Security Advisory

HiddenLayer’s Synaptic Adversarial Intelligence (SAI) team consists of multidisciplinary cybersecurity experts and data scientists dedicated to raising awareness about threats to machine learning and artificial intelligence systems. Our mission is to educate data scientists, MLDevOps teams, and cybersecurity practitioners on evaluating ML/AI vulnerabilities and risks, promoting more security-conscious implementations and deployments.

During our research, we identify numerous vulnerabilities within ML/AI projects. While our research blogs cover those that we consider to be most impactful, some affect only specific projects or use cases. We’ve therefore created this dedicated space to share all of our findings, enabling users within our community to keep updated on new vulnerabilities, including security issues that have not been assigned a CVE.

June 2025

April 2025

December 2024

October 2024

September 2024

  • Guardrails

    An attacker can craft an XML file with Python code contained within a ‘validators’ attribute. This code must be wrapped in braces to work, i.e. `{Python_code}`. This can then be passed to a victim user as a Guardrails file, and upon loading it, the Python code contained within the braces is passed into an eval function, which will execute the Python code contained within.

    Read More
  • Autolabel

    An attacker can craft a CSV file containing Python code in one of the values. This code must be wrapped in brackets to work i.e. []. The maliciously crafted CSV file can then be shared with a victim user as a dataset. When the user creates a multilabel classification task, the CSV is loaded and passed through a validation function, where values wrapped in brackets are passed into an eval function, which will execute the Python code contained within.

    Read More
  • Autolabel

    An attacker can craft a CSV file containing Python code in one of the values. This code must be wrapped in brackets to work i.e. []. The maliciously crafted CSV file can then be shared with a victim user as a dataset. When the user creates a classification task, the CSV is loaded and passed through a validation function, where values wrapped in brackets are passed into an eval function, which will execute the Python code contained within.

    Read More
  • Cleanlab

    An attacker can place a malicious file called datalabs.pkl within a directory and send that directory to a victim user. When the victim user loads the directory with Datalabs.load, the datalabs.pkl within it is deserialized and any arbitrary code contained within it is executed.

    Read More
  • MindsDB

    An attacker authenticated to a MindsDB instance with the Weaviate integration installed can execute arbitrary Python code on the server. This can be achieved by creating a database built with the Weaviate engine and running a ‘SELECT WHERE’ clause against it, containing the code to execute. This code is passed to an eval function used for parsing valid Python data types from arbitrary user input, but it will run any arbitrary Python code contained within the value given in the ‘WHERE embeddings =’ part of the clause.

    Read More
  • MindsDB

    An attacker authenticated to a MindsDB instance with any one of several integrations installed can execute arbitrary Python code on the server. This can be achieved by creating a database built with the specified integration engine and running an ‘UPDATE’ query against it, containing the code to execute. This code is passed to an eval function used for parsing valid Python data types from arbitrary user input but will run any arbitrary Python code contained within the value given in the ‘SET embeddings =’ part of the query.

    Read More
  • MindsDB

    An attacker authenticated to a MindsDB instance with the ChromaDB integration installed can execute arbitrary Python code on the server. This can be achieved by creating a database built with the ChromaDB engine and running an ‘INSERT’ query against it, where the value given for ‘metadata’ would contain the code to be executed. This code is passed to an eval function used for parsing valid Python data types from arbitrary user input but will run the arbitrary code contained within the query.

    Read More
  • MindsDB

    An attacker authenticated to a MindsDB instance with the SharePoint integration installed can execute arbitrary Python code on the server. This can be achieved by creating a database built with the SharePoint engine and running an ‘INSERT’ query against it to create a list, where the value given for the ‘list’ parameter would contain the code to be executed. This code is passed to an eval function used for parsing valid Python data types from arbitrary user input but will run the arbitrary code contained within the query.

    Read More
  • MindsDB

    An attacker authenticated to a MindsDB instance with the SharePoint integration installed can execute arbitrary Python code on the server. This can be achieved by creating a database built with the SharePoint engine and running an ‘INSERT’ query against it to create a site column, where the value given for the ‘text’ parameter would contain the code to be executed. This code is passed to an eval function used for parsing valid Python data types from arbitrary user input but will run the arbitrary code contained within the query.

