Cost Harvesting
Adversaries may deliberately drive a victim's AI services beyond normal operating capacity with the intent of increasing the cost of services. This may be achieved via high-volume, low-complexity queries ([Excessive Queries](/techniques/AML.T0034.000)) or low-volume, high-complexity queries ([Resource-Intensive Queries](/techniques/AML.T0034.001)). In Generative AI or Agentic AI systems, adversarial prompts may be introduced into the model's context to cause [Agentic Resource Consumption](/techniques/AML.T0034.002).

Unlike resource hijacking, where adversaries may leverage AI resources such as compute, memory, or storage for their own purposes, cost harvesting focuses on resource-centric pressure on a service to ultimately cause financial harm to the victim.

Cost Harvesting is especially relevant for cloud-hosted, pay-per-use AI/ML platforms (e.g., LLM APIs, generative image services, vision-language pipelines). By manipulating request volume or request complexity, an attacker can:

- Inflate the victim's compute or storage consumption, leading to higher operational costs.
- Trigger autoscaling mechanisms that provision additional resources, further amplifying cost and exposure.
- Saturate internal queues or GPU/TPU pipelines, causing latency spikes, request throttling, or outright service unavailability for legitimate users.
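A defender-side sketch of the two pressure patterns described above, added here as an example (it is not ATLAS code): a per-client admission check that caps both the request count and the estimated token cost inside a sliding window. The class names, thresholds and sample traffic are constructed assumptions.

```python
from collections import Counter, defaultdict, deque
from dataclasses import dataclass


@dataclass
class Limits:                      # all thresholds are illustrative assumptions
    window_s: float = 60.0         # sliding-window length in seconds
    max_requests: int = 100        # volume cap per window (excessive queries)
    max_window_cost: int = 20_000  # token budget per window (resource-intensive queries)
    max_request_cost: int = 8_000  # ceiling for any single request


class CostGuard:
    """Per-client admission check run before a request reaches the model."""

    def __init__(self, limits: Limits):
        self.limits = limits
        self.history = defaultdict(deque)  # client -> deque of (timestamp, cost)
        self.spent = defaultdict(int)      # client -> cost admitted in current window

    def check(self, client: str, ts: float, prompt_tokens: int, max_output_tokens: int) -> str:
        cost = prompt_tokens + max_output_tokens  # worst-case billable tokens
        q = self.history[client]
        while q and q[0][0] <= ts - self.limits.window_s:  # expire old entries
            self.spent[client] -= q.popleft()[1]
        if cost > self.limits.max_request_cost:
            return "reject:request_too_expensive"
        if len(q) >= self.limits.max_requests:
            return "reject:too_many_requests"
        if self.spent[client] + cost > self.limits.max_window_cost:
            return "reject:budget_exhausted"
        q.append((ts, cost))  # only admitted requests count against the budget
        self.spent[client] += cost
        return "allow"


def constructed_events():
    """Constructed sample traffic: (client, timestamp, prompt_tokens, max_output_tokens)."""
    events = [("key-A", i * 0.1, 10, 10) for i in range(150)]         # many cheap calls
    events += [("key-B", float(i), 2_000, 4_000) for i in range(5)]   # few costly calls
    events += [("key-C", 3.0, 1_000, 8_000)]                          # one oversized call
    events += [("key-D", float(i * 10), 300, 200) for i in range(3)]  # ordinary client
    return sorted(events, key=lambda e: e[1])


def replay(events, guard):
    """Return {client: {decision: count}} for a stream of events."""
    summary = defaultdict(Counter)
    for client, ts, prompt, out in events:
        summary[client][guard.check(client, ts, prompt, out)] += 1
    return {c: dict(v) for c, v in summary.items()}


if __name__ == "__main__":
    for client, decisions in sorted(replay(constructed_events(), CostGuard(Limits())).items()):
        print(client, decisions)
```

Charging the worst case (`prompt_tokens + max_output_tokens`) at admission time means a request cannot exceed its reservation once it is running; the rejection counts per client are also a usable detection signal for billing alerts.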
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| CRITICAL | CVE-2024-52384 | Sage AI Plugin: unrestricted upload → web shell RCE | | 9.9 |
| CRITICAL | CVE-2026-30824 | Flowise: auth bypass exposes NVIDIA NIM container endpoints | flowise | 9.8 |
| CRITICAL | CVE-2025-63389 | ollama: Missing Auth allows unauthenticated access | ollama | 9.8 |
| CRITICAL | CVE-2026-0545 | MLflow: auth bypass in job API enables unauthenticated RCE | mlflow | 9.1 |
| HIGH | GHSA-mcmc-2m55-j8jj | vllm: Input Validation flaw enables exploitation | vllm | 8.8 |
| HIGH | CVE-2024-32965 | Lobe Chat: pre-auth SSRF leaks OpenAI API keys | | 8.6 |
| HIGH | CVE-2025-5302 | llama-index: JSON parsing DoS via deep recursion | llama-index-core | 8.6 |
| HIGH | CVE-2026-29872 | awesome-llm-apps MCP Agent: cross-session credential theft | | 8.2 |
| HIGH | CVE-2026-1117 | lollms: Access Control bypass enables privilege escalation | lollms | 8.2 |
| HIGH | CVE-2024-0452 | WordPress AI ChatBot: auth bypass enables OpenAI file upload | wpbot | 7.7 |
| HIGH | CVE-2026-44555 | open-webui: access control bypass via model chaining | open-webui | 7.6 |
| HIGH | CVE-2022-35985 | TensorFlow: DoS via malformed LRNGrad tensor input | tensorflow | 7.5 |
| HIGH | CVE-2022-35979 | TensorFlow: DoS via nonscalar input in QuantizedRelu | tensorflow | 7.5 |
| HIGH | CVE-2026-32701 | | | 7.5 |
| HIGH | CVE-2026-40116 | PraisonAI: unauth WebSocket drains OpenAI API credits | praisonai | 7.5 |
| HIGH | CVE-2026-0599 | text-generation: DoS causes service disruption | | 7.5 |
| HIGH | CVE-2024-8966 | Gradio: DoS via malformed multipart boundary | video | 7.5 |
| HIGH | CVE-2024-12720 | Transformers: ReDoS in Nougat tokenizer causes DoS | transformers | 7.5 |
| HIGH | CVE-2022-35965 | TensorFlow: NULL deref DoS via empty tensor input | tensorflow | 7.5 |
| HIGH | CVE-2024-10624 | Gradio: ReDoS in DateTime causes CPU exhaustion DoS | gradio | 7.5 |
| HIGH | CVE-2024-10569 | Gradio: zip bomb DoS via dataframe CSV upload | gradio | 7.5 |
| HIGH | CVE-2024-10188 | litellm: unauthenticated DoS crashes LLM proxy server | litellm | 7.5 |
| HIGH | CVE-2022-35969 | TensorFlow: DoS via malformed Conv2DBackpropInput | tensorflow | 7.5 |
| HIGH | CVE-2024-39721 | Ollama: DoS via /dev/random causes goroutine exhaustion | ollama | 7.5 |
| HIGH | CVE-2022-35972 | TensorFlow: DoS via QuantizedBiasAdd rank validation | tensorflow | 7.5 |
| HIGH | CVE-2024-8768 | vLLM: unauthenticated DoS via empty completion prompt | | 7.5 |
| HIGH | CVE-2024-6587 | LiteLLM: SSRF leaks OpenAI API key to attacker | litellm | 7.5 |
| HIGH | CVE-2023-33976 | TensorFlow: DoS via upper_bound rank validation crash | tensorflow | 7.5 |
| HIGH | CVE-2024-34527 | SolidUI: OpenAI API key exposed via log print statement | | 7.5 |
| HIGH | CVE-2023-25676 | TensorFlow: NULL ptr deref DoS in ParallelConcat op | tensorflow | 7.5 |
| HIGH | CVE-2023-25675 | TensorFlow XLA: Bincount shape mismatch causes DoS | tensorflow | 7.5 |
| HIGH | CVE-2023-25666 | TensorFlow: FPE in AudioSpectrogram causes DoS | tensorflow | 7.5 |
| HIGH | CVE-2022-41908 | TensorFlow: DoS via invalid UTF-8 input to PyFunc op | tensorflow | 7.5 |
| HIGH | CVE-2022-41901 | TensorFlow: DoS via SparseMatrixNNZ CHECK assertion fail | tensorflow | 7.5 |
| HIGH | CVE-2022-41897 | TensorFlow: OOB read in FractionMaxPoolGrad causes DoS | tensorflow | 7.5 |
| HIGH | CVE-2022-41896 | TensorFlow: DoS via oversized filterbank_channel_count | tensorflow | 7.5 |
| HIGH | CVE-2022-41893 | TensorFlow: DoS via TensorListResize malformed input | tensorflow | 7.5 |
| HIGH | CVE-2022-41890 | TensorFlow: int32 overflow in BCast::ToShape causes DoS | tensorflow | 7.5 |
| HIGH | CVE-2022-41887 | TensorFlow: int32 overflow crashes Poisson loss function | tensorflow | 7.5 |
| HIGH | CVE-2022-41886 | TensorFlow: integer overflow in image op causes DoS | tensorflow | 7.5 |
| HIGH | CVE-2022-41884 | TensorFlow: DoS via malformed numpy array shape | tensorflow | 7.5 |
| HIGH | CVE-2022-41883 | TensorFlow: executor crash via malformed op inputs (DoS) | tensorflow | 7.5 |
| HIGH | CVE-2022-36014 | TensorFlow: null ptr dereference in MLIR causes remote DoS | tensorflow | 7.5 |
| HIGH | CVE-2022-36005 | TensorFlow: DoS via CHECK fail in fake_quant gradient | tensorflow | 7.5 |
| HIGH | CVE-2022-36002 | TensorFlow: DoS via Unbatch assertion failure | tensorflow | 7.5 |
| HIGH | CVE-2022-35999 | TensorFlow: DoS via empty Conv2DBackpropInput tensors | tensorflow | 7.5 |
| HIGH | CVE-2022-35998 | TensorFlow: DoS via EmptyTensorList CHECK fail | tensorflow | 7.5 |
| HIGH | CVE-2022-35997 | TensorFlow: CHECK-fail DoS in tf.sparse.cross op | tensorflow | 7.5 |
| HIGH | CVE-2022-35996 | TensorFlow: Conv2D DoS via empty input tensor | tensorflow | 7.5 |
| HIGH | CVE-2022-35994 | TensorFlow: CollectiveGather assertion DoS via scalar | tensorflow | 7.5 |
| HIGH | CVE-2022-35992 | TensorFlow: DoS via malformed TensorList element shape | tensorflow | 7.5 |
| HIGH | CVE-2022-35991 | TensorFlow: DoS via TensorListScatter CHECK fail | tensorflow | 7.5 |
| HIGH | CVE-2022-36018 | TensorFlow: RaggedTensor CHECK fail remote DoS | tensorflow | 7.5 |
| HIGH | CVE-2022-35989 | TensorFlow: MaxPool GPU kernel DoS via oversized ksize | tensorflow | 7.5 |
| HIGH | CVE-2022-35988 | TensorFlow: GPU DoS via empty input to matrix_rank op | tensorflow | 7.5 |
| HIGH | CVE-2022-35987 | TensorFlow: DoS via DenseBincount shape mismatch | tensorflow | 7.5 |
| HIGH | CVE-2022-35983 | TensorFlow: DoS via Save/SaveSlices dtype CHECK fail | tensorflow | 7.5 |
| HIGH | CVE-2025-66959 | ollama: Input Validation flaw enables exploitation | ollama | 7.5 |
| HIGH | CVE-2026-23490 | | | 7.5 |
| HIGH | CVE-2025-15514 | ollama: security flaw enables exploitation | ollama | 7.5 |
| HIGH | CVE-2024-58339 | llamaindex: Resource Exhaustion enables DoS | llamaindex | 7.5 |
| HIGH | CVE-2025-66960 | ollama: Input Validation flaw enables exploitation | ollama | 7.5 |
| HIGH | CVE-2024-58340 | langchain: security flaw enables exploitation | langchain | 7.5 |
| HIGH | CVE-2026-0621 | mcp_typescript_sdk: security flaw enables exploitation | | 7.5 |
| HIGH | CVE-2026-22773 | vllm: Resource Exhaustion enables DoS | vllm | 7.5 |
| HIGH | CVE-2025-59425 | vLLM: timing attack enables API key bypass | vllm | 7.5 |
| HIGH | CVE-2025-55559 | TensorFlow: DoS via Conv2D valid padding crash | tensorflow | 7.5 |
| HIGH | CVE-2025-55551 | PyTorch: DoS in linalg.lu via malformed slice op | pytorch | 7.5 |
| HIGH | CVE-2025-6921 | Transformers: ReDoS in optimizer halts training pipelines | transformers | 7.5 |
| HIGH | CVE-2025-6638 | HuggingFace Transformers: ReDoS in MarianTokenizer | transformers | 7.5 |
| HIGH | CVE-2025-48956 | vLLM: unauthenticated DoS via oversized HTTP header | vllm | 7.5 |
| HIGH | CVE-2025-48889 | Gradio: unauthenticated file copy enables disk DoS | gradio | 7.5 |
| HIGH | CVE-2025-2099 | transformers: ReDoS in testing_utils causes DoS | transformers | 7.5 |
| HIGH | CVE-2025-1752 | llama_index: DoS via uncapped recursion in web reader | llama-index | 7.5 |
| HIGH | CVE-2025-0649 | TensorFlow Serving: JSON recursion DoS on inference API | tensorflow_serving | 7.5 |
| HIGH | CVE-2025-46560 | vLLM: DoS via quadratic multimodal tokenizer input | vllm | 7.5 |
| HIGH | CVE-2026-41279 | Flowise: unauth API key abuse via TTS endpoint IDOR | flowise | 7.5 |
| HIGH | GHSA-5ccf-884p-4jjq | open-webui: DoS via unauthenticated multipart parsing | open-webui | 7.5 |
| HIGH | CVE-2024-8984 | litellm: unauthenticated DoS via multipart boundary parsing | litellm | 7.5 |
| HIGH | CVE-2024-8053 | Open-WebUI: unauthenticated PDF endpoint enables DoS | open-webui | 7.5 |
| HIGH | CVE-2024-7983 | open-webui: unauthenticated DoS via markdown parser | open-webui | 7.5 |
| HIGH | GHSA-hh3j-9m59-p8vc | BentoML: DoS via multipart boundary in Gradio login | bentoml | 7.5 |
| HIGH | CVE-2024-12534 | open-webui: unauthenticated DoS via login payload flood | open-webui | 7.5 |
| HIGH | CVE-2024-12537 | Open-WebUI: unauthenticated DoS via code formatter | open-webui | 7.5 |
| HIGH | CVE-2025-0453 | MLflow: GraphQL DoS disables ML tracking server | mlflow | 7.5 |
| HIGH | GHSA-6wj5-5pgr-jwq8 | open-webui: DoS via malformed multipart boundary | open-webui | 7.5 |
| HIGH | CVE-2024-9056 | BentoML: DoS via multipart boundary exhausts server | bentoml | 7.5 |
| HIGH | CVE-2025-65098 | typebot: XSS enables session hijacking | | 7.4 |
| HIGH | CVE-2026-44567 | Open WebUI: auth bypass gives pending users full LLM access | open-webui | 7.3 |
| HIGH | CVE-2025-5018 | Hive Support WP: OpenAI key theft + prompt hijack | | 7.1 |
| HIGH | CVE-2026-44556 | open-webui: auth bypass allows unrestricted model access | open-webui | 7.1 |
| MEDIUM | CVE-2024-28224 | Ollama: DNS rebinding exposes LLM API to remote access | ollama | 6.6 |
| MEDIUM | CVE-2022-23585 | TensorFlow: memory leak in PNG decode causes DoS | tensorflow | 6.5 |
| MEDIUM | GHSA-hf3c-wxg2-49q9 | vLLM: DoS via unbounded XGrammar schema cache | vllm | 6.5 |
| MEDIUM | CVE-2025-14980 | BetterDocs: Info Disclosure leaks sensitive data | | 6.5 |
| MEDIUM | CVE-2025-32381 | xgrammar: unbounded grammar cache causes LLM server DoS | xgrammar | 6.5 |
| MEDIUM | CVE-2026-34756 | vLLM: DoS via unbounded n parameter causes OOM crash | vllm | 6.5 |
| MEDIUM | CVE-2022-23575 | TensorFlow: integer overflow in cost estimator → DoS | tensorflow | 6.5 |
| MEDIUM | CVE-2024-9277 | Langflow: ReDoS crashes LLM workflow backend via HTTP POST | langflow | 6.5 |
| MEDIUM | CVE-2025-62372 | vllm: security flaw enables exploitation | vllm | 6.5 |
| MEDIUM | CVE-2025-13359 | taxopress: SQL Injection exposes database | | 6.5 |
| MEDIUM | CVE-2025-62426 | vllm: Resource Exhaustion enables DoS | vllm | 6.5 |
| MEDIUM | CVE-2023-25661 | TensorFlow: DoS via malformed Convolution3D input | tensorflow | 6.5 |
| MEDIUM | CVE-2025-29770 | vLLM: DoS via unbounded grammar cache exhausts disk | vllm | 6.5 |
| MEDIUM | CVE-2024-13698 | Jobify WP: missing authz allows OpenAI key abuse, SSRF | | 6.5 |
| MEDIUM | CVE-2026-30886 | AI component: IDOR enables unauthorized data access | | 6.5 |
| MEDIUM | CVE-2022-23580 | TensorFlow: uncontrolled allocation DoS in shape inference | tensorflow | 6.5 |
| MEDIUM | CVE-2026-34755 | vLLM: OOM DoS via unbounded video frame decoding | vllm | 6.5 |
| MEDIUM | CVE-2022-23571 | TensorFlow: protobuf assertion DoS via invalid tensor dtype | tensorflow | 6.5 |
| MEDIUM | CVE-2025-1194 | transformers: ReDoS in GPT-NeoX Japanese tokenizer | transformers | 6.5 |
| MEDIUM | GHSA-mvv8-v4jj-g47j | Directus: cleartext storage exposes AI API keys | | 6.5 |
| MEDIUM | CVE-2022-23568 | TensorFlow: integer overflow DoS in sparse tensor ops | tensorflow | 6.5 |
| MEDIUM | CVE-2022-23569 | TensorFlow: DoS via reachable assertions in ML ops | tensorflow | 6.5 |
| MEDIUM | GHSA-vrqm-gvq7-rrwh | | | 6.5 |
| MEDIUM | CVE-2022-21738 | TensorFlow: integer overflow crashes process via sparse op | tensorflow | 6.5 |
| MEDIUM | CVE-2025-48944 | vLLM: input validation DoS crashes inference worker | vllm | 6.5 |
| MEDIUM | CVE-2025-48943 | vLLM: ReDoS crashes inference server via malformed regex | vllm | 6.5 |
| MEDIUM | CVE-2022-21732 | TensorFlow: ThreadPoolHandle DoS via memory exhaustion | tensorflow | 6.5 |
| MEDIUM | CVE-2022-21733 | TensorFlow: StringNGrams integer overflow enables OOM DoS | tensorflow | 6.5 |
| MEDIUM | CVE-2022-23567 | TensorFlow: integer overflow DoS in sparse tensor ops | tensorflow | 6.5 |
| MEDIUM | CVE-2025-48887 | vLLM: ReDoS in tool parser causes service outage | vllm | 6.5 |
| MEDIUM | CVE-2025-61620 | vllm: DoS via Jinja template injection in chat API | vllm | 6.5 |
| MEDIUM | CVE-2024-11896 | WP Text Prompter: Stored XSS in OpenAI shortcode plugin | | 6.4 |
| MEDIUM | CVE-2024-8939 | ilab/vllm: best_of param causes inference API DoS | | 6.2 |
| MEDIUM | CVE-2024-1455 | LangChain: Billion Laughs XML expansion causes DoS | langchain | 5.9 |
| MEDIUM | CVE-2024-12910 | llama-index: DoS via infinite recursion in web reader | llama-index | 5.9 |
| MEDIUM | CVE-2026-29772 | | | 5.9 |
| MEDIUM | CVE-2026-34052 | ltiauthenticator: OAuth nonce leak causes server DoS | | 5.9 |
| MEDIUM | CVE-2021-29551 | TensorFlow: OOB read DoS in MatrixTriangularSolve kernel | tensorflow | 5.5 |
| MEDIUM | CVE-2025-3730 | PyTorch: DoS via ctc_loss resource mishandling | pytorch | 5.5 |
| MEDIUM | CVE-2022-29202 | TensorFlow: DoS via ragged tensor memory exhaustion | tensorflow | 5.5 |
| MEDIUM | CVE-2022-29198 | TensorFlow: DoS via sparse tensor input validation failure | tensorflow | 5.5 |
| MEDIUM | CVE-2022-29196 | TensorFlow: DoS via invalid Conv3D filter input | tensorflow | 5.5 |
| MEDIUM | CVE-2022-29195 | TensorFlow: StagePeek DoS via unvalidated index scalar | tensorflow | 5.5 |
| MEDIUM | CVE-2021-41218 | TensorFlow: AllToAll DoS via divide-by-zero crash | tensorflow | 5.5 |
| MEDIUM | CVE-2021-41200 | TensorFlow: DoS crash in tf.summary file writer | tensorflow | 5.5 |
| MEDIUM | CVE-2021-41199 | TensorFlow: tf.image.resize integer overflow DoS | tensorflow | 5.5 |
| MEDIUM | CVE-2021-41198 | TensorFlow: tf.tile integer overflow crashes ML process | tensorflow | 5.5 |
| MEDIUM | CVE-2021-41197 | TensorFlow: integer overflow in tensor dims causes DoS | tensorflow | 5.5 |
| MEDIUM | CVE-2021-37673 | TensorFlow: MapStage CHECK-fail causes process DoS | tensorflow | 5.5 |
| MEDIUM | CVE-2021-37669 | TensorFlow: integer conversion DoS in NonMaxSuppression ops | tensorflow | 5.5 |
| MEDIUM | CVE-2021-29543 | TensorFlow: DoS via assertion fail in CTCGreedyDecoder | tensorflow | 5.5 |
| MEDIUM | CVE-2021-29531 | TensorFlow: DoS crash via empty tensor in PNG encoding | tensorflow | 5.5 |
| MEDIUM | CVE-2021-29538 | TensorFlow: div-by-zero DoS in Conv2DBackpropFilter | tensorflow | 5.5 |
| MEDIUM | CVE-2021-29526 | TensorFlow: Conv2D divide-by-zero crashes ML workloads | tensorflow | 5.5 |
| MEDIUM | CVE-2021-29522 | TensorFlow: Conv3DBackprop div-by-zero crashes training | tensorflow | 5.5 |
| MEDIUM | CVE-2026-40864 | JupyterHub: CSRF bypass on spawn and share endpoints | jupyterhub | 5.4 |
| MEDIUM | CVE-2025-5197 | Transformers: ReDoS in TF-to-PyTorch weight converter | transformers | 5.3 |
| MEDIUM | CVE-2025-6208 | llama-index-core: DoS causes service disruption | llama-index-core | 5.3 |
| MEDIUM | CVE-2026-2589 | Greenshift: Info Disclosure leaks sensitive data | | 5.3 |
| MEDIUM | CVE-2024-6845 | ChatGPT WP Plugin: OpenAI API key leak via unauth REST | | 5.3 |
| MEDIUM | CVE-2025-6051 | Transformers: ReDoS in EnglishNormalizer exhausts CPU | transformers | 5.3 |
| MEDIUM | CVE-2024-6838 | MLflow: unconstrained input causes UI denial of service | mlflow | 5.3 |
| MEDIUM | CVE-2025-3263 | Transformers: ReDoS in config loader causes serving DoS | transformers | 5.3 |
| MEDIUM | CVE-2025-3264 | Transformers: ReDoS in dynamic module loader causes DoS | transformers | 5.3 |
| MEDIUM | CVE-2025-3933 | Transformers: ReDoS in DonutProcessor causes DoS | transformers | 5.3 |
| MEDIUM | CVE-2026-39411 | LobeChat: auth bypass via forged XOR obfuscated header | @lobehub/lobehub | 5.0 |
| MEDIUM | CVE-2025-11972 | AI component: SQL Injection exposes database | | 4.9 |
| MEDIUM | CVE-2025-31843 | OpenAI WP Plugin: broken access control on AI settings | | 4.3 |
| MEDIUM | CVE-2025-12732 | AI component: Info Disclosure leaks sensitive data | | 4.3 |
| MEDIUM | CVE-2020-15192 | TensorFlow: memory leak in dlpack DoS via low-priv input | tensorflow | 4.3 |
| MEDIUM | GHSA-j828-28rj-hfhp | vllm: ReDoS in inference endpoints enables DoS | vllm | 4.3 |
| MEDIUM | CVE-2026-6393 | BetterDocs: Auth bypass drains OpenAI API quota | | 4.3 |
| MEDIUM | CVE-2025-60511 | Moodle: IDOR enables unauthorized data access | | 4.3 |
| MEDIUM | CVE-2025-12360 | Better: security flaw enables exploitation | | 4.3 |
| LOW | CVE-2020-26270 | TensorFlow: DoS via zero-length input to LSTM/GRU on CUDA | tensorflow | 3.3 |
| LOW | CVE-2025-4287 | PyTorch NCCL: local DoS in distributed training reduce op | | 3.3 |
| LOW | CVE-2026-4993 | OpenUI: hard-coded LiteLLM master key credential leak | | 3.3 |
| CRITICAL | CVE-2025-34351 | ray: security flaw enables exploitation | ray | — |
| UNKNOWN | CVE-2024-56516 | free-one-api: MD5 hashing allows credential cracking | | — |
| UNKNOWN | CVE-2024-10650 | ChuanhuChatGPT: DoS via multipart payload exhaustion | chuanhuchatgpt | — |
| UNKNOWN | CVE-2026-4399 | 1millionbot Millie: Boolean prompt injection bypasses restrictions | | — |
| UNKNOWN | CVE-2025-1975 | Ollama: DoS via malicious manifest in /api/pull | ollama | — |
| UNKNOWN | CVE-2025-0187 | Gradio: DoS via oversized upload filename | gradio | — |
| CRITICAL | CVE-2025-65015 | | | — |
| HIGH | CVE-2026-25048 | xgrammar: security flaw enables exploitation | xgrammar | — |
| MEDIUM | CVE-2026-33123 | | | — |
| HIGH | CVE-2026-33155 | deepdiff: DoS causes service disruption | | — |
| MEDIUM | CVE-2025-58446 | xgrammar: DoS via oversized JSON schema grammar parsing | xgrammar | — |