top of page
Search

The Hidden Dangers in Open-Source AI: Recent Vulnerabilities Demand Attention

  • Writer: Aastha Thakker
    Aastha Thakker
  • Oct 29, 2025
  • 4 min read

Today we will be discussing about something that’s been keeping security researchers up at night: critical vulnerabilities in open-source AI frameworks.


Researchers at a company called Protect AI found serious security problems in common AI software that many people use every day. It’s like finding out the locks on your front door aren’t working properly — it’s a big deal and potentially dangerous.


Why Should You Care?


Imagine you’ve built an AI model (bhai just imagine) to predict customer behavior for your business. You’re using open-source tools because they’re free and powerful. But what if I told you that someone could:


  • Steal your training data

  • Access your customers’ information

  • Modify your AI model’s predictions

  • Run expensive computations on your account


Sounds scary, right?


What are the recent vulnerabilities?


1. IDOR


Insecure Direct Object Reference is like having apartment doors that anyone can open just by changing the apartment number.

# VULNERABLE CODE@app.route(‘/api/model/predict/<model_id>’)def get_prediction(model_id): # This code just trusts that you should have access to any model_id! model = AI_Model.load(model_id) return model.predict(request.data)# SECURE CODE@app.route(‘/api/model/predict/<model_id>’)def get_prediction(model_id): # First, check if this model belongs to the current user if not belongs_to_current_user(model_id): return “Access denied!”, 403  model = AI_Model.load(model_id) return model.predict(request.data)

How attackers can exploit this?

# An attacker could simply try different model IDs:for model_id in range(1, 1000): response = requests.get(f”https://api.example.com/api/model/predict/{model_id}") if response.status_code == 200: print(f”Found accessible model: {model_id}”)

2. Improper Access Control


Think of your building where the security guard only checks if you have an ID card, but doesn’t check what areas you’re allowed to access.

# VULNERABLE CODEclass AISystem: def train_model(self, user, data): if user.is_logged_in: # Only checks if user is logged in return self.start_training(data)# SECURE CODEclass AISystem: def train_model(self, user, data): # Checks multiple conditions if not user.is_logged_in: return “Please log in” if not user.has_training_permission: return “You don’t have permission to train models” if self.is_user_over_quota(user): return “You’ve exceeded your training quota” return self.start_training(data)

How attackers can exploit this?

# Attacker finds they can access admin features just by adding ‘admin=true’regular_url = “api.example.com/train_model”attack_url = “api.example.com/train_model?role=admin”# No proper checks = free access to admin features!response = requests.post(attack_url, json={‘model_type’: ‘premium’})

3. Path Traversal


In path traversal, an attacker can use special characters (like “../” or “..” ) to access files and folders they shouldn’t be able to see on a server or system.

# VULNERABLE CODEdef load_ai_model(model_name): # Dangerous! Can load files from anywhere path = f”models/{model_name}” return open(path).read()# Attacker could use: “../../../../passwords.txt”# SECURE CODEdef load_ai_model(model_name): # Only allow alphanumeric names if not model_name.isalnum(): return “Invalid model name”  # Force path to be in models directory safe_path = os.path.join(“models”, model_name) if not safe_path.startswith(“models/”): return “Nice try! Access denied”  return open(safe_path).read()

How attackers can exploit this?

# Attacker’s codedangerous_paths = [   “../../../etc/passwd”, # Try to read system passwords   “../../../var/log/app.log”, # Try to read application logs   “../../../config/database.yaml” # Try to read database credentials]for path in dangerous_paths: try:   response = requests.get(f”https://ai-api.example.com/model/{path}")   if response.status_code == 200:     print(f”Found sensitive file: {path}”) except:   continue

4. Timing attacks



In this, attackers analyze how long a system takes to respond to different inputs to figure out secret information. For example, if a password check is slightly slower when the first character is correct, attackers can use these tiny time differences to gradually guess the full password.

# VULNERABLE CODEdef check_api_key(provided_key): correct_key = “secret123”  # This is bad because it stops checking at the first wrong character if len(provided_key) != len(correct_key): return False for i in range(len(provided_key)): if provided_key[i] != correct_key[i]: return False return True# SECURE CODEdef check_api_key(provided_key): correct_key = “secret123”  # This always takes the same time regardless of input if len(provided_key) != len(correct_key): return False  result = True for i in range(len(correct_key)): if i < len(provided_key): result &= (provided_key[i] == correct_key[i]) return result

How attackers can exploit this?

# Timing attack to guess an API keyimport timedef measure_response_time(key): start = time.time() requests.get(“https://api.example.com", headers={“API-Key”: key}) end = time.time() return end — start# Try different keys and measure response timesdef guess_key(): known_key = “” characters = “abcdefghijklmnopqrstuvwxyz0123456789”  while len(known_key) < 8: # Assuming 8-character key times = {} for c in characters: guess = known_key + c # Test each guess multiple times for accuracy times[c] = sum(measure_response_time(guess) for _ in range(100))  # Character with longest response time is probably correct next_char = max(times.items(), key=lambda x: x[1])[0] known_key += next_char print(f”Found character: {known_key}”)

“Is open-source AI still safe to use?”


The short answer is yes — but with proper precautions. Open-source AI is like a powerful tool that needs to be handled with care and respect.




Top Vulnerabilities


  1. Timing Attack in LocalAI


    Impact: Attackers can determine valid API keys through response time analysis.


    Severity: High (CVSS: 7.5)


  2. Insecure Direct Object Reference (IDOR) in Lunary


    Impact: Unauthorized users can view or delete internal user data by manipulating IDs.


    Severity: Critical (CVSS: 9.1)

  3. Local File Inclusion (LFI) in chuanhuchatgpt


    Impact: Attackers can exploit this to include files on the server.


    Severity: High (CVSS: 7.5)

Test Your Understanding


Try to spot the vulnerability in this code:

import osuser_id = request.args.get('user_id')data_path = f"/data/{user_id}.csv"print(f"Accessing file path: {data_path}")file = open(data_path, 'r')    data = file.read()    file.close()return f"Data: {data}"

What’s wrong with this code? Think about:

  1. Authentication

  2. Authorization

  3. Input validation

  4. Rate limiting

  5. Resource constraints

How are you protecting your AI systems? Have you encountered any security issues with open-source AI frameworks? Share your experiences in the comments below or the above answer — let’s learn together!


Comments

bottom of page