Critical 9.8 CVSS Vulnerability in sentence-transformers 2.7.0 Exposes AI Projects
A security scan has reported 58 vulnerabilities across the popular `sentence-transformers-2.7.0` Python library and its dependency tree, with the highest-severity flaw scoring the maximum 9.8 on the CVSS scale. This directly affects AI and machine learning projects that rely on the library for multilingual text embeddings and points to a significant supply chain risk. The findings were produced by a Mend security scanner; only partial results are displayed because of GitHub's size limits, which itself indicates that the full scope of the issue is substantial.
The vulnerable library was detected in a dependency file for an AI image search project, specifically at `/examples/ai/image_search/.ws-temp-ONMJFG-requirements.txt`. The installed package resides in a Poetry-managed virtual environment. Among the listed findings is CVE-2025-32434, a critical vulnerability with a 9.8 CVSS score affecting the `torch-2.0.1` dependency. The exploit maturity for this flaw is currently 'Not Defined,' and its EPSS score is 1.2%, suggesting a lower probability of immediate exploitation but an extremely high potential impact if successfully leveraged.
This cluster of vulnerabilities places any application using this specific version of `sentence-transformers` at severe risk. The high number of findings and the presence of a maximum-severity CVE in a transitive dependency indicate deep-seated security issues within the dependency chain. Developers and organizations using this library for embedding tasks should urgently review their pinned dependencies, assess whether the affected code paths are reachable from their own code, and apply the available remediations to mitigate potential remote code execution or data compromise.
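The three steps in the last paragraph (review pins, check reachability, decide on remediation) can be partly automated. The following script is an added example written for this article; it is not the Mend scanner's output nor code from the sentence-transformers project. It parses a pinned requirements file, compares the `torch` pin against a small advisory table, and walks a source file with `ast` to find call sites of the affected API. The requirements text and the source snippet are constructed samples. The advisory row assumes, from the upstream advisory rather than from this article, that CVE-2025-32434 concerns `torch.load` and is fixed in torch 2.6.0; confirm the threshold against the advisory before acting on the output.

```python
"""Dependency audit plus reachability check for a pinned requirements file.

Added example, not the article's or the scanner's code. The fixed version and
affected API for CVE-2025-32434 are assumptions taken from the upstream advisory.
"""
import ast
import re
from dataclasses import dataclass

# Constructed sample of a pinned requirements file, in the format the scanner read.
SAMPLE_REQUIREMENTS = """\
# example pins (constructed)
sentence-transformers==2.7.0
torch==2.0.1
numpy==1.26.4
"""

# Constructed sample of application code that deserializes a checkpoint.
SAMPLE_SOURCE = """\
import torch
from sentence_transformers import SentenceTransformer

def load_index(path):
    return torch.load(path)  # deserializes a checkpoint from disk

def embed(model, texts):
    return model.encode(texts)
"""

# Minimal advisory table: package -> (CVE id, first fixed version, affected API).
# ASSUMPTION: threshold 2.6.0 and API torch.load come from the upstream advisory.
ADVISORIES = {
    "torch": ("CVE-2025-32434", "2.6.0", "torch.load"),
}


@dataclass
class Finding:
    package: str
    installed: str
    cve: str
    fixed_in: str
    api: str


def parse_version(v: str) -> tuple:
    """Turn '2.0.1' into (2, 0, 1); non-numeric suffixes are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def parse_requirements(text: str) -> dict:
    """Collect 'name==version' pins; comments, blanks and unpinned lines are skipped."""
    pins = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"^([A-Za-z0-9_.-]+)\s*==\s*([0-9][0-9A-Za-z.]*)$", line)
        if m:
            pins[m.group(1).lower()] = m.group(2)
    return pins


def audit(pins: dict) -> list:
    """Return a Finding for every pin below the first fixed version in the table."""
    findings = []
    for pkg, version in pins.items():
        if pkg in ADVISORIES:
            cve, fixed, api = ADVISORIES[pkg]
            if parse_version(version) < parse_version(fixed):
                findings.append(Finding(pkg, version, cve, fixed, api))
    return findings


def reachable_calls(source: str, dotted_name: str) -> list:
    """Line numbers where `module.attr` (e.g. torch.load) is called in the source."""
    module, attr = dotted_name.split(".")
    hits = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            f = node.func
            if (isinstance(f, ast.Attribute) and f.attr == attr
                    and isinstance(f.value, ast.Name) and f.value.id == module):
                hits.append(node.lineno)
    return sorted(hits)


def report(requirements: str, source: str) -> list:
    """Combine the audit with reachability so each finding says whether it matters here."""
    out = []
    for fnd in audit(parse_requirements(requirements)):
        lines = reachable_calls(source, fnd.api)
        out.append({
            "cve": fnd.cve,
            "package": f"{fnd.package}=={fnd.installed}",
            "upgrade_to": f">={fnd.fixed_in}",
            "reachable_at_lines": lines,
            "action": "upgrade now" if lines else "upgrade; API not called directly",
        })
    return out


if __name__ == "__main__":
    for row in report(SAMPLE_REQUIREMENTS, SAMPLE_SOURCE):
        print(row)
```

The reachability check only catches direct `torch.load(...)` calls; a real audit should also follow aliases and calls made inside the library itself, which is why the recommended action is still to upgrade even when no call site is found.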