Researchers reveal RCE flaws in AI inference engines and Cursor IDE from unsafe code reuse.

The Tidyverse Blog offers insights, tutorials, and updates on the Tidyverse, a collection of R packages for data science and statistical computing. Covering topics such as data manipulation, visualization, and analysis, the blog provides resources for R developers looking to leverage the power of the Tidyverse for their data projects. Developers can learn how to use Tidyverse packages effectively to clean, transform, and analyze data in R.

The Hacker News

Critical remote code execution vulnerabilities have been discovered in major AI inference engines from Meta, Nvidia, Microsoft, and open-source projects like vLLM and SGLang. The flaws stem from unsafe deserialization of Python's pickle module over ZeroMQ sockets, a pattern called ShadowMQ that spread through code reuse across projects. Attackers could exploit these vulnerabilities to execute arbitrary code, steal models, or deploy malware on AI infrastructure clusters. Most vendors have patched the issues, though some remain unresolved. Separately, researchers found JavaScript injection vulnerabilities in Cursor IDE that could compromise developer workstations through malicious MCP servers or extensions.

Researchers Find Serious AI Bugs Exposing Meta, Nvidia, and Microsoft Inference Frameworks