Is mlx affected by CVE-2025-62608?

PyPI mlx is affected in <0.29.4.

Is CVE-2025-62608 being exploited?

Not on the CISA KEV list. EPSS exploit probability is 0.5%.

critical

CVE-2025-62608

Q: Is CVE-2025-62608 being exploited?

Not on the CISA KEV list. EPSS exploit probability is 0.5%.

PyPI · mlx

Summary

MLX is an array framework for machine learning on Apple silicon. Prior to version 0.29.4, there is a heap buffer overflow in mlx::core::load() when parsing malicious NumPy .npy files. Attacker-controlled file causes 13-byte out-of-bounds read, leading to crash or information disclosure. This issue h

Severity: critical
EPSS: 0.5% (p36)
Also known as: GHSA-w6vg-jg77-2qg6, PYSEC-2025-138
Published: 2025-11-21

References

https://github.com/ml-explore/mlx/pull/1
https://github.com/ml-explore/mlx/pull/2
https://github.com/ml-explore/mlx/security/advisories/GHSA-w6vg-jg77-2qg6

Related advisories

CVE-2025-62609 — high · PyPI/mlx

Is your project exposed to this? Stateward checks every dependency on every pull request and flags it only if your code actually reaches it.

Check my repo

Summarize with AI

ChatGPT Claude Perplexity

Sources: CISA KEV (public domain), OSV.dev & GitHub Advisory Database (CC-BY-4.0), FIRST EPSS, NVD/CWE (public domain). Served live from the Stateward advisory database.