At Protect AI we are taking a proactive approach to identifying and addressing security risks in AI systems, to provide the world with critical intelligence on vulnerabilities and how to fix them.
Protect AI’s huntr is the world's first AI/ML bug bounty program. Our community of 15,000+ members hunt for impactful vulnerabilities across the entire OSS AI/ML supply chain. Through our own research and the huntr community, we’ve found the tools used in the supply chain to build the machine learning models that power AI applications to be vulnerable to unique security threats. These tools are Open Source and downloaded thousands of times a month to build enterprise AI Systems. They also likely come out of the box with vulnerabilities that can lead directly to complete system takeovers such as unauthenticated remote code execution or local file inclusion. This report contains 20 vulnerabilities. You can find all the details of this month's vulnerabilities in the table below, or you can head over to protectai.com/sightline, to search the comprehensive database of all huntr findings, and download tools to detect, assess and remediate them within your organizations AI Supply chain.
It is important to note that all vulnerabilities were reported to the maintainers a minimum of 45 days prior to publishing this report, and we continue to work with maintainers to ensure a timely fix prior to publication. The table also includes our recommendations for actions to take immediately, if you have these projects in production. If you need help mitigating these vulnerabilities in the meantime, please reach out, we’re here to help. community@protectai.com.
https://huntr.com/bounties/d6362117-ad57-4e83-951f-b8141c6e7ca5
Impact: This vulnerability allows attackers to execute arbitrary code on the system using specially crafted package URLs.
The vulnerability in Setuptools arises from the way it handles package URLs, allowing for code injection. If an attacker can control the URL input, they can inject and execute arbitrary commands on the system. This can be exploited through various vectors, including setup configuration files, command-line arguments, and custom applications relying on Setuptools.
https://huntr.com/bounties/671bd040-1cc5-4227-8182-5904e9c5ed3b
Impact: Removed users can still access, modify, and delete organizational templates, leading to unauthorized data manipulation.
The vulnerability in Lunary allows users who have been removed from an organization to continue accessing and modifying templates using old authorization tokens. This occurs because the system does not invalidate tokens upon user removal, enabling unauthorized actions such as reading, creating, editing, and deleting templates.
https://huntr.com/bounties/dc4c3967-8951-40dc-94f1-46df7fb57060
Impact: This vulnerability can be exploited to bypass SSRF protections, potentially allowing access to internal networks.
The vulnerability in Netaddr involves the mishandling of IPv4-mapped IPv6 addresses. Functions like is_private, is_link_local, and is_loopback do not correctly identify these addresses, which can lead to SSRF attacks. Attackers can exploit this by using IPv4-mapped IPv6 addresses to bypass security checks and access internal resources.
CVE |
Title |
Severity |
CVSS |
Fixed |
Recommendations |
Critical |
9.9 |
Yes |
Upgrade to latest version |
||
Server-Side Template Injection in /completions endpoint in litellm |
Critical |
9.8 |
Yes |
Upgrade to version 1.34.42 |
|
Critical |
9.8 |
Yes |
Upgrade to version 3.13.1 |
||
OS Command Injection in prune_by_memory_estimation in paddle |
Critical |
9.8 |
Yes |
Upgrade to latest version |
|
Critical |
9.6 |
Yes |
Upgrade to latest version |
||
Anonymous access to import endpoint leads to anythingllm.db deletion/spoofing in anything-llm |
Critical |
9.1 |
Yes |
Upgrade to latest version |
|
Member can read/create/modify/delete templates even after removed from organizations in lunary |
Critical |
9.1 |
Yes |
Upgrade to version 1.2.8 |
|
Arbitrary File Write via /v1/runs API endpoint in pytorch-lightning |
Critical |
9.1 |
Yes |
Upgrade to version 2.3.3 |
|
Remote code execution via download functions in the package_index module in setuptools |
High |
8.8 |
Yes |
Upgrade to version 70.0 |
|
High |
7.7 |
Yes |
Upgrade to latest version |
||
High |
7.5 |
Yes |
Upgrade to version 1.2.8 |
||
Bypass private/linklocal/loopback IP validation Method lead to SSRF in netaddr |
High |
7.5 |
Yes |
Upgrade to version 0.10.0 |
|
High |
7.3 |
Yes |
Upgrade to version 9.5.1 |
||
High |
7.1 |
Yes |
Upgrade to latest version |
||
High |
7.1 |
Yes |
Upgrade to latest version |
||
Medium |
6.5 |
Yes |
Upgrade to version 2.17 |
||
Medium |
4.8 |
Yes |
Upgrade to version 0.2.9 |
||
Medium |
4.2 |
Yes |
Upgrade to version 0.2.5 |
||
Medium |
4.0 |
Yes |
Upgrade to version 70.0.1 |
||
Low |
2.8 |
Yes |
Upgrade to version 1.14.2 |