Framework
AI/ML frameworks sit at the bottom of every AI stack — virtually every production AI system depends transitively on PyTorch or TensorFlow at the training layer, and on LangChain, LlamaIndex, or a similar orchestrator at the application layer. That concentration means a single vulnerability often affects tens of thousands of downstream services. The CVE patterns are recognisable: unsafe deserialization in model loading (the long tail of pickle), template injection in LangChain's prompt-construction utilities, SSRF in LlamaIndex's data-loader connectors, and path traversal in MLflow's experiment storage. PyTorch itself has shipped several high-severity CVEs around its distributed RPC layer. Because these libraries upgrade frequently and downstream applications pin loosely, patching is a real operational problem. AI Threat Alert tracks framework-level CVEs prominently because a single advisory often means urgent work for hundreds of teams.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| HIGH | GHSA-5ccf-884p-4jjq | open-webui: DoS via unauthenticated multipart parsing | open-webui | 7.5 |
| CRITICAL | CVE-2024-9052 | vLLM: RCE via pickle deserialization in distributed API | vllm | 9.8 |
| HIGH | CVE-2024-9606 | LiteLLM: API key leakage in logs exposes credentials | litellm | 7.5 |
| HIGH | CVE-2025-0628 | litellm: privilege escalation viewer→proxy admin via bad API key | litellm | 8.1 |
| HIGH | CVE-2025-0330 | LiteLLM: Langfuse API key leak via error handling | litellm | 7.5 |
| HIGH | CVE-2024-6825 | LiteLLM: RCE via post_call_rules callback injection | litellm | 8.8 |
| HIGH | CVE-2024-10572 | H2O-3: unauthenticated AST parser enables DoS + file write | h2o | 7.5 |
| MEDIUM | CVE-2025-1979 | Ray: Redis password exposed via plaintext logging | ray | 6.4 |
| MEDIUM | CVE-2025-1716 | picklescan: scanner bypass enables supply chain RCE | picklescan | - |
| MEDIUM | CVE-2025-1889 | picklescan: extension bypass enables RCE on model load | picklescan | - |
| CRITICAL | CVE-2025-25362 | spacy-llm: SSTI allows unauthenticated RCE (CVSS 9.8) | spacy-llm | 9.8 |
| CRITICAL | CVE-2023-25574 | JupyterHub LTI13: JWT forgery enables full auth bypass | jupyterhub-ltiauthenticator | 10.0 |
| HIGH | CVE-2025-25297 | Label Studio: SSRF via S3 endpoint exposes internal services | label-studio | 8.6 |
| MEDIUM | CVE-2025-25296 | Label Studio: reflected XSS via label_config param | label-studio | 6.1 |
| HIGH | CVE-2025-25295 | Label Studio SDK: path traversal leaks server filesystem | label-studio-sdk | - |
| MEDIUM | CVE-2024-53526 | Composio: command injection in AI agent tool calls | composio-openai | 6.4 |
| HIGH | CVE-2024-5187 | ONNX: path traversal in model download enables RCE | onnx | 8.8 |
| HIGH | CVE-2024-49048 | TorchGeo: RCE via code injection in geospatial ML lib | torchgeo | 8.1 |
| HIGH | CVE-2025-23205 | nbgrader: Clickjacking exposes formgrader via IFrame | - | |
| CRITICAL | CVE-2023-6021 | Ray: LFI allows unauthenticated file read | ray | 9.3 |