Supply Chain
AI/ML systems sit on a long dependency chain: package managers (PyPI, npm, Cargo), model registries (HuggingFace Hub, Ollama Library), and dataset repositories. Each is a viable attack surface. Common patterns include typosquatting of popular AI packages, malicious post-install scripts in npm/PyPI uploads, and unsafe deserialization in shared model files — PyTorch and pickle-based formats can execute arbitrary code on load, which is why HuggingFace introduced the safer safetensors format. Model-registry attacks have included planting backdoored fine-tunes of popular base models that pass benchmark eval but misbehave on attacker-chosen triggers. Dataset poisoning is the slowest variant: an attacker who can influence a public training corpus inserts content that later teaches downstream models a backdoor. Defenses: pinned versions, signature verification, safetensors over pickle, provenance attestation (SLSA), and scanning model files before load.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| MEDIUM | CVE-2024-6577 | TorchServe: unverified S3 bucket exposes benchmark data | torchserve | 6.3 |
| MEDIUM | CVE-2025-2953 | PyTorch: DoS via mkldnn_max_pool2d resource leak | pytorch | 5.5 |
| MEDIUM | CVE-2025-2998 | PyTorch: memory corruption in RNN pad_packed_sequence | torch | 5.3 |
| MEDIUM | CVE-2025-2999 | PyTorch: memory corruption in RNN sequence unpacking | torch | 5.3 |
| MEDIUM | CVE-2025-3000 | PyTorch: memory corruption in torch.jit.script compiler | torch | 5.3 |
| MEDIUM | CVE-2025-3121 | PyTorch: memory corruption in JIT flatbuffer loader | pytorch | 5.5 |
| CRITICAL | CVE-2025-32434 | PyTorch: RCE bypasses weights_only=True safe-load guard | pytorch | 9.8 |
| HIGH | CVE-2025-10155 | picklescan: file extension bypass allows model RCE | picklescan | 7.8 |
| MEDIUM | CVE-2025-46149 | PyTorch: reachable assertion in nn.Fold with inductor | pytorch | 5.3 |
| MEDIUM | CVE-2025-46150 | PyTorch: torch.compile silent output inconsistency | pytorch | 5.3 |
| MEDIUM | CVE-2025-46152 | PyTorch: OOB write causes incorrect bitwise shift results | pytorch | 5.3 |
| HIGH | CVE-2025-55552 | PyTorch: integer overflow in rot90+randn_like causes DoS | pytorch | 7.5 |
| HIGH | CVE-2025-55553 | PyTorch 2.7.0: DoS via proxy_tensor.py syntax error | pytorch | 7.5 |
| MEDIUM | CVE-2025-55554 | PyTorch: integer overflow in nan_to_num causes DoS | pytorch | 5.3 |
| HIGH | CVE-2025-62164 | vllm: Input Validation flaw enables exploitation | vllm | 8.8 |
| HIGH | CVE-2026-24747 | pytorch: Code Injection enables RCE | pytorch | 8.8 |
| CRITICAL | CVE-2023-34540 | LangChain: RCE via JiraAPIWrapper crafted input | langchain | 9.8 |
| CRITICAL | CVE-2023-34541 | LangChain: RCE via unsafe load_prompt deserialization | langchain | 9.8 |
| CRITICAL | CVE-2023-36258 | LangChain: unauthenticated RCE via code injection | langchain | 9.8 |
| CRITICAL | CVE-2023-36188 | LangChain: RCE via PALChain unsanitized Python exec | langchain | 9.8 |