Security Advisory

HiddenLayer’s Synaptic Adversarial Intelligence (SAI) team consists of multidisciplinary cybersecurity experts and data scientists dedicated to raising awareness about threats to machine learning and artificial intelligence systems. Our mission is to educate data scientists, MLDevOps teams, and cybersecurity practitioners on evaluating ML/AI vulnerabilities and risks, promoting more security-conscious implementations and deployments.

During our research, we identify numerous vulnerabilities within ML/AI projects. While our research blogs cover those that we consider to be most impactful, some affect only specific projects or use cases. We’ve therefore created this dedicated space to share all of our findings, enabling users within our community to keep updated on new vulnerabilities, including security issues that have not been assigned a CVE.

December 2024

October 2024

  • CVE-2024-0129 Unsafe extraction of NeMo archive leading to arbitrary file write October 24, 2024

    NVIDIA NeMo

    Eval on query parameters allows arbitrary code execution in Weaviate integration CVE Number CVE-2024-45846 Summary An arbitrary code execution vulnerability exists inside the select function of the mindsdb/integrations/handlers/weaviate_handler/weaviate_handler.py file in the Weaviate integration. The vulnerability requires the attacker to be authorized on the MindsDB...

    Read More

September 2024

August 2024

July 2024

  • CVE-2024-37066 Crafted WiFI network name (SSID) leads to arbitrary command injection July 19, 2024

    Wyze Cam V4

    Eval on query parameters allows arbitrary code execution in Weaviate integration CVE Number CVE-2024-45846 Summary An arbitrary code execution vulnerability exists inside the select function of the mindsdb/integrations/handlers/weaviate_handler/weaviate_handler.py file in the Weaviate integration. The vulnerability requires the attacker to be authorized on the MindsDB...

    Read More

  • SAI-ADV-2024-001 Model Deserialization Leads to Code Execution July 11, 2024

    Tensorflow Probability

    Eval on query parameters allows arbitrary code execution in Weaviate integration CVE Number CVE-2024-45846 Summary An arbitrary code execution vulnerability exists inside the select function of the mindsdb/integrations/handlers/weaviate_handler/weaviate_handler.py file in the Weaviate integration. The vulnerability requires the attacker to be authorized on the MindsDB...

    Read More

June 2024

  • CVE-2024-37065 Model Deserialization Leads to Code Execution June 4, 2024

    Skops

    Eval on query parameters allows arbitrary code execution in Weaviate integration CVE Number CVE-2024-45846 Summary An arbitrary code execution vulnerability exists inside the select function of the mindsdb/integrations/handlers/weaviate_handler/weaviate_handler.py file in the Weaviate integration. The vulnerability requires the attacker to be authorized on the MindsDB...

    Read More

  • CVE-2024-37064 Pickle Load in Read Pandas Utility Function June 4, 2024

    YData-profiling

    Eval on query parameters allows arbitrary code execution in Weaviate integration CVE Number CVE-2024-45846 Summary An arbitrary code execution vulnerability exists inside the select function of the mindsdb/integrations/handlers/weaviate_handler/weaviate_handler.py file in the Weaviate integration. The vulnerability requires the attacker to be authorized on the MindsDB...

    Read More

  • CVE-2024-37061 Remote Code Execution on Local System via MLproject YAML File June 4, 2024

    MLflow

    Eval on query parameters allows arbitrary code execution in Weaviate integration CVE Number CVE-2024-45846 Summary An arbitrary code execution vulnerability exists inside the select function of the mindsdb/integrations/handlers/weaviate_handler/weaviate_handler.py file in the Weaviate integration. The vulnerability requires the attacker to be authorized on the MindsDB...

    Read More

  • CVE-2024-37060 Pickle Load on Recipe Run Leading to Code Execution June 4, 2024

    MLflow

    Eval on query parameters allows arbitrary code execution in Weaviate integration CVE Number CVE-2024-45846 Summary An arbitrary code execution vulnerability exists inside the select function of the mindsdb/integrations/handlers/weaviate_handler/weaviate_handler.py file in the Weaviate integration. The vulnerability requires the attacker to be authorized on the MindsDB...

    Read More

  • CVE-2024-37059 Cloudpickle Load on PyTorch Model Load Leading to Code Execution June 4, 2024

    MLflow

    Eval on query parameters allows arbitrary code execution in Weaviate integration CVE Number CVE-2024-45846 Summary An arbitrary code execution vulnerability exists inside the select function of the mindsdb/integrations/handlers/weaviate_handler/weaviate_handler.py file in the Weaviate integration. The vulnerability requires the attacker to be authorized on the MindsDB...

    Read More

  • CVE-2024-37058 Cloudpickle Load on Langchain Model Load Leading to Code Execution June 4, 2024

    MLflow

    Eval on query parameters allows arbitrary code execution in Weaviate integration CVE Number CVE-2024-45846 Summary An arbitrary code execution vulnerability exists inside the select function of the mindsdb/integrations/handlers/weaviate_handler/weaviate_handler.py file in the Weaviate integration. The vulnerability requires the attacker to be authorized on the MindsDB...

