ATLAS Landscape
AML.T0010.003
Model
AI-enabled systems often rely on open-source models in various ways. Most commonly, the victim organization uses these models for fine-tuning: the model is downloaded from an external source and then used as the base that is tuned on a smaller, private dataset. Loading a model often requires executing code embedded in the saved model file. Such files can be compromised with traditional malware or through adversarial AI techniques.
102 CVEs mapped
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| CRITICAL | GHSA-vvpj-8cmc-gx39 | picklescan: security flaw enables exploitation | picklescan | 10.0 |
| CRITICAL | CVE-2025-15379 | MLflow: RCE via unsanitized model dependency specs | mlflow | 10.0 |
| CRITICAL | CVE-2020-13092 | scikit-learn: RCE via malicious joblib model deserialization | scikit-learn | 9.8 |
| CRITICAL | GHSA-g38g-8gr9-h9xp | picklescan: Allowlist Bypass evades input filtering | picklescan | 9.8 |
| CRITICAL | CVE-2023-5245 | MLeap: zip slip in model loading enables RCE | — | 9.8 |
| CRITICAL | CVE-2024-12029 | InvokeAI: RCE via unsafe torch.load deserialization | — | 9.8 |
| CRITICAL | CVE-2025-30405 | ExecuTorch: integer overflow in model load → RCE | executorch | 9.8 |
| CRITICAL | CVE-2024-35198 | TorchServe: URL bypass enables arbitrary model loading | torchserve | 9.8 |
| CRITICAL | CVE-2025-1945 | picklescan: ZIP flag bypass enables RCE in PyTorch models | picklescan | 9.8 |
| CRITICAL | CVE-2025-1550 | Keras: safe_mode bypass enables RCE via model loading | keras | 9.8 |
| CRITICAL | GHSA-ggpf-24jw-3fcw | vLLM: RCE via malicious model, PyTorch < 2.6 bypass | vllm | 9.8 |
| CRITICAL | CVE-2025-49655 | keras: Deserialization enables RCE | keras | 9.8 |
| CRITICAL | CVE-2026-22807 | vllm: Code Injection enables RCE | vllm | 9.8 |
| CRITICAL | CVE-2024-3660 | Keras: RCE via malicious model deserialization | keras | 9.8 |
| CRITICAL | CVE-2024-3568 | HuggingFace Transformers: RCE via pickle deserialization | transformers | 9.6 |
| CRITICAL | CVE-2024-34359 | llama-cpp-python: SSTI in .gguf loader enables RCE | — | 9.6 |
| CRITICAL | CVE-2025-15031 | mlflow: Path Traversal enables file access | mlflow | 9.1 |
| CRITICAL | CVE-2026-28500 | onnx: Integrity Verification bypass enables tampering | onnx | 9.1 |
| HIGH | CVE-2023-6730 | HuggingFace Transformers: RCE via unsafe deserialization | transformers | 8.8 |
| HIGH | CVE-2025-67729 | lmdeploy: Deserialization enables RCE | — | 8.8 |
| HIGH | GHSA-hgrh-qx5j-jfwx | picklescan: Protection Bypass circumvents security controls | picklescan | 8.8 |
| HIGH | CVE-2025-66448 | vllm: Code Injection enables RCE | vllm | 8.8 |
| HIGH | CVE-2025-58756 | MONAI: unsafe deserialization in CheckpointLoader allows RCE | monai | 8.8 |
| HIGH | CVE-2025-24357 | vLLM: unsafe deserialization RCE via model loading | vllm | 8.8 |
| HIGH | CVE-2024-11394 | Transformers: RCE via Trax model deserialization | transformers | 8.8 |
| HIGH | CVE-2024-11393 | Transformers: RCE via MaskFormer model deserialization | transformers | 8.8 |
| HIGH | CVE-2024-37059 | MLflow: RCE via malicious PyTorch model deserialization | mlflow | 8.8 |
| HIGH | CVE-2024-37058 | MLflow: RCE via malicious LangChain model deserialization | mlflow | 8.8 |
| HIGH | CVE-2024-37057 | MLflow: RCE via malicious TensorFlow model deserialization | mlflow | 8.8 |
| HIGH | CVE-2024-37056 | MLflow: RCE via LightGBM model deserialization | mlflow | 8.8 |
| HIGH | CVE-2024-37055 | MLflow: RCE via pmdarima model deserialization | mlflow | 8.8 |
