Heap Buffer Overflow Vulnerability in MLX Framework for Apple Silicon
CVE-2025-62608

5.5MEDIUM

Key Information:

Vendor

Ml-explore

Status
Mlx
Vendor
CVE Published:
21 November 2025

What is CVE-2025-62608?

The MLX framework, designed for machine learning on Apple silicon, is susceptible to a heap buffer overflow that occurs in the mlx::core::load() function when processing specially crafted NumPy .npy files. This vulnerability allows an attacker to manipulate the input file, resulting in a 13-byte out-of-bounds read. Exploiting this issue may cause the application to crash or potentially leak sensitive information. Users are strongly advised to upgrade to version 0.29.4 or later, where this security flaw has been addressed.

Affected Version(s)

mlx < 0.29.4

References

https://github.com/ml-explore/mlx/security/advisories/GHS...
x_refsource_CONFIRM
https://github.com/ml-explore/mlx/pull/1
x_refsource_MISC
https://github.com/ml-explore/mlx/pull/2
x_refsource_MISC

CVSS V4

Score:
5.5
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.
CVE-2025-62608 : Heap Buffer Overflow Vulnerability in MLX Framework for Apple Silicon