CVE-2025-62608 · CRITICAL 9.1 · EPSS percentile 35.7%

Description

MLX is an array framework for machine learning on Apple silicon. Prior to version 0.29.4, there is a heap buffer overflow in mlx::core::load() when parsing malicious NumPy .npy files. An attacker-controlled file causes a 13-byte out-of-bounds read, leading to a crash or information disclosure. This issue has been patched in version 0.29.4.

Scoring

CVSS 3.1: 9.1 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
EPSS: 0.45% probability of exploitation · percentile 35.7% · 2026-06-18T12:00:27Z
Published: 2025-11-21
Last modified: 2025-12-02

Underlying weaknesses (1)

CWE-122: Heap-based Buffer Overflow

References

  1. https://github.com/ml-explore/mlx/pull/1
  2. https://github.com/ml-explore/mlx/pull/2
  3. https://github.com/ml-explore/mlx/security/advisories/GHSA-w6vg-jg77-2qg6

Type      | Target                                | Confidence | Tier
Weakness  | Heap-based Buffer Overflow (cwe-122)  | 0%         | live

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.