    Read More

  • CVE-2024-37057 Cloudpickle Load on TensorFlow Keras Model Leading to Code Execution June 4, 2024

    MLflow

    Eval on query parameters allows arbitrary code execution in Weaviate integration CVE Number CVE-2024-45846 Summary An arbitrary code execution vulnerability exists inside the select function of the mindsdb/integrations/handlers/weaviate_handler/weaviate_handler.py file in the Weaviate integration. The vulnerability requires the attacker to be authorized on the MindsDB...

    Read More

  • CVE-2024-37056 Cloudpickle Load on LightGBM SciKit Learn Model Leading to Code Execution June 4, 2024

    MLflow

    Eval on query parameters allows arbitrary code execution in Weaviate integration CVE Number CVE-2024-45846 Summary An arbitrary code execution vulnerability exists inside the select function of the mindsdb/integrations/handlers/weaviate_handler/weaviate_handler.py file in the Weaviate integration. The vulnerability requires the attacker to be authorized on the MindsDB...

    Read More

  • CVE-2024-37055 Pickle Load on Pmdarima Model Load Leading to Code Execution June 4, 2024

    MLflow

    Eval on query parameters allows arbitrary code execution in Weaviate integration CVE Number CVE-2024-45846 Summary An arbitrary code execution vulnerability exists inside the select function of the mindsdb/integrations/handlers/weaviate_handler/weaviate_handler.py file in the Weaviate integration. The vulnerability requires the attacker to be authorized on the MindsDB...

    Read More

  • CVE-2024-37054 Cloudpickle Load on PyFunc Model Load Leading to Code Execution June 4, 2024

    MLflow

    Eval on query parameters allows arbitrary code execution in Weaviate integration CVE Number CVE-2024-45846 Summary An arbitrary code execution vulnerability exists inside the select function of the mindsdb/integrations/handlers/weaviate_handler/weaviate_handler.py file in the Weaviate integration. The vulnerability requires the attacker to be authorized on the MindsDB...

    Read More

  • CVE-2024-37053 Pickle Load on Sklearn Model Load Leading to Code Execution June 4, 2024

    MLflow

    Eval on query parameters allows arbitrary code execution in Weaviate integration CVE Number CVE-2024-45846 Summary An arbitrary code execution vulnerability exists inside the select function of the mindsdb/integrations/handlers/weaviate_handler/weaviate_handler.py file in the Weaviate integration. The vulnerability requires the attacker to be authorized on the MindsDB...

    Read More

  • CVE-2024-37052 Cloudpickle Load on Sklearn Model Load Leading to Code Execution June 4, 2024

    MLflow

    Eval on query parameters allows arbitrary code execution in Weaviate integration CVE Number CVE-2024-45846 Summary An arbitrary code execution vulnerability exists inside the select function of the mindsdb/integrations/handlers/weaviate_handler/weaviate_handler.py file in the Weaviate integration. The vulnerability requires the attacker to be authorized on the MindsDB...

    Read More

  • CVE-2024-37063 XSS Injection in HTML Profile Report Generation June 1, 2024

    YData-profiling

    Eval on query parameters allows arbitrary code execution in Weaviate integration CVE Number CVE-2024-45846 Summary An arbitrary code execution vulnerability exists inside the select function of the mindsdb/integrations/handlers/weaviate_handler/weaviate_handler.py file in the Weaviate integration. The vulnerability requires the attacker to be authorized on the MindsDB...

    Read More

  • CVE-2024-37062 Pickle Load in Serialized Profile Load June 1, 2024

    YData-profiling

    Eval on query parameters allows arbitrary code execution in Weaviate integration CVE Number CVE-2024-45846 Summary An arbitrary code execution vulnerability exists inside the select function of the mindsdb/integrations/handlers/weaviate_handler/weaviate_handler.py file in the Weaviate integration. The vulnerability requires the attacker to be authorized on the MindsDB...

    Read More

April 2024

  • CVE-2024-34073 Command Injection in CaptureDependency Function April 30, 2024

    AWS Sagemaker

    Eval on query parameters allows arbitrary code execution in Weaviate integration CVE Number CVE-2024-45846 Summary An arbitrary code execution vulnerability exists inside the select function of the mindsdb/integrations/handlers/weaviate_handler/weaviate_handler.py file in the Weaviate integration. The vulnerability requires the attacker to be authorized on the MindsDB...

    Read More

  • CVE-2024-34072 Numpy defaults to allowing Pickle to be run when content type is NPY or NPZ April 30, 2024

    AWS Sagemaker

    Eval on query parameters allows arbitrary code execution in Weaviate integration CVE Number CVE-2024-45846 Summary An arbitrary code execution vulnerability exists inside the select function of the mindsdb/integrations/handlers/weaviate_handler/weaviate_handler.py file in the Weaviate integration. The vulnerability requires the attacker to be authorized on the MindsDB...

