Nyongesa Sande
No Result
View All Result
  • News
    • World
    • Africa
  • Politics
  • Business
  • Tech
  • AI
  • Telecom
  • Sports
  • Opinion
  • Lifestyle
  • Live
  • World Cup 2026
    • World Cup 2026 Standings
    • World Cup 2026
Nyongesa Sande
No Result
View All Result
Nyongesa Sande
No Result
View All Result
  • News
  • Politics
  • Business
  • Tech
  • AI
  • Telecom
  • Sports
  • Opinion
  • Lifestyle
  • Live
  • World Cup 2026
ADVERTISEMENT

Home » Copy-Paste Vulnerability Hits AI Frameworks at Meta, Nvidia,

Copy-Paste Vulnerability Hits AI Frameworks at Meta, Nvidia,

NyongesaSande News Desk by NyongesaSande News Desk
8 months ago
in Cybersecurity
Reading Time: 2 mins read
A A
Copy-Paste Vulnerability Hits AI Frameworks at Meta, Nvidia,

A chain of critical security vulnerabilities has been discovered across some of the world’s most widely used AI inference frameworks, affecting systems operated by Meta, Nvidia, Microsoft, and several major open-source platforms. According to research by Oligo Security, the flaws stem from insecure code that was repeatedly copied across projects, creating a systemic risk within the global AI ecosystem. Researchers traced the vulnerability to unsafe implementations of ZeroMQ messaging combined with Python’s insecure pickle deserialization. The pattern first appeared in Meta’s Llama Stack before proliferating into Nvidia’s TensorRT-LLM, vLLM, SGLang, and the Modular Max Server. Security experts say the issue highlights a rapidly growing problem in AI development: the spread of unsafe legacy code through copy-and-paste reuse that bypasses rigorous security review.

  • How the ShadowMQ Pattern Spread Across Frameworks
  • Why This Creates Systemic Risk for AI Infrastructure
  • Vendor Response and Recommended Mitigations

How the ShadowMQ Pattern Spread Across Frameworks

Oligo’s investigation found that a Meta component using ZeroMQ’s recv-pyobj() function was directly feeding incoming data into pickle.loads(), allowing arbitrary code execution if exploited through exposed sockets. Because pickle can run code during deserialization, the combination created a simple path for attackers to remotely execute commands. Developers in other frameworks reused the same logic, sometimes with minimal adaptation and occasionally retaining comments indicating the code had been taken from another repository. Oligo has named this phenomenon the ShadowMQ pattern, describing it as an under-the-radar mechanism by which insecure communication layers quietly migrate between AI projects. The flaw was catalogued as CVE-2024-50050 for Meta’s implementation and later assigned matching CVEs when found in vLLM, TensorRT-LLM, and Modular Max Server. All affected vendors have since released patched versions.

Why This Creates Systemic Risk for AI Infrastructure

The compromised inference servers sit at the core of enterprise AI deployments, running models, processing prompts, and handling sensitive customer workloads. Oligo reported finding thousands of publicly exposed ZeroMQ sockets, including some linked to GPU clusters used for commercial AI services. With access to these endpoints, attackers could potentially execute arbitrary code, steal model weights, deploy GPU-based cryptominers, or pivot deeper into an organization’s cloud environment. The issue is particularly concerning because frameworks such as SGLang are used by leading companies including Intel, AMD, Oracle Cloud, xAI, LinkedIn, and major hyperscalers. Security analysts warn that the widespread reliance on interoperable AI components amplifies supply-chain risk, making a single copied flaw capable of impacting the entire downstream ecosystem.

ADVERTISEMENT

Vendor Response and Recommended Mitigations

Meta fixed its implementation by replacing pickle deserialization with JSON-based alternatives in Llama Stack v0.0.41. Nvidia patched TensorRT-LLM in version 0.18.2, while vLLM addressed the issue in version 0.8.0 and Modular resolved it in Max Server v25.6. Oligo recommends immediate upgrades to these patched releases to prevent exploitation. Additional guidance includes eliminating pickle for untrusted data, enforcing HMAC or TLS authentication on ZeroMQ communication channels, and educating development teams on the risks of reusing insecure code. Researchers caution that the incident demonstrates how quickly vulnerabilities can propagate when teams replicate design patterns without verifying their security properties. As AI deployment accelerates across industries, securing inference layers is becoming a top priority for enterprises seeking to protect models, workloads, and infrastructure.

