Over the past month, security researchers on the Huntr bug bounty platform for artificial intelligence (AI) and machine learning (ML) have identified multiple severe vulnerabilities in popular AI/ML solutions such as MLflow, ClearML, and Hugging Face. The most severe of these are four critical vulnerabilities in MLflow, a platform for streamlining ML development. These include a path traversal bug, a vulnerability in the mlflow.data module allowing information access or file overwrite, a path validation bypass flaw allowing access to sensitive files, and a remote code execution issue when loading a malicious recipe configuration. All four vulnerabilities were addressed in MLflow 2.9.2, along with a high-severity server-side request forgery (SSRF) bug. Additionally, a critical-severity flaw was identified in Hugging Face Transformers, and a high-severity stored cross-site scripting (XSS) flaw was found in ClearML.
Read more: https://www.securityweek.com/critical-vulnerabilities-found-in-ai-ml-open-source-platforms/