Framework
AI/ML frameworks sit at the bottom of every AI stack — virtually every production AI system depends transitively on PyTorch or TensorFlow at the training layer, and on LangChain, LlamaIndex, or a similar orchestrator at the application layer. That concentration means a single vulnerability often affects tens of thousands of downstream services. The CVE patterns are recognisable: unsafe deserialization in model loading (the long tail of pickle), template injection in LangChain's prompt-construction utilities, SSRF in LlamaIndex's data-loader connectors, and path traversal in MLflow's experiment storage. PyTorch itself has shipped several high-severity CVEs around its distributed RPC layer. Because these libraries upgrade frequently and downstream applications pin loosely, patching is a real operational problem. AI Threat Alert tracks framework-level CVEs prominently because a single advisory often means urgent work for hundreds of teams.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| MEDIUM | CVE-2025-67743 | local-deep-research: SSRF allows internal network access | local-deep-research | 6.3 |
| HIGH | CVE-2025-67748 | fickling: Code Injection enables RCE | fickling | - |
| HIGH | CVE-2025-67747 | fickling: Allowlist Bypass evades input filtering | fickling | - |
| HIGH | CVE-2025-67644 | langgraph-checkpoint-sqlite: SQL Injection exposes database | langgraph-checkpoint-sqlite | 7.3 |
| LOW | CVE-2025-63681 | open-webui: Access Control bypass enables privilege escalation | open-webui | - |
| CRITICAL | CVE-2025-33244 | NVIDIA: Deserialization enables RCE | 9.0 | |
| CRITICAL | CVE-2025-34351 | ray: security flaw enables exploitation | ray | - |
| CRITICAL | CVE-2025-62593 | ray: Code Injection enables RCE | ray | - |
| HIGH | CVE-2025-64495 | Open WebUI: XSS-to-RCE via malicious prompt injection | open-webui | 8.7 |
| HIGH | CVE-2025-64439 | langgraph-checkpoint: Deserialization enables RCE | langgraph-checkpoint | - |
| LOW | CVE-2025-50736 | pdf2zh: security flaw enables exploitation | pdf2zh | - |
| HIGH | CVE-2025-64104 | langgraph-checkpoint-sqlite: SQL Injection exposes database | langgraph-checkpoint-sqlite | 7.3 |
| HIGH | CVE-2025-7707 | llama-index: world-writable NLTK dir allows local tampering | llama-index | 7.1 |
| CRITICAL | GHSA-m9mp-6x32-5rhg | scio/PyTorch: torch.load weights_only bypass RCE | - | |
| MEDIUM | CVE-2025-61620 | vllm: DoS via Jinja template injection in chat API | vllm | 6.5 |
| MEDIUM | CVE-2025-8917 | clearml: path traversal in safe_extract → RCE risk | clearml | 5.8 |
| HIGH | CVE-2025-30402 | ExecuTorch: heap overflow in method load, RCE risk | executorch | 8.1 |
| CRITICAL | CVE-2023-48022 | Ray: unauthenticated RCE via job submission API | ray | 9.8 |
| HIGH | CVE-2025-7647 | llama-index-core: insecure /tmp dir, model theft risk | llama-index-core | 7.3 |
| HIGH | CVE-2025-58757 | MONAI: unsafe pickle deserialization RCE in data pipeline | monai | 8.8 |