 9.1 |
| HIGH | CVE-2023-51449 | Gradio: path traversal grants arbitrary file read | gradio | 7.5 |
| HIGH | CVE-2024-34072 | SageMaker SDK: pickle deserialization enables RCE | 7.8 | |
| CRITICAL | CVE-2024-34359 | llama-cpp-python: SSTI in .gguf loader enables RCE | 9.6 |