Security Risks Across the AI Application Stack: A Researcher’s Guide

Introduction

The modern AI application stack is being built on JavaScript and TypeScript. From large language model (LLM) orchestration to vector databases, from preprocessing pipelines to edge runtimes, enterprises are wiring AI directly into production systems at unprecedented speed. This stack is powerful, but it is not secure by default.

Application security teams must understand where the risks live. Attacks rarely target the model in isolation. They target the glue code, the runtimes, the frameworks, and the dependencies that stitch AI applications together. The AI stack is just another application stack—but one where immaturity, rapid adoption, and novel attack surfaces collide.

This series will dissect the AI application stack layer by layer, analyzing real-world security issues in the packages, frameworks, and runtimes that developers rely on today.

Mapping the AI Application Stack

The AI application stack can be broken into five layers, each with distinct security considerations.

1. Agent Frameworks

Frameworks such as LangChain, LangGraph, and CrewAI connect LLMs to external tools, APIs, and workflows. They enable automation but expose risks including prompt injection, tool exploitation, and API overreach.

2. Full-Stack Frameworks

Front-end and server-side frameworks such as Next.js (Vercel), React, Vue, and Angular power most enterprise AI applications. They inherit well-known issues like DOM clobbering, cross-site scripting, and dependency compromise.

3. Data Pipelines

Libraries such as TensorFlow.js, Transformers.js, and Hugging Face Datasets/Tokenizers.js handle preprocessing, inference, and embedding management. They introduce risks of poisoned models, dataset manipulation, and WASM runtime vulnerabilities.

4. Vector Databases

Backends such as Pinecone, Weaviate, and Milvus store embeddings and power semantic search. Security issues include data exfiltration through query abuse, metadata injection, and poisoning attacks.

5. Runtimes and Deployment Environments

Execution layers such as Node.js, Deno, and Bun support AI backends. Serverless and edge runtimes such as AWS Lambda, Vercel Edge Functions, and Cloudflare Workers introduce additional risks. Common issues include metadata credential theft, prototype pollution, build pipeline compromise, and misconfigured permissions.

Why Security Teams Need a Stack-Wide View

Security issues in AI applications are not isolated events. They chain across layers. A poisoned dataset ingested through Hugging Face may be embedded into Pinecone, retrieved by LangChain, and then exfiltrated through a Next.js API endpoint running on Vercel Edge. Each layer amplifies the next.

Traditional scanning tools are not designed for this context. They flag theoretical CVEs without proving whether they are exploitable in production. What matters is runtime exploitability: whether the vulnerability is reachable, whether it executes, and whether it can be chained with others.

What This Series Covers

This series will publish 8 posts on:

• Agent Frameworks: LangChain, LangGraph, CrewAI
• Model / LLM Integration SDKs: Vercel AI SDK, OpenAI SDK, Anthropic SDK
• Full-Stack Frameworks: Next.js, React, Vue, Angular
• Data Pipelines: TensorFlow.js, Transformers.js, Hugging Face Datasets/Tokenizers
• Vector Databases: Pinecone, Weaviate, Milvus
• Runtimes: Node.js, Deno, Bun
• Serverless/Edge: AWS Lambda, Vercel Edge Functions, Cloudflare Workers

Each post will document real-world security issues, provide MITRE ATT&CK mappings, and cite references for further research.

Conclusion

The AI application stack is becoming enterprise infrastructure. Its attack surface is broad, immature, and expanding. For security researchers and product security teams, the goal is not to treat AI as “special,” but to treat it as potentially vulnerable application code, because that is what it is.

This series will show how vulnerabilities propagate through the stack and provide a framework for defending AI applications in production.