Hunting Vulnerability Variants in AI Infra: Measurement and Reference-Driven Detection
Tian Dong, Yanjun Chen, Shoufeng Zhang, Huaien Zhang, Yunlong Lyu, Keke Lian, Dong Zhang, Shaofeng Li, Hao Chen

TL;DR
This study analyzes the prevalence of vulnerability variants in AI infrastructure repositories and introduces INFRASCOPE, a framework for detecting such variants to improve security.
Contribution
The paper provides the first measurement of vulnerability variants in AI infra and proposes INFRASCOPE for automatic detection based on known disclosures.
Findings
AI infra projects often share vulnerable patterns and functionality.
INFRASCOPE successfully identified over 20 vulnerabilities in real-world repositories.
The framework uncovered 11 acknowledged vulnerabilities and 4 CVE-assigned cases.
Abstract
AI infra has become a shared execution layer for model training, deployment, and agent orchestration. Because many projects reimplement similar model-centric workflows, a vulnerability disclosed in one repository can recur as a variant in another repository with a related design. Yet the prevalence and detectability of these variants remain poorly understood. This paper presents a measurement study of vulnerability variants in AI infra. Analyzing 688 GitHub repositories and 251 publicly disclosed vulnerabilities, we find that AI infra projects frequently share overlapping functionality and recurrent vulnerable patterns, creating a concrete basis for cross-repository variants. Building on this finding, we study how to automatically identify such variants from known disclosures. We propose INFRASCOPE, a reference-driven multi-agent framework that extracts transferable vulnerability…
