Protect AI Releases 'Bug Bounty' Report On May Vulnerabilities

The vulnerabilities involve tools used to build AI apps

Protect AI, which offers artificial intelligence application security, just released its May vulnerability report.

The report was created with Protect AI's AI/ML "bug bounty" program, huntr. According to the company, the program is made up of over 15,000 members who hunt for vulnerabilities across the "entire OSS AI/ML supply chain."

The vulnerabilities involve tools used to build ML models that fuel AI applications. The huntr community, along with Protect AI researchers, found these tools to be vulnerable to "unique security threats."

Here is a list of the vulnerabilities huntr has discovered:

Remote Code Execution (RCE) in LoLLMs

"Impact: This vulnerability can lead to an attacker running arbitrary code on the server.

A vulnerability present in older versions of llama-cpp-python combined with the binding_zoo feature in the LoLLMs webserver can allow attackers to use a malicious 3rd party hosted model to execute code remotely."

Denial of Service (DOS) in mintplex-labs/anything-llm

"Impact: This vulnerability allows an attacker to shut down the server through the file upload endpoint.

The vulnerability is present in the file upload endpoint, where a specially crafted request can cause the server to shut down. This issue arises from the server's inability to properly handle certain types of upload requests, making it susceptible to a Denial of Service (DOS) attack."

Remote Code Execution (RCE) in mintplex-labs/anything-llm

"Impact: This vulnerability can allow attackers to remotely execute code on the server.

The vulnerability involves injecting malicious code into the LocalAiBasePath parameter which will write the code to a .env file. Through a string of other HTTP requests, this code can then be triggered leading to server takeover."

Protect AI also released recommendations to fix these vulnerabilities (and also offers Sightline, a security feed of all found issues):