    Read More

  • CVE-2024-27322 R-bitrary Code Execution Through Deserialization Vulnerability April 1, 2024

    R

    Eval on query parameters allows arbitrary code execution in Weaviate integration CVE Number CVE-2024-45846 Summary An arbitrary code execution vulnerability exists inside the select function of the mindsdb/integrations/handlers/weaviate_handler/weaviate_handler.py file in the Weaviate integration. The vulnerability requires the attacker to be authorized on the MindsDB...

    Read More

February 2024

  • CVE-2024-27319 Out of bounds read due to lack of string termination in assert February 23, 2024

    ONNX

    Eval on query parameters allows arbitrary code execution in Weaviate integration CVE Number CVE-2024-45846 Summary An arbitrary code execution vulnerability exists inside the select function of the mindsdb/integrations/handlers/weaviate_handler/weaviate_handler.py file in the Weaviate integration. The vulnerability requires the attacker to be authorized on the MindsDB...

    Read More

  • CVE-2024-27318 Path sanitization bypass leading to arbitrary read February 23, 2024

    ONNX

    Eval on query parameters allows arbitrary code execution in Weaviate integration CVE Number CVE-2024-45846 Summary An arbitrary code execution vulnerability exists inside the select function of the mindsdb/integrations/handlers/weaviate_handler/weaviate_handler.py file in the Weaviate integration. The vulnerability requires the attacker to be authorized on the MindsDB...

    Read More

  • CVE-2024-24591 Path Traversal on File Download Leading to Arbitrary Write February 6, 2024

    ClearML

    Eval on query parameters allows arbitrary code execution in Weaviate integration CVE Number CVE-2024-45846 Summary An arbitrary code execution vulnerability exists inside the select function of the mindsdb/integrations/handlers/weaviate_handler/weaviate_handler.py file in the Weaviate integration. The vulnerability requires the attacker to be authorized on the MindsDB...

    Read More

  • CVE-2024-24595 Credentials Stored in Plaintext in MongoDB Instance February 1, 2024

    ClearML

    Eval on query parameters allows arbitrary code execution in Weaviate integration CVE Number CVE-2024-45846 Summary An arbitrary code execution vulnerability exists inside the select function of the mindsdb/integrations/handlers/weaviate_handler/weaviate_handler.py file in the Weaviate integration. The vulnerability requires the attacker to be authorized on the MindsDB...

    Read More

  • CVE-2024-24594 Web Server Renders User HTML Leading to XSS February 1, 2024

    ClearML

    Eval on query parameters allows arbitrary code execution in Weaviate integration CVE Number CVE-2024-45846 Summary An arbitrary code execution vulnerability exists inside the select function of the mindsdb/integrations/handlers/weaviate_handler/weaviate_handler.py file in the Weaviate integration. The vulnerability requires the attacker to be authorized on the MindsDB...

    Read More

  • CVE-2024-24593 Cross-site Request Forgery in ClearML Server February 1, 2024

    ClearML

    Eval on query parameters allows arbitrary code execution in Weaviate integration CVE Number CVE-2024-45846 Summary An arbitrary code execution vulnerability exists inside the select function of the mindsdb/integrations/handlers/weaviate_handler/weaviate_handler.py file in the Weaviate integration. The vulnerability requires the attacker to be authorized on the MindsDB...

    Read More

  • CVE-2024-24592 Improper Auth Leading to Arbitrary Read-Write Access February 1, 2024

    ClearML

    Eval on query parameters allows arbitrary code execution in Weaviate integration CVE Number CVE-2024-45846 Summary An arbitrary code execution vulnerability exists inside the select function of the mindsdb/integrations/handlers/weaviate_handler/weaviate_handler.py file in the Weaviate integration. The vulnerability requires the attacker to be authorized on the MindsDB...

    Read More

  • CVE-2024-24590 Pickle Load on Artifact Get Leading to Code Execution February 1, 2024

    ClearML

    Eval on query parameters allows arbitrary code execution in Weaviate integration CVE Number CVE-2024-45846 Summary An arbitrary code execution vulnerability exists inside the select function of the mindsdb/integrations/handlers/weaviate_handler/weaviate_handler.py file in the Weaviate integration. The vulnerability requires the attacker to be authorized on the MindsDB...

    Read More

HiddenLayer, a Gartner recognized Cool Vendor for AI Security, is the leading provider of Security for AI. Its security platform helps enterprises safeguard the machine learning models behind their most important products. HiddenLayer is the only company to offer turnkey security for AI that does not add unnecessary complexity to models and does not require access to raw data and algorithms. Founded by a team with deep roots in security and ML, HiddenLayer aims to protect enterprise’s AI from inference, bypass, extraction attacks, and model theft. The company is backed by a group of strategic investors, including M12, Microsoft’s Venture Fund, Moore Strategic Ventures, Booz Allen Ventures, IBM Ventures, and Capital One Ventures.

Book a Demo

© 2025 HiddenLayer

AICPA SOC logo

Security Privacy Policy  Vulnerability Disclosure Policy Sitemap