Framework
AI/ML frameworks sit at the bottom of every AI stack — virtually every production AI system depends transitively on PyTorch or TensorFlow at the training layer, and on LangChain, LlamaIndex, or a similar orchestrator at the application layer. That concentration means a single vulnerability often affects tens of thousands of downstream services. The CVE patterns are recognisable: unsafe deserialization in model loading (the long tail of pickle), template injection in LangChain's prompt-construction utilities, SSRF in LlamaIndex's data-loader connectors, and path traversal in MLflow's experiment storage. PyTorch itself has shipped several high-severity CVEs around its distributed RPC layer. Because these libraries upgrade frequently and downstream applications pin loosely, patching is a real operational problem. AI Threat Alert tracks framework-level CVEs prominently because a single advisory often means urgent work for hundreds of teams.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| HIGH | CVE-2024-12720 | Transformers: ReDoS in Nougat tokenizer causes DoS | transformers | 7.5 |
| MEDIUM | CVE-2025-1194 | transformers: ReDoS in GPT-NeoX Japanese tokenizer | transformers | 6.5 |
| HIGH | CVE-2025-2099 | transformers: ReDoS in testing_utils causes DoS | transformers | 7.5 |
| HIGH | CVE-2025-3262 | Transformers: ReDoS in chat.py causes CPU exhaustion | transformers | 7.5 |
| CRITICAL | CVE-2025-5120 | smolagents: sandbox escape enables unauthenticated RCE | smolagents | 10.0 |
| HIGH | CVE-2026-0599 | text-generation: DoS causes service disruption | text-generation | 7.5 |
| CRITICAL | CVE-2026-2654 | smolagents: SSRF allows internal network access | smolagents | 9.8 |
| MEDIUM | CVE-2021-28796 | Qiita::Markdown: XSS in transformer components | 6.1 | |
| HIGH | CVE-2024-21799 | Intel Extension for Transformers: path traversal privesc | 7.1 | |
| HIGH | CVE-2024-11392 | HuggingFace Transformers: RCE via config deserialization | transformers | 8.8 |
| HIGH | CVE-2024-11393 | Transformers: RCE via MaskFormer model deserialization | transformers | 8.8 |
| HIGH | CVE-2024-11394 | Transformers: RCE via Trax model deserialization | transformers | 8.8 |
| MEDIUM | CVE-2025-3263 | Transformers: ReDoS in config loader causes serving DoS | transformers | 5.3 |
| MEDIUM | CVE-2025-3264 | Transformers: ReDoS in dynamic module loader causes DoS | transformers | 5.3 |
| LOW | CVE-2025-3777 | Transformers: URL validation bypass exposes image pipeline | transformers | 3.5 |
| MEDIUM | CVE-2025-3933 | Transformers: ReDoS in DonutProcessor causes DoS | transformers | 5.3 |
| HIGH | CVE-2025-23298 | Merlin Transformers4Rec: code injection via Python dep | 7.8 | |
| HIGH | CVE-2025-6638 | HuggingFace Transformers: ReDoS in MarianTokenizer | transformers | 7.5 |
| MEDIUM | CVE-2025-6051 | Transformers: ReDoS in EnglishNormalizer exhausts CPU | transformers | 5.3 |
| HIGH | CVE-2025-33213 | NVIDIA: Deserialization enables RCE | 8.8 |