Avi Lumelsky

Security Researcher · Software Architect

Security researcher at Oligo Security, focused on AI infrastructure and open-source software. Previously at Deci AI (acquired by NVIDIA), working on inference acceleration and model architecture optimization across hardware and software stacks. I enjoy runtime challenges on both sides: optimizing ML pipelines for low latency or high throughput, building eBPF-based security tooling, identifying overlooked attack vectors, and finding exploitable bugs in software that most of the industry relies on.

Speaker at Black Hat USA & Asia · DEF CON · BlueHat · CNCF · AppSec Village · BSides · THOTCON · OWASP · AI Summit · PyCon

GitHub LinkedIn Medium X/Twitter

Research & Work

Feb 2026

Docling Core RCE

CVE: CVE-2026-24009 - RCE via unsafe PyYAML deserialization in IBM's Docling document processing library (CVSS 8.1)
Blog: Docling RCE: A Shadow Vulnerability Introduced via PyYAML
References: [NVD] [GitHub Issue]

Nov 2025

ShadowRay 2.0 - AI Attacks AI: Self-Propagating Botnet Campaign

Discovery: Active global campaign exploiting CVE-2023-48022 in Ray to hijack AI compute clusters into a self-replicating botnet - the first documented use of AI infrastructure to autonomously attack other AI infrastructure
Scale: 230,000+ Ray servers exposed globally (10× the original ShadowRay discovery); active since at least September 2024
Sophistication: DevOps-style delivery via GitLab/GitHub, LLM-generated payloads, CPU throttling at ~60% to avoid detection, processes disguised as kernel workers
Blog: ShadowRay 2.0: Attackers Turn AI Against Itself in Global Campaign
Coverage: [Forbes] [Dark Reading]
Demo: Live RCE demo

2024–2025

ShadowMQ - Systemic RCE Across AI Inference Frameworks

Insecure ZeroMQ + pickle deserialization reused across the AI ecosystem, affecting Meta, NVIDIA, Modular, vLLM, and others
CVE-2025-60455: RCE in Modular Max Server
CVE-2025-30165: RCE in vLLM
CVE-2025-23254: RCE in NVIDIA TensorRT-LLM [CybersecurityNews]
CVE-2024-50050: RCE in Meta llama-stack [The Hacker News]
Blog: ShadowMQ: How Code Reuse Spread Critical Vulnerabilities Across the AI Ecosystem

2025

Airborne - Wormable Zero-Click RCE in AirPlay

Critical wormable zero-click RCE in Apple's AirPlay protocol. No user interaction required. Affects iPhones, iPads, Macs, Apple TVs, HomePods, and millions of third-party IoT devices
Talk: A Worm in the Apple: Wormable Zero-Click RCE in AirPlay (w/ Uri Katz, Gal Elbaz) - Black Hat USA 2025
Blog: Airborne: Wormable Zero-Click RCE in AirPlay Protocol [Wired]
Checker: Test your device for AirPlay vulnerability

2025

Pwn My Ride - CarPlay Attack Surface & Jailbreaking

Security analysis of Apple CarPlay revealing attack vectors that enable car jailbreaking and vehicle system access via infotainment interfaces
Talk: Pwn My Ride: Jailbreaking Cars with CarPlay - DEF CON 33 / AppSec Village 2025
Blog: Pwn My Ride: Exploring the CarPlay Attack Surface [Wired]

2025

React & Next.js Critical RCE

CVEs: CVE-2025-55182 & CVE-2025-66478 - critical RCE in the world's most widely used frontend framework (w/ Gal Elbaz, Uri Katz)

2025

OpenAI Codex Supply Chain Research

2025

Application Attack Matrix

The Application Attack Matrix: Mapping the Modern Cloud Application Threat Landscape [CyberScoop] [Blog]

2025

Anthropic MCP Inspector RCE

CVE: CVE-2025-49596 - RCE in Anthropic MCP Inspector [The Hacker News]
Exposed API Tokens in .cursor/mcp.json Files

2024–2025

0.0.0.0 Day

Talks: BlueHat IL 2025 · DEF CON 32 / AppSec Village 2024
Blog: 0.0.0.0 Day: Exploiting Localhost APIs From the Browser
Demo: Live RCE demo (THOTCON)
Related: Identify Website Users By Client Port Scanning Using WebAssembly and Go (2021)