Tags: AI securitycybersecurityMetaMicrosoftNvidiaSGLangShadowMQvLLMZeroMQ
Share2Tweet1SendShareSharePinShareShare
Google Add as a Preferred Source on Google
Previous Post

Nvidia Helped Ignite the AI Boom — Its Next Earnings Could Decide Whether the Rally Returns

Next Post

adminbolt Beta Launches to Give Hosting Providers Control and New Revenue Streams

NyongesaSande News Desk

NyongesaSande News Desk

Nyongesa Sande offers diverse content across news, technology, entertainment, and more, aiming to provide readers with a wide range of informative and engaging articles. NYONGESA SANDE's dedicated team provides our audience not only with the highly relevant news but also with outstanding interactive experience.

Related Posts

Qakbot Returns in Fake CAPTCHA Malware Campaign
Cybersecurity

Qakbot Returns in Fake CAPTCHA Malware Campaign

4 weeks ago
How Biometric Login Is Making Digital Life Easier in Kenya
Cybersecurity

How Biometric Login Is Making Digital Life Easier in Kenya

3 months ago
How To Spot a Cybersecurity Issue Before a Breach
Cybersecurity

How To Spot a Cybersecurity Issue Before a Breach

8 months ago
White Power Worldwide Cyberattack Disrupts Kenya Ministries
Cybersecurity

White Power Worldwide Cyberattack Disrupts Kenya Ministries

8 months ago
Safaricom Cuts Enterprise Cyberattacks by 90% with New Security Tools
Cybersecurity

Safaricom Cuts Enterprise Cyberattacks by 90% with New Security Tools

8 months ago
Best Cybersecurity Solutions for SMBs
Cybersecurity

How to Identify Phishing and Scam Links on Social Media

11 months ago
Load More
Next Post
adminbolt Beta Launches to Give Hosting Providers Control and New Revenue Streams

adminbolt Beta Launches to Give Hosting Providers Control and New Revenue Streams

CVC Acquires Majority Stake in Namecheap for $1.5 Billion

ADVERTISEMENT

Who We Are

Nyongesa Sande

NyongesaSande.com is a digital news and media platform covering breaking news, business, technology, AI, politics, sports, world affairs and African innovation.

Our Brands

  • YouTube
  • Forums
  • Law Archive
  • Sandes Kitchen

News Sections

  • News
    • World
    • Africa
  • Politics
  • Business
  • Tech
  • AI
  • Telecom
  • Sports
  • Opinion
  • Lifestyle
  • Live
  • World Cup 2026
    • World Cup 2026 Standings
    • World Cup 2026

Editorial Standards

  • Editorial Policy
  • Fact Checking Policy
  • Corrections Policy
  • Ethics Policy
  • AI Usage Policy
  • News Tips
  • Submit Press Release

Legal

  • Privacy Policy
  • Terms of Use
  • Cookie Policy
  • Risk Disclaimer
  • Disclaimer
  • DMCA
  • Ad Choices
  • YouTube

Our Company

  • About Us
    • Nyosake Designers
      • Nyosake Webmasters
      • Nyosake Investment
  • Contact Us
    • Newsroom Contact
  • Ownership Disclosure
  • Advertise
  • Privacy Policy
  • Terms of Use
  • Cookie Policy
  • Risk Disclaimer
  • Disclaimer
  • DMCA
  • Ad Choices
  • YouTube

NyongesaSande.com is an independent digital news and media platform covering Africa, business, technology, AI, politics and global developments.

© 2026 NyongesaSande.com. All rights reserved.

No Result
View All Result
  • News
    • World
    • Africa
  • Politics
  • Business
  • Tech
  • AI
  • Telecom
  • Sports
  • Opinion
  • Lifestyle
  • Live
  • World Cup 2026
    • World Cup 2026 Standings
    • World Cup 2026

NyongesaSande.com is an independent digital news and media platform covering Africa, business, technology, AI, politics and global developments.

© 2026 NyongesaSande.com. All rights reserved.