Supply Chain
AI/ML systems sit on a long dependency chain: package managers (PyPI, npm, Cargo), model registries (HuggingFace Hub, Ollama Library), and dataset repositories. Each is a viable attack surface. Common patterns include typosquatting of popular AI packages, malicious post-install scripts in npm/PyPI uploads, and unsafe deserialization in shared model files — PyTorch and pickle-based formats can execute arbitrary code on load, which is why HuggingFace introduced the safer safetensors format. Model-registry attacks have included planting backdoored fine-tunes of popular base models that pass benchmark eval but misbehave on attacker-chosen triggers. Dataset poisoning is the slowest variant: an attacker who can influence a public training corpus inserts content that later teaches downstream models a backdoor. Defenses: pinned versions, signature verification, safetensors over pickle, provenance attestation (SLSA), and scanning model files before load.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| CRITICAL | CVE-2023-36281 | LangChain: RCE via malicious JSON prompt template | langchain | 9.8 |
| CRITICAL | CVE-2023-39631 | LangChain: RCE via numexpr evaluate injection | langchain | 9.8 |
| CRITICAL | CVE-2024-27444 | LangChain Experimental: RCE via Python sandbox escape | langchain-experimental | 9.8 |
| HIGH | CVE-2024-28088 | LangChain: path traversal enables RCE and API key theft | langchain | 8.1 |
| HIGH | CVE-2024-37058 | MLflow: RCE via malicious LangChain model deserialization | mlflow | 8.8 |
| HIGH | CVE-2024-5998 | LangChain: RCE via FAISS pickle deserialization | langchain | 7.8 |
| CRITICAL | CVE-2024-46946 | LangChain-Experimental: RCE via eval in math chain | langchain-experimental | 9.8 |
| UNKNOWN | CVE-2025-21604 | AIDeepin: MD5 collision enables RAG knowledge base poisoning | - | |
| CRITICAL | CVE-2025-6853 | Langchain-Chatchat: path traversal in KB upload | langchain-chatchat | 9.8 |
| HIGH | CVE-2025-6985 | langchain-text-splitters: XXE enables arbitrary file read | langchain-text-splitters | 7.5 |
| HIGH | CVE-2025-68664 | langchain-core: Deserialization enables RCE | langchain_core | 8.2 |
| CRITICAL | CVE-2025-68665 | langchain.js: Deserialization enables RCE | langchain.js | 9.1 |
| MEDIUM | CVE-2025-53621 | DSpace: XXE injection enables server file disclosure | 6.9 | |
| UNKNOWN | CVE-2025-59532 | OpenAI Codex CLI: sandbox escape via model-generated cwd | - | |
| HIGH | CVE-2025-12973 | AI component: Arbitrary File Upload enables RCE | 7.2 | |
| HIGH | CVE-2022-24770 | Gradio: CSV formula injection via flagging enables RCE | gradio | 8.8 |
| HIGH | CVE-2024-34072 | SageMaker SDK: pickle deserialization enables RCE | 7.8 | |
| CRITICAL | CVE-2024-34359 | llama-cpp-python: SSTI in .gguf loader enables RCE | 9.6 | |
| UNKNOWN | CVE-2024-4181 | llama_index: RCE via eval() in RunGptLLM connector | llamaindex | - |
| CRITICAL | CVE-2025-62608 | mlx: security flaw enables exploitation | mlx | 9.1 |