Supply Chain
AI/ML systems sit on a long dependency chain: package managers (PyPI, npm, Cargo), model registries (HuggingFace Hub, Ollama Library), and dataset repositories. Each is a viable attack surface. Common patterns include typosquatting of popular AI packages, malicious post-install scripts in npm/PyPI uploads, and unsafe deserialization in shared model files: PyTorch checkpoints and other pickle-based formats can execute arbitrary code on load, which is why HuggingFace introduced the safer safetensors format. Model-registry attacks have included planting backdoored fine-tunes of popular base models that pass benchmark evaluation but misbehave on attacker-chosen triggers. Dataset poisoning is the slowest variant: an attacker who can influence a public training corpus inserts content that later teaches downstream models a backdoor. Defenses include pinned dependency versions, signature verification, safetensors instead of pickle, provenance attestation (SLSA), and scanning model files before they are loaded.
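The last two defenses in the paragraph, preferring safetensors and scanning a model file before loading it, can be demonstrated with a small static pre-load check. The code below is an added example written for this page, not code from any project it mentions. It walks a pickle's opcode stream with `pickletools.genops` (nothing is unpickled), records every global the pickle would import, and rejects any import outside an allowlist; it also recognises the safetensors layout (8-byte little-endian header length followed by a JSON header) and the `torch.save` zip container (a `data.pkl` entry inside the archive). `SAFE_GLOBALS` is an assumed starting allowlist for plain PyTorch state dicts, and every file in `SAMPLES` is a constructed fixture, not a real model. The fixture that must be rejected is simply `pickle.dumps(eval)`: a reference to `builtins.eval` with no call encoded, which is exactly the kind of import a scanner has to refuse.

```python
import collections
import io
import json
import pickle
import pickletools
import struct
import zipfile
from dataclasses import dataclass, field

# Assumed allowlist of globals a plain PyTorch state_dict pickle legitimately
# references (a starting set for this example, not an official list).
SAFE_GLOBALS = {
    ("collections", "OrderedDict"),
    ("torch", "FloatStorage"),
    ("torch", "HalfStorage"),
    ("torch", "LongStorage"),
    ("torch._utils", "_rebuild_tensor_v2"),
}

# Opcodes that push a string. STACK_GLOBAL (protocol 4) takes its module and
# attribute name from the two most recent of these.
STRING_OPS = {"UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8",
              "STRING", "BINSTRING", "SHORT_BINSTRING"}


@dataclass
class ScanResult:
    globals_seen: list = field(default_factory=list)  # every (module, name) the pickle would import
    suspicious: list = field(default_factory=list)    # those not on the allowlist

    @property
    def is_safe(self) -> bool:
        return not self.suspicious


def scan_pickle_bytes(data: bytes) -> ScanResult:
    """Statically walk the opcode stream; no object is ever constructed."""
    result = ScanResult()
    recent_strings: list = []
    for op, arg, _pos in pickletools.genops(data):  # raises ValueError on a malformed stream
        if op.name in STRING_OPS:
            recent_strings.append(arg)
            continue
        if op.name in ("GLOBAL", "INST"):           # protocol <= 3: "module name" in one argument
            module, name = arg.split(" ", 1)
        elif op.name == "STACK_GLOBAL":             # protocol 4: module and name pushed beforehand
            if len(recent_strings) < 2:
                raise ValueError("STACK_GLOBAL without two preceding string pushes")
            module, name = recent_strings[-2], recent_strings[-1]
        else:
            continue
        ref = (module, name)
        result.globals_seen.append(ref)
        if ref not in SAFE_GLOBALS:
            result.suspicious.append(ref)
    return result


def is_safetensors(data: bytes) -> bool:
    """safetensors layout: u64 little-endian header length, then a JSON object header."""
    if len(data) < 8:
        return False
    (hdr_len,) = struct.unpack("<Q", data[:8])
    if hdr_len > len(data) - 8:
        return False
    try:
        header = json.loads(data[8:8 + hdr_len])
    except (UnicodeDecodeError, json.JSONDecodeError):
        return False
    return isinstance(header, dict)


def scan_model_bytes(data: bytes) -> ScanResult:
    """Dispatch on container: safetensors (no code path on load), torch zip, or raw pickle."""
    if is_safetensors(data):
        return ScanResult()
    if zipfile.is_zipfile(io.BytesIO(data)):
        result = ScanResult()
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for entry in zf.namelist():
                if entry.endswith(".pkl"):          # torch.save stores <name>/data.pkl
                    sub = scan_pickle_bytes(zf.read(entry))
                    result.globals_seen += sub.globals_seen
                    result.suspicious += sub.suspicious
        return result
    return scan_pickle_bytes(data)


def build_samples() -> dict:
    """Constructed fixtures for this example; none of these is a real model file."""
    clean_state_dict = pickle.dumps(collections.OrderedDict(weight=[0.1, 0.2]), protocol=3)
    # A bare reference to builtins.eval: loading would import the name (no call is encoded),
    # but it is outside the allowlist and must be rejected before any load is attempted.
    code_ref_global = pickle.dumps(eval, protocol=3)        # emits the GLOBAL opcode
    code_ref_stack_global = pickle.dumps(eval, protocol=4)  # emits STACK_GLOBAL
    buf = io.BytesIO()                                      # torch-style zip wrapping the clean pickle
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("archive/data.pkl", clean_state_dict)
    header = json.dumps({"weight": {"dtype": "F32", "shape": [2], "data_offsets": [0, 8]}}).encode()
    safetensors_blob = struct.pack("<Q", len(header)) + header + struct.pack("<2f", 0.1, 0.2)
    return {
        "clean_state_dict": clean_state_dict,
        "code_ref_global": code_ref_global,
        "code_ref_stack_global": code_ref_stack_global,
        "torch_zip": buf.getvalue(),
        "safetensors": safetensors_blob,
    }


SAMPLES = build_samples()

if __name__ == "__main__":
    for label, blob in SAMPLES.items():
        r = scan_model_bytes(blob)
        print(f"{label:<22} {'OK' if r.is_safe else 'REJECT':<7} globals={r.globals_seen}")
```

The allowlist is the part to maintain: a model that needs a global outside it should be added explicitly after review rather than by loosening the check, and a file that reaches `scan_pickle_bytes` at all is already the weaker format, so the safetensors branch is the outcome to aim for.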
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| HIGH | CVE-2021-29591 | TFLite: crafted model causes infinite loop / stack overflow | tensorflow | 7.8 |
| HIGH | CVE-2021-29592 | TensorFlow Lite: null-ptr deref in Reshape via 1D tensor | tensorflow | 7.8 |
| HIGH | CVE-2021-29593 | TensorFlow TFLite: div-by-zero via crafted model file | tensorflow | 7.8 |
| HIGH | CVE-2021-29594 | TFLite: divide-by-zero in conv allows code execution | tensorflow | 7.8 |
| HIGH | CVE-2021-29595 | TensorFlow TFLite: crash/RCE via malicious model file | tensorflow | 7.8 |
| HIGH | CVE-2021-29596 | TensorFlow TFLite: div-by-zero in EmbeddingLookup op | tensorflow | 7.8 |
| HIGH | CVE-2021-29597 | TensorFlow TFLite: div-by-zero crash via crafted model | tensorflow | 7.8 |
| HIGH | CVE-2021-29598 | TensorFlow TFLite: SVDF div-by-zero enables RCE | tensorflow | 7.8 |
| HIGH | CVE-2021-29599 | TFLite Split: malicious model triggers div-by-zero (DoS/RCE) | tensorflow | 7.8 |
| HIGH | CVE-2021-29600 | TensorFlow TFLite: div-by-zero via crafted OneHot model | tensorflow | 7.8 |
| HIGH | CVE-2021-29601 | TensorFlow Lite: integer overflow in model concatenation | tensorflow | 7.1 |
| HIGH | CVE-2021-29603 | TensorFlow TFLite: heap OOB write via malformed model | tensorflow | 7.8 |
| MEDIUM | CVE-2021-29604 | TFLite: DoS via division by zero in hashtable lookup | tensorflow | 5.5 |
| MEDIUM | CVE-2021-29605 | TFLite: integer overflow DoS via crafted model file | tensorflow | 5.5 |
| HIGH | CVE-2021-29606 | TensorFlow Lite: OOB read via crafted TFLite model | tensorflow | 7.8 |
| HIGH | CVE-2021-29608 | TensorFlow: heap OOB in RaggedTensorToTensor op | tensorflow | 7.8 |
| MEDIUM | CVE-2021-29615 | TensorFlow: uncontrolled recursion DoS in ParseAttrValue | tensorflow | 5.5 |
| CRITICAL | CVE-2021-35958 | TensorFlow: path traversal in get_file allows file overwrite | tensorflow | 9.1 |
| HIGH | CVE-2021-37641 | TensorFlow: RaggedGather OOB read - heap leak + DoS | tensorflow | 7.1 |
| MEDIUM | CVE-2021-37680 | TFLite: division by zero crashes fully connected layers | tensorflow | 5.5 |