Framework
AI/ML frameworks sit at the bottom of every AI stack — virtually every production AI system depends transitively on PyTorch or TensorFlow at the training layer, and on LangChain, LlamaIndex, or a similar orchestrator at the application layer. That concentration means a single vulnerability often affects tens of thousands of downstream services. The CVE patterns are recognisable: unsafe deserialization in model loading (the long tail of pickle), template injection in LangChain's prompt-construction utilities, SSRF in LlamaIndex's data-loader connectors, and path traversal in MLflow's experiment storage. PyTorch itself has shipped several high-severity CVEs around its distributed RPC layer. Because these libraries upgrade frequently and downstream applications pin loosely, patching is a real operational problem. AI Threat Alert tracks framework-level CVEs prominently because a single advisory often means urgent work for hundreds of teams.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| HIGH | CVE-2025-1753 | llama-index-cli: OS command injection enables RCE | llama-index | 7.8 |
| CRITICAL | CVE-2024-12029 | InvokeAI: RCE via unsafe torch.load deserialization | InvokeAI | 9.8 |
| HIGH | CVE-2025-47783 | Label Studio: XSS enables unauthorized actions via CSRF | label-studio | - |
| HIGH | CVE-2025-1752 | llama_index: DoS via uncapped recursion in web reader | llama-index | 7.5 |
| CRITICAL | CVE-2025-47241 | browser-use: URL allowlist bypass enables SSRF in agents | browser-use | 9.3 |
| CRITICAL | GHSA-ggpf-24jw-3fcw | vLLM: RCE via malicious model, PyTorch < 2.6 bypass | vllm | 9.8 |
| MEDIUM | GHSA-hf3c-wxg2-49q9 | vLLM: DoS via unbounded XGrammar schema cache | vllm | 6.5 |
| CRITICAL | CVE-2025-32428 | jupyter-remote-desktop-proxy: VNC network exposure | jupyter-remote-desktop-proxy | - |
| MEDIUM | CVE-2025-32381 | xgrammar: unbounded grammar cache causes LLM server DoS | xgrammar | 6.5 |
| HIGH | CVE-2024-8984 | litellm: unauthenticated DoS via multipart boundary parsing | litellm | 7.5 |
| MEDIUM | GHSA-v7x6-rv5q-mhwc | picklescan: bypass allows silent RCE in ML pipelines | picklescan | - |
| MEDIUM | GHSA-fj43-3qmq-673f | picklescan: numpy bypass enables RCE in ML model pipelines | picklescan | - |
| HIGH | CVE-2025-46417 | picklescan: scanner bypass enables DNS data exfiltration | picklescan | - |
| HIGH | CVE-2025-30370 | jupyterlab-git: command injection via malicious repo name | jupyterlab-git | 7.4 |
| CRITICAL | CVE-2024-12909 | llama-index finchat: SQL injection enables RCE | llama-index-packs-finchat | 10.0 |
| MEDIUM | CVE-2025-0508 | SageMaker SDK: MD5 collision silently replaces ML workflows | sagemaker | 5.9 |
| HIGH | CVE-2024-6982 | lollms: RCE via eval() sandbox bypass in Calculate | lollms | 8.4 |
| MEDIUM | CVE-2024-7035 | Open WebUI: CSRF wipes RAG DB and AI memories via GET | open-webui | 6.9 |
| MEDIUM | CVE-2024-12910 | llama-index: DoS via infinite recursion in web reader | llama-index | 5.9 |
| HIGH | CVE-2024-8020 | pytorch-lightning: unauthenticated DoS crashes LightningApp | pytorch-lightning | 7.5 |