AI Security Summary
AI/LLM frameworks expose code execution, data exfiltration, and denial-of-service surfaces primarily through LLM-mediated input reaching unsafe Python sinks and through insecure inter-component communication in inference infrastructure. The recurring coding mistake is trusting LLM-generated or user-supplied data as safe input to eval, exec, pickle, subprocess, and SQL without any sanitization or sandboxing boundary.
LLM-Mediated Code Execution via Unsafe Python Sinks (exec, eval, pickle, torch.load)
Covers: CVE-2023-36258 · CVE-2023-36281 · CVE-2023-38896 · CVE-2023-36188 · CVE-2023-34541 · CVE-2023-29374 · CVE-2023-36095 · CVE-2023-39631 · CVE-2023-38860 · CVE-2023-39659 · CVE-2023-34540 · CVE-2023-39662 · CVE-2024-45201 · CVE-2024-3271 · CVE-2024-3098 · CVE-2024-4181 · CVE-2024-34359 · CVE-2023-6730 · CVE-2023-7018 · CVE-2024-11394 · CVE-2024-11392 · CVE-2024-11393 · CVE-2024-5998 · CVE-2025-3108 · CVE-2025-24357 · CVE-2025-62164 · GHSA-mcmc-2m55-j8jj · CVE-2026-1839 · CVE-2026-22807 · CVE-2025-66448 · CVE-2025-9141 · CVE-2025-47277 · CVE-2024-9053 · CVE-2024-9052 · CVE-2025-32444 · CVE-2025-29783 · CVE-2024-11041 · CVE-2025-30165 · CVE-2026-27893 · CVE-2025-68664 · CVE-2026-44843 · CVE-2026-34070 · CVE-2026-22778 Risk: LLM-generated or user-supplied content flows into exec, eval, pickle.loads, torch.load, or cloudpickle without sanitization, enabling full remote code execution on the inference host.
- NEVER pass LLM-generated text, user-controlled strings, or externally sourced data to exec(), eval(), or Python's compile() without a strict AST allowlist that rejects all attribute access, imports, and calls.
- NEVER deserialize data with pickle.loads(), cloudpickle.loads(), torch.load(), or jsonpickle from any network socket, queue message, or user-supplied file unless the source is cryptographically authenticated and integrity-verified.
- ALWAYS set weights_only=True when calling torch.load() for model checkpoints, and treat any checkpoint whose provenance cannot be verified as hostile.
- NEVER load model configs, chat templates, or auto_map entries from untrusted repositories without gating execution behind an explicit, user-confirmed trust_remote_code flag that defaults to False.
- NEVER construct dynamic import strings from LLM output or user input and pass them to exec() or importlib; use a static registry of allowed class names instead.
- ALWAYS treat the output of LangChain's dumps/dumpd and any deserialized LangChain object graph as potentially attacker-controlled when the source prompt or config is user-supplied.
Prompt Injection into SQL, Template Engines, and Structured Query Sinks
Covers: CVE-2023-32785 · CVE-2025-1793 · CVE-2024-23751 · CVE-2024-12911 · CVE-2023-36189 · CVE-2025-65106 · CVE-2026-40087 · CVE-2024-1455 · CVE-2025-6984 · CVE-2024-10940 · CVE-2024-3571 · CVE-2024-4941 · CVE-2026-34452 · CVE-2026-25640 Risk: LLM output or user-supplied prompt text is interpolated directly into SQL queries, XML parsers, or Jinja/f-string templates, allowing data exfiltration, unauthorized writes, and stored XSS.
- NEVER interpolate LLM-generated text into SQL strings; ALWAYS use parameterized queries or a query builder that enforces parameter binding for every value derived from model output.
- NEVER accept a full prompt template string from an untrusted source; ALWAYS treat template syntax (attribute access via '.', indexing, and format specifiers) as an injection vector and validate against a strict allowlist.
- NEVER parse XML or HTML produced by an LLM with a parser that has external entity resolution enabled; ALWAYS use defusedxml or equivalent and disable DTD processing entirely.
- ALWAYS canonicalize and validate file paths obtained from deserialized prompt configs before any file-system operation, rejecting paths that escape the intended base directory.
- NEVER allow user-controlled strings to become the template source in ChatPromptTemplate, PromptTemplate, or equivalent; distinguish template structure from template variables.
Server-Side Request Forgery via Unvalidated URL Parameters in AI Framework Components
Covers: CVE-2023-46229 · CVE-2023-32786 · CVE-2025-2828 · CVE-2024-2206 · CVE-2024-4325 · CVE-2024-1183 · CVE-2024-3095 · CVE-2024-48052 · CVE-2024-47167 · CVE-2026-28416 · CVE-2025-6242 · CVE-2026-24779 · CVE-2026-25580 · CVE-2026-46678 · CVE-2026-34753 · CVE-2026-25960 · CVE-2025-30202 · CVE-2026-22778 Risk: URL parameters accepted by document loaders, media connectors, queue endpoints, and proxy routes are forwarded without allowlist enforcement, enabling SSRF to internal services and cloud metadata endpoints.
- NEVER pass a user-supplied or LLM-supplied URL directly to an HTTP client, file downloader, or media loader without first resolving the hostname to an IP and rejecting RFC-1918, loopback, link-local, and cloud-metadata address ranges.
- ALWAYS maintain an explicit allowlist of permitted URL schemes and hostname patterns for any component that fetches remote content on behalf of a user or agent; default-deny everything not on the list.
- NEVER trust HTTP headers such as X-Direct-Url or proxy_url from untrusted callers to expand the set of reachable hosts; treat header-injected URLs as fully attacker-controlled.
