Moderate severityNVD Advisory· Published Nov 21, 2025· Updated Nov 21, 2025

MLX has heap-buffer-overflow in load()

CVE-2025-62608

Description

MLX is an array framework for machine learning on Apple silicon. Prior to version 0.29.4, there is a heap buffer overflow in mlx::core::load() when parsing malicious NumPy .npy files. Attacker-controlled file causes 13-byte out-of-bounds read, leading to crash or information disclosure. This issue has been patched in version 0.29.4.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
mlxPyPI	< 0.29.4	0.29.4

Affected products

ml-explore/mlxv5
Range: < 0.29.4

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-w6vg-jg77-2qg6ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2025-62608ghsaADVISORY
github.com/ml-explore/mlx/pull/1ghsax_refsource_MISCWEB
github.com/ml-explore/mlx/pull/2ghsax_refsource_MISCWEB
github.com/ml-explore/mlx/security/advisories/GHSA-w6vg-jg77-2qg6ghsax_refsource_CONFIRMWEB

News mentions

No linked articles in our index yet.

cvss	0.260
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000