AI Threat Alert
Model
The model itself is an attack surface separate from the code that runs it. The model file is the first concern: pickle-based formats (PyTorch .bin, joblib, older HuggingFace) execute arbitrary code on load, so loading an untrusted model is loading untrusted code; safetensors solves this but adoption is incomplete. The model's behaviour is the second concern: adversarial examples bypass classifiers used as security controls, backdoor patterns planted during training survive deployment unless explicitly tested for, and model-extraction queries can clone proprietary fine-tunes. Production model registries (HuggingFace Hub, Ollama Library) have hosted backdoored variants of popular base models; HuggingFace now scans uploads for known-bad patterns, but defenses lag attacks. We track CVEs against model formats, model-loader libraries, and published research demonstrating new model-level attack classes against shipped commercial models.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| HIGH | CVE-2026-24747 | pytorch: Code Injection enables RCE | pytorch | 8.8 |
| HIGH | CVE-2024-37058 | MLflow: RCE via malicious LangChain model deserialization | mlflow | 8.8 |
| CRITICAL | CVE-2024-34359 | llama-cpp-python: SSTI in .gguf loader enables RCE | 9.6 | |
| HIGH | CVE-2025-62609 | mlx: security flaw enables exploitation | mlx | 7.5 |
| CRITICAL | CVE-2023-1177 | MLflow: path traversal allows arbitrary file read/write | mlflow | 9.8 |
| HIGH | CVE-2023-30172 | MLflow: path traversal exposes arbitrary server files | mlflow | 7.5 |
| CRITICAL | CVE-2023-2780 | MLflow: path traversal allows arbitrary file read/write | mlflow | 9.8 |
| CRITICAL | CVE-2023-3765 | MLflow: path traversal allows arbitrary file read | mlflow | 10.0 |
| HIGH | CVE-2023-4033 | MLflow: OS command injection enables local code execution | mlflow | 7.8 |
| HIGH | CVE-2023-6015 | MLflow: unauthenticated arbitrary file write via PUT | mlflow | 7.5 |
| CRITICAL | CVE-2023-6018 | MLflow: unauth file overwrite enables model poisoning | mlflow | 9.8 |
| CRITICAL | CVE-2023-6014 | MLflow: auth bypass allows arbitrary account creation | mlflow | 9.8 |
| HIGH | CVE-2023-6753 | MLflow: path traversal exposes arbitrary file read/write | mlflow | 8.8 |
| HIGH | CVE-2024-37052 | MLflow: RCE via malicious scikit-learn model upload | mlflow | 8.8 |
| HIGH | CVE-2024-37053 | MLflow: RCE via malicious scikit-learn model deserialization | mlflow | 8.8 |
| HIGH | CVE-2024-37054 | MLflow: deserialization RCE via malicious PyFunc model | mlflow | 8.8 |
| HIGH | CVE-2024-37055 | MLflow: RCE via pmdarima model deserialization | mlflow | 8.8 |
| HIGH | CVE-2024-37056 | MLflow: RCE via LightGBM model deserialization | mlflow | 8.8 |
| HIGH | CVE-2024-2928 | MLflow: URI fragment LFI exposes arbitrary files | mlflow | 7.5 |
| MEDIUM | CVE-2024-3099 | MLflow: URL encoding bypass enables model poisoning | mlflow | 5.4 |