Moderate severityNVD Advisory· Published Nov 21, 2025· Updated Nov 21, 2025
MLX has Wild Pointer Dereference in load_gguf()
CVE-2025-62609
Description
MLX is an array framework for machine learning on Apple silicon. Prior to version 0.29.4, there is a segmentation fault in mlx::core::load_gguf() when loading malicious GGUF files. Untrusted pointer from external gguflib library is dereferenced without validation, causing application crash. This issue has been patched in version 0.29.4.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
mlxPyPI | < 0.29.4 | 0.29.4 |
Affected products
2- ml-explore/mlxv5Range: < 0.29.4
Patches
Vulnerability mechanics
References
4- github.com/advisories/GHSA-j842-xgm4-wf88ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2025-62609ghsaADVISORY
- github.com/ml-explore/mlx/security/advisories/GHSA-j842-xgm4-wf88ghsax_refsource_CONFIRMWEB
- github.com/pypa/advisory-database/tree/main/vulns/mlx/PYSEC-2025-139.yamlghsaWEB
News mentions
0No linked articles in our index yet.