top of page

The Self-Hosted AI Security Myth: Lessons from Jan AI's Vulnerabilities

  • Writer: ctsmithiii
    ctsmithiii
  • Apr 3
  • 3 min read

Self-hosted AI isn't inherently secure—new Snyk research reveals critical vulnerabilities in Jan AI that allow remote attackers to exploit local systems without authentication.


ree

Many organizations are turning to self-hosted AI models in the race to implement AI solutions while maintaining data privacy. Recent Andreessen Horowitz research indicates this trend is accelerating, with self-hosted AI adoption jumping from 42% to 75% year-over-year. However, a concerning new security report from Snyk Security Labs challenges the assumption that local deployment automatically equals better security.


The Jan AI Vulnerability Discovery

Snyk's research team recently uncovered several critical vulnerabilities in Cortex.cpp, the engine behind Jan AI—an open-source ChatGPT alternative developed by Menlo Research that runs entirely offline. Jan AI has gained popularity among developers and organizations seeking to maintain complete control over their AI infrastructure without relying on third-party cloud providers.


The discovered vulnerabilities expose a troubling reality: running AI locally doesn't inherently protect you from external threats. Among the critical issues identified were:


  1. Path Traversal Vulnerability: Attackers could write arbitrary files to a user's system through a simple exploit that bypasses Same-Origin Policy (SOP) protections.

  2. Out-of-Bounds Read Vulnerabilities: Flaws in the GGUF parser (which handles AI model files) allow attackers to access memory beyond intended boundaries.

  3. Missing CSRF Protection: The lack of Cross-Site Request Forgery protection means attackers can trigger state-changing actions on the local server from malicious websites.

  4. Command Injection: Perhaps most alarmingly, attackers could execute arbitrary code on the victim's system by manipulating the Python engine configuration.


The most concerning aspect is that these vulnerabilities could be exploited through a simple "drive-by" attack. A user merely needs to visit a malicious webpage while their local Jan AI instance is running to compromise their entire system potentially.


The Localhost Security Myth

This research exposes what Snyk calls the "localhost security myth"—the false assumption that locally running applications are inherently secure because they're not exposed to the Internet.


"Running applications locally might give a sense of privacy but isn't by itself secure," notes the Snyk report. "Like you wouldn't deploy a web application without proper authentication and basic security mechanisms, localhost should be treated the same—it's just another origin."


This is particularly relevant for organizations developing proprietary AI models or working with sensitive data. Local deployment can expose even more valuable assets than cloud solutions—including SSH keys, API tokens, and proprietary LLMs.


Implications for IT Professionals

For IT leaders and professionals implementing AI solutions, this research offers several critical takeaways:

  1. Audit All AI Infrastructure: All AI systems require thorough security reviews, whether cloud-based or self-hosted.

  2. Don't Assume Security by Default: Self-hosted solutions may prioritize functionality over security, especially in rapidly evolving open-source projects.

  3. Implement Additional Safeguards: Consider deploying local AI solutions behind properly configured reverse proxies that handle authentication and user management.

  4. Keep Systems Updated: Menlo Research has already patched the vulnerabilities (CVE-2025-2446, CVE-2025-2439, CVE-2025-2445, and CVE-2025-2447), underscoring the importance of applying updates promptly.

  5. Apply Web Application Security Best Practices: Traditional web security principles apply equally to modern AI applications.

Response from Menlo Research

Menlo Research, the creators of Jan AI, responded positively to Snyk's findings. Ramon Perez, Research Engineer at Menlo Research, stated: "We appreciate Snyk's contribution to the growing Local AI ecosystem. Their security research helps strengthen the entire open-source AI community."


The company highlighted that open-source transparency enabled "rapid identification and remediation of security concerns," positioning this as an advantage over closed-source solutions where vulnerabilities might remain undiscovered.


The Path Forward

As AI implementation continues to accelerate across industries, the Jan AI vulnerability discovery is a timely reminder that security cannot be an afterthought. Organizations must approach AI deployment with a security-first mindset, regardless of whether they choose cloud or local solutions.


The open-source AI community has demonstrated resilience through its swift response to these vulnerabilities. This collaborative approach to security strengthens the ecosystem, but users must remain vigilant and implement additional security layers rather than trusting that locality equals safety.


This research offers a valuable lesson for IT professionals navigating the complex landscape of AI deployment options: when it comes to security, there are no shortcuts—only thoughtful implementation of proven security principles.

 
 
 

© 2025 by Tom Smith

bottom of page