2025

Shadow Vulnerabilities in AI

Talk: Shadow Vulnerabilities in AI/ML Data Stacks - CNCF
Blog: Shadow Vulnerabilities in AI: The Hidden Perils Beyond CVEs

2024

Ollama Vulnerabilities

CVEs: CVE-2024-39719/20/21/22
Blog: More Models, More ProbLLMs [The Hacker News]

2024

ShadowRay - First Known Attack Campaign on AI Infrastructure

Campaign: MITRE ATT&CK C0045 - first attack campaign targeting AI workloads identified in the wild
Blog: ShadowRay: First Known Attack Campaign Targeting AI Workloads [Forbes]
Checker: Test your Ray cluster for vulnerabilities
Demo: Live RCE demo (THOTCON)

2024

Shining a Light on Shadow Vulnerabilities

Foundational research defining the shadow vulnerability class - real, exploitable risks that exist at runtime but are invisible to static analysis and dependency scanners
Blog: Shining a Light on Shadow Vulnerabilities (w/ Gal Elbaz)

2024

TensorFlow Keras Downgrade Attack

Discovered a bypass for CVE-2024-3660 that forces Keras model files to load with a downgraded, vulnerable version of TensorFlow - enabling RCE even on patched systems through a dependency confusion path
Blog: CVE-2024-3660 Bypass: TensorFlow Keras Downgrade Attack

2023–2025

eBPF Runtime Security

Podcast: Interview: AI Security Researcher at Oligo Security - eBPFChirp FM (Oct 2025)
Talk: Scaling Runtime Application Security with eBPF - BSides Budapest 2024
Talk: Secimport: Tailor-Made eBPF Sandbox for Python Applications - PyCon Israel 2024
Talk: Discovering Shadow Vulnerabilities via Reverse-Fuzzing - AppSec Village 2023 / OWASP Global 2023
Blogs: App-Level eBPF Applications · Secure PyTorch Models with eBPF · Secure FastAPI with eBPF

2023

ShellTorch - PyTorch TorchServe RCE

Multiple critical vulnerabilities (CVSS 9.9, 9.8) in TorchServe, PyTorch's production model serving framework used by Amazon, Google, and Microsoft. Vulnerabilities allowed unauthenticated remote code execution via SSRF and unsafe deserialization, affecting any publicly exposed TorchServe instance
Talk: ShellTorch: The Next Evolution in *4Shell Executions - CNCF
Blog: ShellTorch Explained: Multiple Vulnerabilities in PyTorch Model Server

2024

Building LLM Agents with Minimal Dependencies

Talk: Agent with Minimal Dependencies - LangTalks Webinar 2024
Code: github.com/avilum/agent - a working agent loop in ~100 lines, no framework required

2020–2022

Early Research

2020–2024

Deci AI → NVIDIA

Part of the founding team as Deep Learning Software Engineer → Software Architect. Worked on inference acceleration and model architecture optimization across hardware targets — NVIDIA GPUs, mobile (iOS/Android), Jetson, TPUs, CPUs, and browsers
Built research pipelines and orchestration infrastructure that enabled research at scale, including the automation layer for Neural Architecture Search (NAS) across any device and hardware stack
Deci acquired by NVIDIA in 2024
Writing: Infery: Deep Learning Inference in 3 Lines of Python

Writing

Projects & Tools

airplay-checker - browser tool to test AirPlay vulnerability exposure on your local network
uvify - converts Python repos into uv-managed environments automatically (87★)
ray-checker - browser tool to test whether a Ray cluster is exposed to CVE-2023-48022
yalla - fast CLI task runner and shell alias manager
agent - minimal LLM agent loop, ~100 lines, no framework dependencies
semantic-search - in-browser semantic search via TensorFlow.js, fully client-side
llama-saas - client/server for running LLaMA models as a local service (61★)
secimport - library-level eBPF sandbox for Python; syscall control per module (234★)
docker-download-anywhere - pull Docker images from registries in restricted environments
audio2text - batch audio transcription CLI built on Whisper
portsscan - web client port-scanner in Go/WASM; the research that led to 0.0.0.0 Day (156★)
jsafer - sandbox and safe eval for untrusted JavaScript
facebook-archive-analyzer - parses and visualizes the data export Facebook provides
waycup - hides web assets from automated security scanners (117★)
syscalls - Linux syscall reference for building eBPF policies
smart-url-fuzzer - context-aware URL fuzzer based on discovered application structure
linqit - LINQ-style list operations for Python (251★)

All projects: github.com/avilum