In March two CVEs were disclosed that should make you question the wisdom of trusting off‑the‑shelf AI frameworks. Spring AI was found to contain SQL injection and JSONPath injection flaws; a simple input validation error lets an attacker read request logs, conversation histories and user profiles as if they were an open book. ONNX is not immune: a vulnerability in onnx.hub.load bypasses model signature verification, allowing anyone to replace the .onnx file and force your system to execute malicious code.
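An added example, not from the original post or from the ONNX project: because the flaw described above lets a replaced .onnx file get past the hub's own verification, a caller can pin the SHA-256 of each reviewed model and check it independently before loading. The file name, digest table and sample bytes are constructed for illustration.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

# Constructed allowlist: model file name -> SHA-256 recorded when the model was reviewed.
# In practice this lives in version control or a signed manifest, not beside the model.
PINNED_SHA256 = {
    "classifier.onnx": hashlib.sha256(b"constructed-model-bytes-v1").hexdigest(),
}

class ModelIntegrityError(Exception):
    """Raised when a model file cannot be tied to a pinned digest."""

def load_verified_model_bytes(path, pinned=PINNED_SHA256):
    """Return the file's bytes only if their SHA-256 matches the pinned digest.

    The file is read once and those same bytes are returned, so the loader never
    re-opens a path that could be swapped between check and use.
    """
    path = Path(path)
    expected = pinned.get(path.name)
    if expected is None:
        raise ModelIntegrityError(f"no pinned digest for {path.name}")
    data = path.read_bytes()
    actual = hashlib.sha256(data).hexdigest()
    if not hmac.compare_digest(actual, expected):
        raise ModelIntegrityError(f"digest mismatch for {path.name}")
    return data  # pass these bytes, not the path, to the ONNX loader

def demo():
    """Run the check on a constructed reviewed file and a constructed replacement."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        model = Path(d) / "classifier.onnx"
        for label, content in [("original", b"constructed-model-bytes-v1"),
                               ("replaced", b"constructed-model-bytes-v2-swapped")]:
            model.write_bytes(content)
            try:
                load_verified_model_bytes(model)
                results[label] = "accepted"
            except ModelIntegrityError as exc:
                results[label] = f"rejected: {exc}"
    return results

if __name__ == "__main__":
    print(demo())
```

A model with no pinned entry is rejected as well, so a new or renamed file has to go through review before anything loads it.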

The impact is far more serious than losing a few lines of code. GDPR and PCI DSS regulators are already prepared to levy multi‑million‑euro penalties for breaches that expose personal or financial data. Reputation damage will follow if you fail to mount a defense in time.

What CEOs need to do now: launch an independent audit of the entire AI stack without delay, formalize a vulnerability management process and create an isolated security perimeter for every project built on Spring AI and ONNX. If you ignore these steps, your AI investments will generate legal and financial firestorms rather than growth.
