| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| mindsdb | pip | >= 23.10.2.0, <= 24.9.2.1 | |
The vulnerability stems from unsafe deserialization in the predict method of the ModelWrapperUnsafe class. The HiddenLayer advisory shows this method calling pickle.loads(model_state) on user-controlled data taken from uploaded models. When the BYOM engine is set to 'inhouse', an uploaded model's state is therefore handed to the standard pickle loader, which reconstructs whatever object graph the bytes describe, including callables that the pickle protocol invokes while loading, so a crafted upload runs attacker-chosen code in the MindsDB process. The linked GitHub code confirms the vulnerable pattern at lines 424-431, where model_state is passed to pickle.loads without any validation. This matches CWE-502 (Deserialization of Untrusted Data).