I Found 5 Security Vulnerabilities in XGBoost. Here's What Happened
Dev.to AI • Machine Learning
XGBoost is one of the most important libraries in machine learning. 26,000+ GitHub stars. Used by banks for fraud detection, insurance companies for risk modeling, tech companies for ranking systems, and pretty much every competitive ML team on Kaggle. If you've done production ML in the last decade, chances are XGBoost is somewhere in your stack. I decided to audit it. What I found were 5 distinct vulnerabilities spanning memory safety in C++, unsafe deserialization in Python, a concurrency bug in the model loader, and a fundamentally broken authentication scheme in the distributed.