Supply Chain
AI/ML systems sit on a long dependency chain: package managers (PyPI, npm, Cargo), model registries (HuggingFace Hub, Ollama Library), and dataset repositories. Each is a viable attack surface. Common patterns include typosquatting of popular AI packages, malicious post-install scripts in npm/PyPI uploads, and unsafe deserialization in shared model files — PyTorch and pickle-based formats can execute arbitrary code on load, which is why HuggingFace introduced the safer safetensors format. Model-registry attacks have included planting backdoored fine-tunes of popular base models that pass benchmark eval but misbehave on attacker-chosen triggers. Dataset poisoning is the slowest variant: an attacker who can influence a public training corpus inserts content that later teaches downstream models a backdoor. Defenses: pinned versions, signature verification, safetensors over pickle, provenance attestation (SLSA), and scanning model files before load.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| CRITICAL | GHSA-ggpf-24jw-3fcw | vLLM: RCE via malicious model, PyTorch < 2.6 bypass | vllm | 9.8 |
| MEDIUM | GHSA-hf3c-wxg2-49q9 | vLLM: DoS via unbounded XGrammar schema cache | vllm | 6.5 |
| MEDIUM | GHSA-v7x6-rv5q-mhwc | picklescan: bypass allows silent RCE in ML pipelines | picklescan | - |
| MEDIUM | GHSA-fj43-3qmq-673f | picklescan: numpy bypass enables RCE in ML model pipelines | picklescan | - |
| HIGH | CVE-2025-46417 | picklescan: scanner bypass enables DNS data exfiltration | picklescan | - |
| HIGH | CVE-2025-30370 | jupyterlab-git: command injection via malicious repo name | jupyterlab-git | 7.4 |
| CRITICAL | CVE-2024-12909 | llama-index finchat: SQL injection enables RCE | llama-index-packs-finchat | 10.0 |
| MEDIUM | CVE-2025-0508 | SageMaker SDK: MD5 collision silently replaces ML workflows | sagemaker | 5.9 |
| MEDIUM | CVE-2024-12910 | llama-index: DoS via infinite recursion in web reader | llama-index | 5.9 |
| CRITICAL | CVE-2024-8019 | pytorch-lightning: file upload RCE (Windows) | pytorch-lightning | 9.1 |
| HIGH | CVE-2024-7776 | ONNX: path traversal in download_model enables RCE | onnx | 8.1 |
| HIGH | GHSA-w466-2wfc-8g58 | open-webui: DoS via starlette memory exhaustion | open-webui | 7.5 |
| MEDIUM | CVE-2024-7034 | open-webui: path traversal allows arbitrary file write/RCE | open-webui | 6.5 |
| CRITICAL | CVE-2024-9052 | vLLM: RCE via pickle deserialization in distributed API | vllm | 9.8 |
| HIGH | CVE-2024-6825 | LiteLLM: RCE via post_call_rules callback injection | litellm | 8.8 |
| MEDIUM | CVE-2025-1716 | picklescan: scanner bypass enables supply chain RCE | picklescan | - |
| MEDIUM | CVE-2025-1889 | picklescan: extension bypass enables RCE on model load | picklescan | - |
| MEDIUM | CVE-2024-53526 | Composio: command injection in AI agent tool calls | composio-openai | 6.4 |
| HIGH | CVE-2024-5187 | ONNX: path traversal in model download enables RCE | onnx | 8.8 |
| HIGH | CVE-2024-49048 | TorchGeo: RCE via code injection in geospatial ML lib | torchgeo | 8.1 |