AI Threat Alert
Model
The model itself is an attack surface separate from the code that runs it. The model file is the first concern: pickle-based formats (PyTorch .bin, joblib, older HuggingFace) execute arbitrary code on load, so loading an untrusted model is loading untrusted code; safetensors solves this but adoption is incomplete. The model's behaviour is the second concern: adversarial examples bypass classifiers used as security controls, backdoor patterns planted during training survive deployment unless explicitly tested for, and model-extraction queries can clone proprietary fine-tunes. Production model registries (HuggingFace Hub, Ollama Library) have hosted backdoored variants of popular base models; HuggingFace now scans uploads for known-bad patterns, but defenses lag attacks. We track CVEs against model formats, model-loader libraries, and published research demonstrating new model-level attack classes against shipped commercial models.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| HIGH | CVE-2025-66448 | vllm: Code Injection enables RCE | vllm | 8.8 |
| CRITICAL | CVE-2026-22807 | vllm: Code Injection enables RCE | vllm | 9.8 |
| MEDIUM | CVE-2024-28224 | Ollama: DNS rebinding exposes LLM API to remote access | ollama | 6.6 |
| HIGH | CVE-2024-45436 | Ollama: ZIP path traversal exposes host filesystem | ollama | 7.5 |
| HIGH | CVE-2024-12055 | Ollama: DoS via malicious gguf model file upload | ollama | 7.5 |
| HIGH | CVE-2024-8063 | ollama: divide-by-zero DoS via crafted GGUF model import | ollama | 7.5 |
| HIGH | CVE-2025-0312 | Ollama: null pointer DoS via malicious GGUF model upload | ollama | 7.5 |
| HIGH | CVE-2025-0315 | Ollama: GGUF model upload causes memory exhaustion DoS | ollama | 7.5 |
| HIGH | CVE-2025-0317 | Ollama: DoS via malicious GGUF model file upload | ollama | 7.5 |
| MEDIUM | CVE-2025-51471 | Ollama: auth token hijack via crafted WWW-Authenticate | ollama | 6.9 |
| CRITICAL | CVE-2025-63389 | ollama: Missing Auth allows unauthenticated access | ollama | 9.8 |
| HIGH | CVE-2025-66960 | ollama: Input Validation flaw enables exploitation | ollama | 7.5 |
| UNKNOWN | CVE-2024-4254 | Gradio: secrets exfiltration via unsafe fork PR workflow | gradio | - |
| CRITICAL | CVE-2025-53002 | LLaMA-Factory: RCE via unsafe checkpoint deserialization | llamafactory | 9.8 |
| UNKNOWN | CVE-2024-4897 | lollms-webui: RCE via malicious GGUF model loading | - | |
| CRITICAL | CVE-2020-13092 | scikit-learn: RCE via malicious joblib model deserialization | scikit-learn | 9.8 |
| HIGH | CVE-2020-28975 | scikit-learn: DoS via crafted SVM model deserialization | scikit-learn | 7.5 |
| HIGH | CVE-2025-54412 | skops: OperatorFuncNode type confusion → RCE | skops | - |
| HIGH | CVE-2025-54413 | skops: RCE via MethodNode unsafe deserialization | skops | - |
| HIGH | CVE-2025-54886 | skops: joblib fallback enables RCE via model load | skops | 8.4 |