- ALWAYS validate URLs using a single, canonical parsing library end-to-end; never validate with one parser and fetch with another, as differing interpretations of backslashes and IPv6 representations create bypass opportunities.
- NEVER bind inter-node communication sockets (ZeroMQ XPUB, RPC listeners) to all interfaces in multi-node deployments; restrict to authenticated, network-segmented interfaces.
Path Traversal and Filesystem Access Control Bypass in File Serving and Upload Handling
Covers: CVE-2025-23042 · CVE-2024-1728 · CVE-2024-10648 · CVE-2024-0964 · CVE-2024-47084 · CVE-2023-51449 · CVE-2024-1561 · CVE-2024-47164 · CVE-2024-47166 · CVE-2024-12217 · CVE-2026-28414 · CVE-2024-34510 · CVE-2024-47165 · CVE-2024-4941 · CVE-2024-51751 · CVE-2024-47868 · CVE-2025-48889 · CVE-2023-34239 · CVE-2023-41626 · CVE-2024-34511 · CVE-2026-28415 · CVE-2024-8021 · CVE-2024-4940 · CVE-2025-6209 · CVE-2023-6572 · CVE-2025-7647 · CVE-2024-12704 · CVE-2026-34450 · CVE-2023-25823 · CVE-2024-1727 · CVE-2024-47871 · CVE-2024-47867 · CVE-2024-47870 · CVE-2024-47872 · CVE-2024-47869 · CVE-2024-1729 · CVE-2023-2800 · CVE-2025-7707 Risk: File-serving routes, upload handlers, and flagging components accept attacker-controlled paths without case-normalized, realpath-resolved validation, exposing arbitrary files and enabling directory traversal on all OS platforms.
- ALWAYS resolve user-supplied file paths with os.path.realpath() and assert the resolved path starts with the expected base directory before any read, write, copy, or delete operation.
- NEVER rely on string prefix matching or blocked-path substring checks for access control; case-insensitive file systems and NTFS alternate data streams bypass these checks.
- ALWAYS validate CORS origins using an explicit allowlist and reject the null origin; never grant access based on the presence of a cookie alone.
- NEVER allow uploaded files to be served with their original MIME type for HTML, SVG, or JavaScript content; force Content-Disposition: attachment and a safe content type to prevent XSS.
- NEVER use predictable or world-writable temporary directories for caching model artifacts, embeddings, or agent state; create per-process directories with mode 0700 and verify ownership before use.
- ALWAYS compare secrets and authentication tokens using a constant-time comparison function; never use == or != for credential comparison.
Denial of Service via Unbounded Resource Consumption (ReDoS, Recursive Parsing, Unvalidated API Parameters)
Covers: CVE-2025-3262 · CVE-2025-6638 · CVE-2024-12720 · CVE-2025-2099 · CVE-2025-1194 · CVE-2025-3263 · CVE-2025-6051 · CVE-2025-3933 · CVE-2025-5197 · CVE-2025-3264 · CVE-2025-6921 · CVE-2024-10624 · CVE-2025-1752 · CVE-2025-5302 · CVE-2024-2965 · CVE-2024-12910 · CVE-2024-8768 · CVE-2024-8966 · CVE-2025-48956 · CVE-2024-10569 · CVE-2024-8939 · CVE-2025-62426 · CVE-2025-61620 · CVE-2025-48942 · CVE-2025-48943 · CVE-2026-44223 · CVE-2026-34756 · CVE-2025-48887 · CVE-2025-46560 · CVE-2025-29770 · CVE-2025-62372 · CVE-2026-22773 · CVE-2024-12704 · CVE-2026-34755 · CVE-2025-46722 · CVE-2025-6211 · CVE-2025-5472 · CVE-2025-6208 · CVE-2026-44222 · CVE-2025-59425 Risk: Unvalidated API parameters (n, best_of, frame counts, regex patterns, JSON depth, chat_template_kwargs) and pathological regex patterns in tokenizers and parsers allow a single unauthenticated request to exhaust CPU, memory, or stack and crash inference workers.
- NEVER compile or evaluate user-supplied regex patterns, JSON schemas, or Jinja templates without a resource limit (timeout, complexity cap); treat these inputs as denial-of-service vectors.
- ALWAYS enforce explicit upper bounds on numeric API parameters such as n, best_of, num_frames, and max_depth at the request validation layer before any processing begins.
- NEVER apply resource limits (file count, depth, size) after loading all input into memory; enforce limits as data is streamed or enumerated to prevent memory exhaustion.
- ALWAYS use re.fullmatch() with pre-compiled, audited patterns for user-facing inputs, and avoid nested quantifiers or unbounded repetition groups in any regex that processes untrusted strings.
- NEVER allow recursive parsers (JSON, sitemap, XML) to descend without a maximum depth counter; raise a hard error rather than relying on Python's default recursion limit.
Cross-cutting patterns (all AI / LLM Apps projects)
- NEVER treat LLM-generated content as trusted application logic; always enforce the same input validation, sanitization, and authorization checks on model output as on direct user input.
- ALWAYS ensure inter-process and inter-node communication channels (ZeroMQ, RPC, message queues) require mutual authentication and use a safe serialization format such as JSON with a strict schema rather than pickle or cloudpickle.
- NEVER download, load, or execute external artifacts (model weights, FRP binaries, prompt configs, auto_map modules) without verifying a cryptographic checksum or signature against a value stored outside the artifact itself.
- ALWAYS apply authentication and rate limiting to every API endpoint, including health, queue, tokenize, and completions routes, before any resource-consuming operation is performed.