SC Media reports that open-source artificial intelligence and machine learning tools are impacted by 34 security vulnerabilities, three of which were of critical severity.
Protect AI researchers disclosed that the Lunary AI production toolkit was impacted by a pair of now-addressed critical bugs, including the insecure direct object reference issue, tracked as CVE-2024-7474, which could be leveraged for user record access or removal, and the improper access control vulnerability, tracked as CVE-2024-7475, which could be exploited for authentication manipulation.
ChatGPT graphical user interface Chuanhu Chat was affected by the critical path traversal flaw, tracked as CVE-2024-5982, which could facilitate remote code execution. Also reported were high-severity issues in the widely-used open-source AI project LocalAI, the most severe of which is the RCE bug, tracked as CVE-2024-6983.
"Through our own research and the huntr community, we've found the tools used in the supply chain to build the machine learning models that power AI applications to be vulnerable to unique security threats. These tools are Open Souce and downloaded thousands of times a month to build enterprise AI Systems," said Protect AI researchers.
