CVE-2025-2129
Published: 09 March 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-2129 is a problematic vulnerability in Mage AI version 0.9.75, stemming from insecure default initialization of a resource (CWE-1188). It affects an unknown part of the software and was published on 2025-03-09.
Remote attackers with no privileges required can initiate exploitation over the network, though it demands high attack complexity and is considered difficult to exploit. Successful attacks result in low impacts to confidentiality, integrity, and availability, per the CVSS 3.1 base score of 5.6 (AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L).
Advisories note that the exploit has been publicly disclosed and may be usable, with references including a GitHub publication detailing the issue and VulDB entries. However, the vulnerability's real existence remains doubted, and after 7 months of researcher follow-ups, Mage AI has rejected it as a valid security issue and confirmed they will not address it. No patches or mitigations are planned.
Details
- CWE(s)
AI Security Analysis
- AI Category
- Other Platforms
- Risk Domain
- Other ATLAS/OWASP Terms
- OWASP Top 10 for LLMs 2025
- None mapped
- MITRE ATLAS Techniques
- None mapped
- Classification Reason
- Mage AI is an open-source platform for building data pipelines specifically designed for AI and ML workflows, fitting under 'Other Platforms' as it is not a framework, library, or specialized in NLP/CV/etc., but a broader AI data engineering platform.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability allows remote exploitation of Mage AI, a public-facing web application/server software component, due to insecure default initialization of a resource.