PYSEC-2025-138
See a problem?- Import Source
- https://github.com/pypa/advisory-database/blob/main/vulns/mlx/PYSEC-2025-138.yaml
- JSON Data
- https://api.osv.dev/v1/vulns/PYSEC-2025-138
- Aliases
- Published
- 2025-11-21T19:16:02.267Z
- Modified
- 2026-05-20T09:19:08.409674Z
- Severity
-
- 9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H CVSS Calculator
- Summary
- [none]
- Details
-
MLX is an array framework for machine learning on Apple silicon. Prior to version 0.29.4, there is a heap buffer overflow in mlx::core::load() when parsing malicious NumPy .npy files. Attacker-controlled file causes 13-byte out-of-bounds read, leading to crash or information disclosure. This issue has been patched in version 0.29.4.
- References
Affected packages
PyPI / mlx
Package
- Name
- mlx
- View open source insights on deps.dev
- Purl
- pkg:pypi/mlx
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed0.29.4
Affected versions
0.*
0.0.2
0.0.3
0.0.4
0.0.5
0.0.6
0.0.7
0.0.9
0.0.10
0.0.11
0.1.0
0.2.0
0.3.0
0.4.0
0.5.1
0.6.0
0.7.0
0.8.1
0.9.1
0.10.0
0.11.1
0.12.2
0.13.0
0.13.1
0.14.1
0.15.2
0.16.3
0.17.3
0.18.1
0.19.3
0.20.0
0.21.1
0.22.1
0.23.2
0.24.2
0.25.2
0.26.1
0.26.2
0.26.3
0.26.5
0.27.1
0.28.0
0.29.0
0.29.1
0.29.2
0.29.3