Topics
Browse posts by category and tag — every topic we cover, with the latest pieces under each.
Tags
Categories
Vulnerability Tracking 5 posts
- Hugging Face Transformers & Hub: Supply-Chain Risks and Real AdvisoriesThe Hugging Face ecosystem is the npm of machine learning — and it carries the same supply-chain exposure. A tour of verified Transformers CVEs and what they reveal about trusting models, configs, and the tooling meant to protect you.
- PyTorch Security: Notable CVEs and How to Harden Your Loading PathPyTorch's most consequential CVEs cluster around one thing — loading a model file that runs code. A walk through the verified entries, what each actually requires to exploit, and the hardening that holds.
- trust_remote_code and the ML Orchestration CVE ClassA second family of ML supply-chain CVEs has nothing to do with model weights and everything to do with the glue: transformers' trust_remote_code, langchain expression surfaces, and template injection in orchestration libraries.
- Unsafe Model Deserialization: The Pickle Problem Behind ML CVEsLoading a model file can execute arbitrary code. This is the single most repeated vulnerability class in the ML supply chain — the real CVEs, why the fixes keep arriving late, and what actually mitigates it.
- ML CVE Database Vulnerabilities: What's Tracked and MissingHow ML CVE database vulnerabilities are catalogued in NVD and MITRE, why the taxonomy breaks down for AI-specific flaws, and which real CVEs in TensorFlow, PyTorch, and MLflow demand attention.
defense 2 posts
- How to Triage an ML-Stack CVE: A Practical WorkflowA repeatable workflow for taking an ML-library CVE from 'a scanner flagged it' to a defensible decision — without panic-patching everything or trusting the CVSS number to do your thinking.
- Reading an ML Library CVE: What to Extract Beyond the CVSS ScoreML library CVEs are usually scored against a generic threat model that doesn't match how the library is used in production AI systems. Here's what to actually evaluate.