Millions of AI agents imperiled by critical vulnerability in open source package★ 78
Ars Technica AI7d agoIncidentArs Technica reports that Starlette, a Python package with about 325 million weekly downloads, has a critical vulnerability called BadHost. The flaw can let crafted Host headers confuse request.url.path, potentially bypassing middleware-based path authorization. AI infrastructure using FastAPI or Starlette, including vLLM, LiteLLM, MCP servers, LLM proxies, and agent frameworks, should upgrade Starlette and audit custom middleware.
Everyone is navigating AI security in real time — even Google★ 70
TechCrunch AI8d agoCommentaryAs AI adoption accelerates, organizations worldwide—including Google—are finding themselves in a transitional phase, forced to address AI security vulnerabilities in real time. Traditional cybersecurity frameworks are proving insufficient against novel threats like prompt injection and model poisoning. This shifting landscape requires continuous adaptation and a fundamental rethink of how AI systems are secured.
A Security Review of Gradio 5★ 80
Hugging Face Blog600d agoReleaseHugging Face 委託專業安全公司 Trail of Bits 對 Gradio 5 進行全面安全性審計。本次更新修復了包括任意檔案讀取(LFI)與伺服器端請求偽造(SSRF)等潛在漏洞,並重新設計了檔案存取架構。新版本採取「預設安全」策略,大幅降低開發者在部署 AI 互動介面時面臨的安全風險。
Shared network vulnerability disclosure★ 75
Replicate Blog740d agoIncidentAI 模型託管平台 Replicate 揭露了一項已修復的嚴重安全漏洞。該漏洞由雲端安全公司 Wiz 發現,源於多租戶環境下的共享網路配置缺陷。攻擊者可透過上傳惡意模型,繞過容器隔離並存取其他用戶的私有模型、輸入與輸出數據。Replicate 已於第一時間完成修復、加強網路隔離,並確認除研究人員的測試外,無其他用戶數據外洩。
Hugging Face partners with Wiz Research to Improve AI Security★ 75
Hugging Face Blog789d agoBusinessHugging Face 宣布與知名雲端安全廠商 Wiz Research 建立合作夥伴關係。雙方將共同致力於識別並修復 Hugging Face 平台上的安全漏洞,特別是針對模型託管、租戶隔離以及 Spaces 的容器安全。此合作旨在為開源 AI 社群建立更強大的安全防禦機制,防範惡意模型與潛在的雲端基礎設施攻擊。