CVE-2025-62609 MEDIUM

CVE-2025-62609: MLX has Wild Pointer Dereference in load_gguf()

Vendor Ml-Explore
Product mlx
Weakness CWE-476
Published November 21, 2025
Last update November 21, 2025

CVSS base score

5.5/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P

What the vulnerability does

01Description

MLX is an array framework for machine learning on Apple silicon. Prior to version 0.29.4, there is a segmentation fault in mlx::core::load_gguf() when loading malicious GGUF files. Untrusted pointer from external gguflib library is dereferenced without validation, causing application crash. This issue has been patched in version 0.29.4.

Key dates

02Disclosure timeline

November 21, 2025 CVE published
November 21, 2025 Record updated