Supply Chain
AI/ML systems sit on a long dependency chain: package managers (PyPI, npm, Cargo), model registries (HuggingFace Hub, Ollama Library), and dataset repositories. Each is a viable attack surface. Common patterns include typosquatting of popular AI packages, malicious post-install scripts in npm/PyPI uploads, and unsafe deserialization in shared model files — PyTorch and pickle-based formats can execute arbitrary code on load, which is why HuggingFace introduced the safer safetensors format. Model-registry attacks have included planting backdoored fine-tunes of popular base models that pass benchmark eval but misbehave on attacker-chosen triggers. Dataset poisoning is the slowest variant: an attacker who can influence a public training corpus inserts content that later teaches downstream models a backdoor. Defenses: pinned versions, signature verification, safetensors over pickle, provenance attestation (SLSA), and scanning model files before load.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| HIGH | CVE-2025-64439 | langgraph-checkpoint: Deserialization enables RCE | langgraph-checkpoint | - |
| HIGH | CVE-2025-7707 | llama-index: world-writable NLTK dir allows local tampering | llama-index | 7.1 |
| CRITICAL | GHSA-m9mp-6x32-5rhg | scio/PyTorch: torch.load weights_only bypass RCE | - | |
| MEDIUM | CVE-2025-8917 | clearml: path traversal in safe_extract → RCE risk | clearml | 5.8 |
| HIGH | CVE-2025-30402 | ExecuTorch: heap overflow in method load, RCE risk | executorch | 8.1 |
| HIGH | CVE-2025-7647 | llama-index-core: insecure /tmp dir, model theft risk | llama-index-core | 7.3 |
| HIGH | CVE-2025-58757 | MONAI: unsafe pickle deserialization RCE in data pipeline | monai | 8.8 |
| HIGH | CVE-2025-58756 | MONAI: unsafe deserialization in CheckpointLoader allows RCE | monai | 8.8 |
| HIGH | CVE-2025-58755 | MONAI: path traversal allows arbitrary file write | monai | 8.8 |
| LOW | CVE-2025-59842 | JupyterLab: missing noopener enables reverse tabnabbing | jupyterlab | - |
| HIGH | CVE-2025-10156 | Picklescan: CRC bypass hides malicious pickle in ZIP | picklescan | 7.5 |
| HIGH | CVE-2025-10157 | PickleScan: subclass bypass enables malicious model RCE | picklescan | 8.3 |
| MEDIUM | GHSA-q77w-mwjj-7mqx | picklescan: scanner bypass enables model RCE | picklescan | - |
| MEDIUM | GHSA-49gj-c84q-6qm9 | picklescan: scanner bypass enables RCE via ML model files | picklescan | - |
| MEDIUM | GHSA-9w88-8rmg-7g2p | picklescan: scan bypass allows silent RCE via ML models | picklescan | - |
| MEDIUM | GHSA-fqq6-7vqf-w3fg | picklescan: detection bypass allows undetected RCE in ML models | picklescan | - |
| MEDIUM | GHSA-3gf5-cxq9-w223 | picklescan: scanner bypass enables pickle RCE in ML models | picklescan | - |
| MEDIUM | GHSA-j343-8v2j-ff7w | picklescan: scanner bypass allows pickle-based RCE | picklescan | - |
| MEDIUM | GHSA-m869-42cg-3xwr | picklescan: scanner bypass enables RCE via ML models | picklescan | - |
| MEDIUM | GHSA-p9w7-82w4-7q8m | picklescan: detection bypass allows pickle RCE in ML pipelines | picklescan | - |