| HIGH | CVE-2024-37053 | MLflow: RCE via malicious scikit-learn model deserialization | mlflow | 8.8 |
| HIGH | CVE-2024-37052 | MLflow: RCE via malicious scikit-learn model upload | mlflow | 8.8 |
| HIGH | CVE-2026-27893 | vLLM: trust_remote_code bypass enables RCE | vllm | 8.8 |
| HIGH | GHSA-j7w6-vpvq-j3gm | diffusers: silent RCE via None.py trust_remote_code bypass | diffusers | 8.8 |
| HIGH | CVE-2026-6859 | InstructLab: RCE via hardcoded trust_remote_code flag | — | 8.8 |
| HIGH | CVE-2026-34445 | ONNX: property overwrite via crafted model file | onnx | 8.6 |
| HIGH | CVE-2020-15212 | TensorFlow Lite: heap OOB write via segment sum op | tensorflow | 8.6 |
| HIGH | CVE-2025-10157 | PickleScan: subclass bypass enables malicious model RCE | picklescan | 8.3 |
| HIGH | CVE-2021-29597 | TensorFlow TFLite: div-by-zero crash via crafted model | tensorflow | 7.8 |
| HIGH | CVE-2026-27905 | bentoml: security flaw enables exploitation | bentoml | 7.8 |
| HIGH | CVE-2025-5173 | label-studio-ml: PyTorch .pt deserialization RCE in YOLO loader | label-studio-ml | 7.8 |
| HIGH | CVE-2025-8747 | Keras: safe mode bypass enables RCE via model load | keras | 7.8 |
| HIGH | CVE-2021-29603 | TensorFlow TFLite: heap OOB write via malformed model | tensorflow | 7.8 |
| HIGH | CVE-2021-29588 | TensorFlow Lite: DoS/RCE via crafted model stride=0 | tensorflow | 7.8 |
| HIGH | CVE-2021-43811 | Sockeye: unsafe YAML load RCE via model config file | — | 7.8 |
| HIGH | CVE-2021-29606 | TensorFlow Lite: OOB read via crafted TFLite model | tensorflow | 7.8 |
| HIGH | CVE-2021-29598 | TensorFlow TFLite: SVDF div-by-zero enables RCE | tensorflow | 7.8 |
| HIGH | CVE-2025-10156 | Picklescan: CRC bypass hides malicious pickle in ZIP | picklescan | 7.5 |
| HIGH | CVE-2026-1669 | keras: File Control enables path manipulation | keras | 7.5 |
| HIGH | CVE-2022-23591 | TensorFlow: SavedModel stack overflow via recursive GraphDef | tensorflow | 7.5 |
| HIGH | CVE-2025-66960 | ollama: Input Validation flaw enables exploitation | ollama | 7.5 |
| HIGH | CVE-2025-9905 | Keras: safe_mode bypass enables RCE via .h5 model files | keras | 7.3 |
| HIGH | CVE-2025-9906 | Keras: safe_mode bypass enables RCE via model load | keras | 7.3 |
| HIGH | CVE-2021-29601 | TensorFlow Lite: integer overflow in model concatenation | tensorflow | 7.1 |
| MEDIUM | CVE-2025-51471 | Ollama: auth token hijack via crafted WWW-Authenticate | ollama | 6.9 |
| MEDIUM | CVE-2022-23583 | TensorFlow: SavedModel type confusion triggers DoS crash | tensorflow | 6.5 |
| MEDIUM | CVE-2022-23565 | TensorFlow: DoS via malicious SavedModel AttrDef duplication | tensorflow | 6.5 |
| MEDIUM | CVE-2022-23586 | TensorFlow: SavedModel DoS crashes Python interpreter | tensorflow | 6.5 |
| MEDIUM | CVE-2020-15209 | TensorFlow Lite: null ptr deref crashes model inference | tensorflow | 5.9 |
| MEDIUM | CVE-2026-1778 | sagemaker: security flaw enables exploitation | sagemaker | 5.9 |
| MEDIUM | CVE-2025-8917 | clearml: path traversal in safe_extract → RCE risk | clearml | 5.8 |
| MEDIUM | CVE-2021-41213 | TensorFlow: tf.function deadlock enables DoS via model load | tensorflow | 5.5 |
| MEDIUM | CVE-2024-31584 | PyTorch: OOB read in mobile model loader leaks memory | pytorch | 5.5 |
| MEDIUM | CVE-2023-48299 | TorchServe: ZipSlip arbitrary file write via model upload | torchserve | 5.3 |
| MEDIUM | CVE-2026-21851 | monai: Path Traversal enables file access | monai | 5.3 |
