Supply Chain
AI/ML systems sit on a long dependency chain: package managers (PyPI, npm, Cargo), model registries (HuggingFace Hub, Ollama Library), and dataset repositories. Each is a viable attack surface. Common patterns include typosquatting of popular AI packages, malicious post-install scripts in npm/PyPI uploads, and unsafe deserialization in shared model files — PyTorch and pickle-based formats can execute arbitrary code on load, which is why HuggingFace introduced the safer safetensors format. Model-registry attacks have included planting backdoored fine-tunes of popular base models that pass benchmark eval but misbehave on attacker-chosen triggers. Dataset poisoning is the slowest variant: an attacker who can influence a public training corpus inserts content that later teaches downstream models a backdoor. Defenses: pinned versions, signature verification, safetensors over pickle, provenance attestation (SLSA), and scanning model files before load.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| HIGH | CVE-2024-37061 | MLflow: RCE via malicious MLproject file execution | mlflow | 8.8 |
| HIGH | CVE-2024-0520 | MLflow: path traversal enables RCE via dataset loading | mlflow | 8.8 |
| HIGH | CVE-2024-2928 | MLflow: URI fragment LFI exposes arbitrary files | mlflow | 7.5 |
| MEDIUM | CVE-2025-1474 | MLflow: passwordless accounts enable persistent backdoor | mlflow | 5.5 |
| CRITICAL | CVE-2025-11200 | mlflow: security flaw enables exploitation | mlflow | 9.8 |
| HIGH | CVE-2025-10279 | mlflow: security flaw enables exploitation | mlflow | 7.0 |
| MEDIUM | CVE-2023-2800 | Transformers: temp file race condition allows local DoS | transformers | 4.7 |
| HIGH | CVE-2023-6730 | HuggingFace Transformers: RCE via unsafe deserialization | transformers | 8.8 |
| HIGH | CVE-2023-7018 | Transformers: unsafe deserialization enables RCE on load | transformers | 7.8 |
| CRITICAL | CVE-2024-3568 | HuggingFace Transformers: RCE via pickle deserialization | transformers | 9.6 |
| UNKNOWN | CVE-2024-3924 | text-generation-inference: workflow injection RCE | - | |
| HIGH | CVE-2025-24357 | vLLM: unsafe deserialization RCE via model loading | vllm | 8.8 |
| CRITICAL | CVE-2025-5120 | smolagents: sandbox escape enables unauthenticated RCE | smolagents | 10.0 |
| HIGH | CVE-2024-21799 | Intel Extension for Transformers: path traversal privesc | 7.1 | |
| HIGH | CVE-2024-11392 | HuggingFace Transformers: RCE via config deserialization | transformers | 8.8 |
| HIGH | CVE-2024-11393 | Transformers: RCE via MaskFormer model deserialization | transformers | 8.8 |
| HIGH | CVE-2024-11394 | Transformers: RCE via Trax model deserialization | transformers | 8.8 |
| MEDIUM | CVE-2025-3264 | Transformers: ReDoS in dynamic module loader causes DoS | transformers | 5.3 |
| HIGH | CVE-2025-23298 | Merlin Transformers4Rec: code injection via Python dep | 7.8 | |
| HIGH | CVE-2025-6638 | HuggingFace Transformers: ReDoS in MarianTokenizer | transformers | 7.5 |