State of AI Vulnerability 2025
The Reality of AI Vulnerabilities: What the Data Actually Says
There is no shortage of bold claims when it comes to the risks of adopting AI. Industry headlines and vendor white papers often describe AI as a security minefield, warning of rising vulnerabilities and unchecked exposure. However, much of this narrative is built on hearsay and selective framing, rather than grounded fact.
One notable example comes from Wallarm, an API security company that reported over 400 AI-related vulnerabilities in 2024. At first glance, this number seems alarming. But a closer look reveals that the report defines almost any API-adjacent issue as an “AI vulnerability,” regardless of whether it involved a model, framework, or AI-specific behavior. In effect, the report reflects the company’s marketing priorities more than the true state of AI security.
So what is really happening? How many verified vulnerabilities are there in AI systems, and what can they tell us about the actual risks? In this post, we take a clear look at published CVE data from the past two years. The results show that while AI-specific vulnerabilities do exist, their number remains relatively small. More importantly, we are beginning to see consistent patterns in where these issues appear and how they manifest.
Start with the Facts: What the CVEs Tell Us
To understand the real risks of AI adoption, we need to begin with verifiable data. In the cybersecurity world, that means looking at CVEs. The Common Vulnerabilities and Exposures database maintained by the National Institute of Standards and Technology (NIST) is the industry-standard repository for tracking known vulnerabilities. It provides the most consistent way to evaluate how security issues appear over time.
When we query the National Vulnerability Database (NVD) specifically for CVEs involving AI frameworks and their implementations, not just secondary tooling, we find that the actual number of confirmed vulnerabilities is surprisingly small. Although a few edge cases involve secondary platforms like WordPress plugins that integrate AI features, the bulk of AI-specific vulnerabilities fall within a narrow category.
In 2024, only four AI-related CVEs were recorded. All of them involved prompt injection. In 2025, the number has grown to thirteen so far, including a recent example involving the Cursor IDE. This slow growth tells us two things. First, that AI security issues are still emerging. Second, that we are beginning to see the early patterns that define this new category of risk.
The most prominent of these patterns is prompt injection. This makes sense when you consider how modern large language models (LLMs) work. At their core, they process only one type of input: the prompt, which is just a plain string of text. That string is the entire instruction set the model receives. In newer architectures, this prompt may also include authenticated access to outside data sources through technologies like Model Context Protocol (MCP). For example, OpenAI models may use MCP to connect with tools like Bing to perform live web searches.
What this means is that the attack surface is the prompt itself. And right now, prompt injection remains the most common and widely exploitable vulnerability in AI systems. The technique involves crafting input that changes the AI’s behavior or causes it to take unintended actions, often by overriding or redirecting its original instructions.
Once we remove prompt injection from the picture, we are left with a small set of vulnerabilities. Of the thirteen confirmed AI-related CVEs so far in 2025, only three involved prompt injection. In 2024, all four recorded AI vulnerabilities were prompt injection cases. These numbers are far smaller than some vendor reports suggest. The discrepancy lies in how vulnerabilities are classified. Some companies label anything that touches an AI system as an AI vulnerability, even when the flaw is unrelated to model logic or behavior.
So where do the remaining issues come from, if not from the prompt? This is the critical shift we are beginning to observe. As AI systems mature, the vulnerabilities are increasingly found in the infrastructure that supports and delivers the AI. It is not always the model that is compromised. Instead, the surrounding systems—file handling, authentication layers, container environments, and plugin integrations—are becoming the real points of failure. This shift suggests that future AI security must focus not just on what the model says, but on how it is embedded and exposed through software, APIs, and user interfaces.
Man-in-the-Prompt
When we talk about vulnerabilities in AI infrastructure, we are referring to the systems responsible for handling and transforming data before it ever reaches the model. This is where much of the real risk lies. While the LLM itself may be isolated or constrained, the infrastructure that prepares the data is often the weakest point.
Standards like ISO/IEC 42001 emphasize the need for guardrails on both data inputs and outputs. This is especially important because the data flowing into AI systems is often uncontrolled. It may be unstructured, unpredictable, or even adversarial. Allowing uncontrolled data into a system is one of the most dangerous aspects in computing. Every possible way that data could behave maliciously must be accounted for, which is a difficult and evolving challenge.
The vulnerabilities we are now seeing in AI deployments often emerge during the process of preparing that input. This is being called, "Man-in-the-Prompt".Before the LLM sees a prompt, the system might be converting files, extracting content, resolving ambiguities, or sanitizing text. Each of these steps introduces risk. If these preprocessing stages are not hardened, they can become an attack vector themselves.
Man in the Prompt focuses on:
- The preprocessing and infrastructure layers,
- The attack surfaces outside the model, and
- The injection points that are not user-facing but systemic.
