Google Big Sleep AI agent surfaces an imminently-exploited SQLite flaw (CVE-2025-6965)
Disclosed vulnerability15 Jul 2025On 15 July 2025 Google announced that its LLM-assisted vulnerability-research agent, Big Sleep (a collaboration between Google DeepMind and Google Project Zero), had discovered CVE-2025-6965 in the SQLite database engine. Per NVD/SQLite, the flaw affects SQLite versions before 3.50.2: when the number of aggregate terms can exceed the number of available columns, an attacker who can inject arbitrary SQL may trigger a numeric-truncation/integer-overflow leading to a memory-corruption (out-of-bounds read) condition; it is fixed in 3.50.2. Google describes it as a critical issue that, in its words, 'was known only to threat actors and was at risk of being exploited.' Notably, Google credits the *combination* of Google Threat Intelligence and Big Sleep — not the agent alone — with predicting that the vulnerability was imminently going to be used and cutting it off beforehand; Google states 'we believe this is the first time an AI agent has been used to directly foil efforts to exploit a vulnerability in the wild.' All of these characterisations (the threat-actor knowledge, the imminent-exploitation prediction, and the 'first time' claim) are Google's own assessment and have not been independently confirmed. Severity is contested: Google scored it CVSS 4.0 = 7.2 (High) while NVD lists a CVSS 3.1 base score of 9.8 (Critical). The case illustrates dual-use agentic-AI capability uplift on the *defensive* side — autonomous vulnerability discovery used to pre-empt exploitation — the complement of attacker-side autonomous-offensive use seen in the GTG-1002 case.
Risks it illustrates
Sources
- Google's latest AI security announcements (Big Sleep / CVE-2025-6965) — The Keyword, Google (Jul 15 2025) ↗
- NVD — CVE-2025-6965 Detail (NIST National Vulnerability Database) ↗
- Google AI 'Big Sleep' Stops Exploitation of Critical SQLite Vulnerability Before Hackers Act — The Hacker News ↗
- Google says 'Big Sleep' AI tool found bug hackers planned to use — The Record (Recorded Future News) ↗
Practise the risk class — related scenarios
Interactive simulations of the risk class this case illustrates (not a re-enactment of this specific event).
Compromise the pipeline that builds agents, and every new worker is born malicious
A cost-saving open-weights swap quietly ships a model with its safety surgically removed
A capable third-party model that behaves perfectly — until it sees the trigger
A trusted MCP email tool quietly BCCs every message to an attacker