Executive Summary
At Protect AI we are taking a proactive approach to identifying and addressing security risks in AI systems, to provide the world with critical intelligence on vulnerabilities and how to fix them.
Protect AI’s huntr is the world's first AI/ML bug bounty program. Our community of 15,000+ members hunts for impactful vulnerabilities across the entire OSS AI/ML supply chain. Through our own research and the huntr community, we’ve found that the tools used in the supply chain to build the machine learning models that power AI applications are vulnerable to unique security threats. These tools are open source and downloaded thousands of times a month to build enterprise AI systems. They also frequently ship out of the box with vulnerabilities that can lead directly to complete system takeover, such as unauthenticated remote code execution or local file inclusion.
This report contains 20 vulnerabilities. You can find all the details of this month's vulnerabilities in the table below, or you can head over to protectai.com/sightline to search the comprehensive database of all huntr findings and download tools to detect, assess and remediate them within your organization's AI supply chain.
It is important to note that all vulnerabilities were reported to the maintainers prior to publishing this report, and we continue to work with maintainers to ensure a timely fix prior to publication. The table also includes our recommendations for actions to take immediately if you have these projects in production. If you need help mitigating these vulnerabilities in the meantime, please reach out at community@protectai.com; we’re here to help.
Top Vulnerabilities
Remote Code Execution (RCE) in BerriAI/litellm
https://sightline.protectai.com/vulnerabilities/0c220d75-47ff-49cc-9253-965986487739
Impact: An attacker can execute arbitrary code on the server by injecting malicious environment variables. The vulnerability is in the litellm.get_secret() function, where untrusted data is passed to eval without proper sanitization. Because environment variables can be updated via the /config/update endpoint, an attacker who can reach that endpoint can supply a value that is then evaluated as code.
Insecure Password Reset Token Handling in lunary-ai/lunary
https://sightline.protectai.com/vulnerabilities/60452e01-97fa-48f8-a09f-ea8b233a6c77
Impact: An attacker can reuse a password reset token to change the victim's password multiple times. The vulnerability lies in the password reset functionality, where the token is not invalidated after the password is changed. An attacker who has obtained the token can therefore reuse it and change the password repeatedly, even after the victim has reset it.
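The defensive pattern that closes this class of bug is a reset token that is stored only as a hash, expires, and is marked consumed on first use, with every outstanding token for the user revoked whenever the password changes. The following is an added illustration written for this report, not lunary's code; the service class, its in-memory stores and the injectable clock are assumptions for the example.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict

TOKEN_TTL_SECONDS = 15 * 60  # reset links should be short-lived


@dataclass
class ResetRecord:
    user_id: str
    expires_at: float
    consumed: bool = False


class PasswordResetService:
    """Hypothetical single-use password reset flow (example only)."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._tokens: Dict[str, ResetRecord] = {}  # sha256(token) -> record
        self.passwords: Dict[str, str] = {}        # user_id -> stored password (stand-in)
        self._clock = clock

    @staticmethod
    def _hash(token: str) -> str:
        # Only the hash is persisted, so a leaked table does not yield usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def _revoke_user(self, user_id: str) -> None:
        for rec in self._tokens.values():
            if rec.user_id == user_id:
                rec.consumed = True

    def issue(self, user_id: str) -> str:
        # A fresh request supersedes any earlier outstanding token for this user.
        self._revoke_user(user_id)
        token = secrets.token_urlsafe(32)
        self._tokens[self._hash(token)] = ResetRecord(user_id, self._clock() + TOKEN_TTL_SECONDS)
        return token

    def reset(self, token: str, new_password: str) -> bool:
        rec = self._tokens.get(self._hash(token))
        if rec is None or rec.consumed or self._clock() > rec.expires_at:
            return False
        # Mark consumed before applying the change so a replay of the same token fails.
        rec.consumed = True
        self._revoke_user(rec.user_id)
        self.passwords[rec.user_id] = new_password  # real code would hash this
        return True
```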
Server-Side Request Forgery (SSRF) in gradio-app/gradio
https://sightline.protectai.com/vulnerabilities/e74b6a9b-9ddb-496a-8dfa-d374311209eb
Impact: An attacker can cause the server to make unauthorized HTTP requests to internal services, potentially exposing sensitive information. The vulnerability is in the save_url_to_cache function, which does not properly validate the path parameter. This lets an attacker supply a URL that the server will fetch on their behalf, leading to SSRF.
Table
CVE | Title | Severity | CVSS | Fixed | Recommendations
 | | Critical | 10.0 | Yes | Upgrade to version 3.46.0.1
 | | Critical | 9.6 | Yes | Upgrade to version 1.2.14
 | | Critical | 9.3 | Yes | Upgrade to version 3.46.0.1
 | | High | 8.6 | Yes | Upgrade to version 1.4.9
 | IDOR - allow view/update any prompts in any projects in lunary | High | 8.3 | Yes | Upgrade to version 1.2.25
 | | High | 7.5 | Yes | Upgrade to version 1.2.25
 | | High | 7.5 | Yes | Upgrade to version 1.3.4
 | | High | 7.5 | Yes | Upgrade to version 1.44.9
 | | High | 7.4 | Yes | Upgrade to version 1.4.9
 | | High | 7.4 | Yes | Upgrade to version 1.4.9
 | | High | 7.4 | Yes | Upgrade to version 1.4.10
 | | High | 7.1 | Yes | Upgrade to version 1.2.26
 | | Medium | 6.5 | Yes | Upgrade to version 1.4.9
 | Prompt editor role has access to full list of Org users in lunary | Medium | 6.5 | Yes | Upgrade to version 1.4.9
 | Account takeover through the invite functionality for newly registered users in lunary | Medium | 6.5 | Yes | Upgrade to version 1.4.9
 | A user can create/get/edit/delete prompt variations for datasets from other orgs in lunary | Medium | 5.7 | Yes | Upgrade to version 1.4.8
 | | Medium | 5.3 | Yes | Upgrade to version 1.4.10
 | | Medium | 5.3 | Yes | Upgrade to version 1.4.10
 | | Medium | 5.2 | Yes | Upgrade to version 0.2.9
 | | Medium | 4.3 | Yes | Upgrade to version 1.4.10