For example, consider a common prompt injection case where a student embeds hidden instructions into a PDF file in order to manipulate grading. Before a professor submits that file to an LLM for evaluation, the system must unpack the document. That process should include safeguards to detect and filter out hidden or malicious prompt. It may also need to normalize the language, remove ambiguous phrases, or clean up formatting. Without these steps, raw input can be passed directly to the model, making prompt injection almost inevitable.
This is where several of the recent vulnerabilities have appeared. In some cases, systems unpack files using insecure deserialization methods, opening the door to remote code execution. In others, a container-based runtime fails to isolate the processing environment, allowing an attacker to escape the virtualized layer and access the host system. One vulnerability even occurred in the user interface, where a poorly sanitized chat input allowed for a cross-site scripting (XSS) attack.
These are traditional forms of exploitation, but they are now occurring at the boundary between the AI model and the systems that prepare or display its data. The attack surface is not limited to the model. It includes every stage of data processing, every interface that touches AI output, and every tool that bridges user input with model inference.
Conclusion
Prompt injection remains one of the most important security concerns in AI today. It introduces the risk of data leakage, system manipulation, and unauthorized access to connected services. As more organizations adopt LLMs, the risk extends beyond the model itself. The infrastructure that delivers prompts and handles responses is just as critical and often less protected.
While LLM developers are primarily focused on improving the quality and fluency of model output, the security posture of these systems has not kept pace. As a result, we are beginning to see vulnerabilities emerge not only in the models, but also in the pipelines that feed them data and display their responses.
Looking ahead, this trend is likely to continue. The rapid rise of AI-enhanced applications, low-code integrations, and lightweight plugins often prioritizes functionality over security. We can expect to see attacks targeting all three layers: the prompt, the model, and the infrastructure that surrounds it. For security teams and AI builders, the message is clear. The attack surface is growing, and defensive architecture needs to grow with it.
The Details
The following is a summary of vulnerability by class for 2025:
| Category | Count | Examples | Notes |
|---|---|---|---|
| Remote Code Execution (RCE) | 4 | CVE-2025-0140, 27520, 3248, 23266 | Often via unsafe deserialization or container abuse |
| Prompt Injection / Logic Abuse | 3 | CVE-2025-32711, 54132, 32018 | Prompt-level manipulation, mostly logic flaws |
| Access Control Issues | 3 | CVE-2025-51867, 5071, 23359 | Includes IDOR, missing capability checks |
| File / Path Handling | 2 | CVE-2025-54381, 32018 | Path traversal, SSRF via file upload |
| UI/Script Injection (XSS) | 1 | CVE-2025-5570 | Stored XSS in chatbot interface |
| Denial of Service (DoS) | 1 | CVE-2025-6398 | Null pointer dereference in an AI support tool |
2025 AI CVE List:
| CVE ID | Product / Vendor | Vulnerability Type |
|---|---|---|
| CVE‑2025‑23266 | NVIDIA Container Toolkit | Container escape / privilege escalation |
| CVE‑2025‑0132 & CVE‑2025‑23359 | NVIDIA Toolkit | Container escape bypass |
| CVE‑2025‑0140 | NVIDIA RAPIDS (cuDF/cuML) | Insecure deserialization / RCE |
| CVE‑2025‑32711 | Microsoft 365 Copilot | AI command/prompt injection |
| CVE‑2025‑32018 | Cursor AI Editor | Prompt-influenced path traversal |
| CVE‑2025‑54132 | Cursor AI Editor | Embedded prompt injection via content |
| CVE‑2025‑3248 | Langflow | API code injection |
| CVE‑2025‑51867 | Deepfiction AI | IDOR / cross-account abuse |
| CVE‑2025‑5071 | AI Engine WP plugin v2.8.x | Missing auth / MCP misuse |
| CVE‑2025‑5570 | AI Engine WP plugin v2.8.x | Stored XSS in chatbot UI |
| CVE‑2025‑27520 | BentoML (v1.4.2) | Unsafe deserialization / RCE |
| CVE‑2025‑54381 | BentoML (v1.4.0–1.4.19) | SSRF via file upload |
| CVE‑2025‑6398 | ASUS AI Suite 3 | Null pointer crash (DoS) |
2024 list
| CVE ID | Affected Product / Library | Vulnerability Type |
|---|---|---|
| CVE‑2024‑8309 | LangChain (GraphCypherQAChain) | Prompt-injection → SQL injection |
| CVE‑2024‑5565 | Vanna.AI (text‑to‑SQL model) | Prompt injection → RCE |
| CVE‑2024‑12366 | PandasAI | Prompt injection → RCE |
| CVE‑2024‑48919 | Cursor AI Editor | Prompt injection via i |