    Read More
  • MindsDB

    An attacker authenticated to a MindsDB instance with the SharePoint integration installed can execute arbitrary Python code on the server. This can be achieved by creating a database built with the SharePoint engine and running an ‘INSERT’ query against it to create a list item, where the value given for the ‘fields’ parameter would contain the code to be executed. This code is passed to an eval function used for parsing valid Python data types from arbitrary user input but will run the arbitrary code contained within the query.

    Read More
  • MindsDB

    An attacker authenticated to a MindsDB instance can inject a malicious pickle object containing arbitrary code into a model during the Bring Your Own Model (BYOM) training and build process. This object will be deserialized when the model is loaded via a ‘predict’ or ‘describe’ query, executing the arbitrary code on the server.

    Read More
  • MindsDB

    An attacker authenticated to a MindsDB instance can inject a malicious pickle object containing arbitrary code into a model during the ‘inhouse’ Bring Your Own Model (BYOM) training and build process. This object will be deserialized when the model is loaded via the ‘predict’ method, executing the arbitrary code on the server. Note this can only occur if the BYOM engine is changed in the config from the default ‘venv’ to ‘inhouse’.

    Read More
  • MindsDB

    An attacker authenticated to a MindsDB instance can inject a malicious pickle object containing arbitrary code into a model during the ‘inhouse’ Bring Your Own Model (BYOM) training and build process. This object will be deserialized when the model is loaded via the ‘describe’ method, executing the arbitrary code on the server. Note this can only occur if the BYOM engine is changed in the config from the default ‘venv’ to ‘inhouse.’

    Read More
  • MindsDB

    An attacker authenticated to a MindsDB instance can inject a malicious pickle object containing arbitrary code into a model during the ‘inhouse’ Bring Your Own Model (BYOM) training and build process. This object will be deserialized when the model is loaded via the ‘finetune’ method, executing the arbitrary code on the server. Note this can only occur if the BYOM engine is changed in the config from the default ‘venv’ to ‘inhouse.’

    Read More
  • MindsDB

    An attacker authenticated to a MindsDB instance can create an ML Engine, database, project, or upload a dataset within the UI and give it a name (or value in the dataset) containing javascript code that will render when the items are enumerated within the UI.

    Read More

August 2024

July 2024

  • Wyze Cam V4

    A command injection vulnerability exists in Wyze Cam V4 firmware versions up to and including 4.52.4.9887. An attacker within Bluetooth range of the camera can leverage this command to execute arbitrary commands as root during the camera setup process.

    Read More
  • Tensorflow Probability

    An attacker can create a maliciously crafted HDF5 file by injecting a pickle object containing arbitrary code into the DistributionLambda layer of the model under the make_distribution_fn key, and share it with a victim. If the victim is using Tensorflow Probability v0.7 or later and loads the malicious model, the object will be deserialized and arbitrary code will execute on their system.

    Read More

June 2024

April 2024

  • AWS Sagemaker

    A command injection vulnerability exists inside the capture_dependencies function of the AWS Sagemakers util file. If a user used the util function when creating their code, an attacker can leverage the vulnerability to run arbitrary commands on a system running the code by injecting a system command into the string passed to the function.

    Read More
  • AWS Sagemaker

    An attacker can inject a malicious pickle object into a numpy file and share it with a victim user. When the victim uses the NumpyDeserializer.deserialize function of the base_deserializers python file to load it, the allow_pickle optional argument can be set to ‘false’ and passed to np.load, leading to the safe loading of the file. However, by default the optional parameter was set to true, so if this is not specifically changed by the victim, this will result in the loading and execution of the malicious pickle object.

    Read More
  • R

    An attacker could leverage the R Data Serialization format to insert arbitrary code into an RDS formatted file, or an R package as an RDX or RDB component, which will be executed when referenced or called with ReadRDS. This is because of the lazy evaluation process used in the unserialize function of the R programming language.

    Read More

February 2024