| MEDIUM | CVE-2020-26266 | TensorFlow: uninitialized memory read via crafted SavedModel | tensorflow | 5.3 |
| LOW | CVE-2020-26271 | TensorFlow: OOB read on saved model load leaks heap addresses | tensorflow | 3.3 |
| UNKNOWN | CVE-2025-12638 | Keras: Path Traversal enables file access | — | — |
| CRITICAL | GHSA-m9mp-6x32-5rhg | scio/PyTorch: torch.load weights_only bypass RCE | — | — |
| HIGH | GHSA-97f8-7cmv-76j2 | picklescan: Allowlist Bypass evades input filtering | picklescan | — |
| MEDIUM | GHSA-j343-8v2j-ff7w | picklescan: scanner bypass allows pickle-based RCE | picklescan | — |
| MEDIUM | GHSA-m869-42cg-3xwr | picklescan: scanner bypass enables RCE via ML models | picklescan | — |
| MEDIUM | GHSA-xp4f-hrf8-rxw7 | picklescan: scanner bypass leads to undetected RCE | picklescan | — |
| MEDIUM | GHSA-8r4j-24qv-fmq9 | picklescan: RCE bypass enables ML supply chain attack | picklescan | — |
| MEDIUM | GHSA-7cq8-mj8x-j263 | picklescan: detection bypass allows malicious pickle RCE | picklescan | — |
| MEDIUM | GHSA-6w4w-5w54-rjvr | picklescan: detection bypass allows RCE via ML model files | picklescan | — |
| MEDIUM | GHSA-3vg9-h568-4w9m | picklescan: RCE bypass via idlelib SetText evasion | picklescan | — |
| MEDIUM | GHSA-f54q-57x4-jg88 | picklescan: scanner bypass enables RCE in ML models | picklescan | — |
| MEDIUM | GHSA-6vqj-c2q5-j97w | picklescan: scanner bypass enables RCE via ML models | picklescan | — |
| MEDIUM | GHSA-vv6j-3g6g-2pvj | picklescan: PyTorch gadget bypasses scanner, enables RCE | picklescan | — |
| MEDIUM | GHSA-vr7h-p6mm-wpmh | picklescan: PyTorch gadget bypasses pickle RCE detection | picklescan | — |
| MEDIUM | GHSA-h3qp-7fh3-f8h4 | picklescan: detection bypass via PyTorch proxy RCE | picklescan | — |
| MEDIUM | GHSA-4r9r-ch6f-vxmx | picklescan: PyTorch bypass allows undetected RCE | picklescan | — |
| UNKNOWN | CVE-2025-14929 | transformers: Deserialization enables RCE | transformers | — |
| MEDIUM | GHSA-r54c-2xmf-2cf3 | ms-swift: RCE via pickle deserialization in adapter models | — | — |
| HIGH | CVE-2025-54413 | skops: RCE via MethodNode unsafe deserialization | skops | — |
| UNKNOWN | CVE-2025-14930 | transformers: Deserialization enables RCE | transformers | — |
| MEDIUM | GHSA-fj43-3qmq-673f | picklescan: numpy bypass enables RCE in ML model pipelines | picklescan | — |
| HIGH | GHSA-vqmv-47xg-9wpr | picklescan: Deserialization enables RCE | picklescan | — |
| HIGH | GHSA-rrxm-2pvv-m66x | picklescan: Code Injection enables RCE | picklescan | — |
| MEDIUM | CVE-2025-1889 | picklescan: extension bypass enables RCE on model load | picklescan | — |
| HIGH | CVE-2026-22609 | fickling: Allowlist Bypass evades input filtering | fickling | — |
| HIGH | GHSA-46h3-79wf-xr6c | picklescan: Code Injection enables RCE | picklescan | — |
| MEDIUM | GHSA-3gf5-cxq9-w223 | picklescan: scanner bypass enables pickle RCE in ML models | picklescan | — |
| HIGH | GHSA-5hwf-rc88-82xm | fickling: Allowlist Bypass evades input filtering | fickling | — |
| HIGH | GHSA-4675-36f9-wf6r | picklescan: Allowlist Bypass evades input filtering | picklescan | — |
| UNKNOWN | CVE-2025-14928 | transformers: Code Injection enables RCE | transformers | — |
| UNKNOWN | CVE-2025-14924 | transformers: Deserialization enables RCE | transformers | — |
| UNKNOWN | CVE-2025-14921 | transformers: Deserialization enables RCE | transformers | — |
| UNKNOWN | CVE-2025-14920 | transformers: Deserialization enables RCE | transformers | — |
| UNKNOWN | CVE-2025-14926 | transformers: Code Injection enables RCE | transformers | — |