@blamejs/exceptd-skills 0.13.102 → 0.13.104

package/data/cve-catalog.json

@@ -9253,104 +9253,6 @@
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
     "_kev_short_description": "Aquasecurity Trivy contains an embedded malicious code vulnerability that could allow an attacker to gain access to everything in the CI/CD environment, including all tokens, SSH keys, cloud credentials, database passwords, and any sensitive configuration in memory."
   },
-  "CVE-2026-33017": {
-    "name": "Langflow Code Injection Vulnerability",
-    "type": "RCE",
-    "cvss_score": 9.8,
-    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
-    "cvss_note": "Operator estimate inferred from KEV vulnerabilityName + shortDescription classification (no per-CVE NVD lookup at bulk-import time). Refine via `exceptd refresh --advisory <CVE-ID> --apply` for NVD/GHSA/OSV enrichment.",
-    "cisa_kev": true,
-    "cisa_kev_date": "2026-03-25",
-    "cisa_kev_due_date": "2026-04-08",
-    "poc_available": true,
-    "poc_description": "KEV-listed actively-exploited vulnerability. CISA listing 2026-05 catalog version. Required action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable..",
-    "ai_discovered": false,
-    "ai_discovery_source": "unknown",
-    "ai_discovery_notes": "Bulk-imported KEV entry — AI-discovery provenance not surfaced in the KEV record. Refine via NVD/GHSA enrichment if researcher attribution names an AI tool.",
-    "ai_assisted_weaponization": false,
-    "ai_assisted_notes": "Bulk-imported KEV entry — weaponization-channel attribution not in KEV.",
-    "active_exploitation": "confirmed",
-    "active_exploitation_notes": "KEV listing is CISA's confirmed-exploitation attestation. The dateAdded is the formal KEV listing date; the actual in-wild observation may predate it by weeks.",
-    "affected": "Langflow Langflow — see vendor advisory linked in verification_sources for affected version ranges.",
-    "affected_versions": [
-      "Langflow Langflow — versions per vendor advisory"
-    ],
-    "vector": "Langflow contains a code injection vulnerability that could allow building public flows without requiring authentication.",
-    "complexity": "moderate",
-    "complexity_notes": "Bulk-imported — exploitation complexity not extracted from KEV record. Treat as moderate-by-default; refine when researcher writeup published.",
-    "patch_available": true,
-    "patch_required_reboot": true,
-    "live_patch_available": false,
-    "live_patch_tools": [],
-    "live_patch_notes": "No live-patch tool registered for this entry at bulk-import time. Vendor patch typically requires service restart or system reboot per the KEV requiredAction.",
-    "vendor_update_paths": [
-      "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable."
-    ],
-    "framework_control_gaps": {
-      "NIST-800-53-SI-2": "30-day flaw-remediation SLA inadequate for CISA-KEV-listed actively-exploited CVE. CISA due date is the operationally-meaningful clock — typically 14-21 days for new KEV listings.",
-      "ISO-27001-2022-A.8.8": "Vulnerability management standard does not differentiate between routinely-disclosed CVEs and actively-exploited KEV-listed CVEs. KEV listing collapses 'patch-cycle response' to 'incident-speed response'.",
-      "NIST-800-53-AC-6": "Least-privilege presumes a working authentication / authorization boundary. The KEV-listed exploit demonstrates the boundary is breakable from a baseline context."
-    },
-    "atlas_refs": [],
-    "attack_refs": [
-      "T1190"
-    ],
-    "rwep_score": 77,
-    "rwep_factors": {
-      "cisa_kev": 25,
-      "poc_available": 20,
-      "ai_factor": 0,
-      "active_exploitation": 20,
-      "blast_radius": 22,
-      "patch_available": -15,
-      "live_patch_available": 0,
-      "reboot_required": 5
-    },
-    "rwep_notes": "P1 — KEV-listed confirmed exploitation. blast_radius=22 (standard vendor-product scope). Bulk-imported via v0.13.17 KEV intake — score reflects KEV+PoC+active_exploitation contributions; refine factors when per-CVE research publishes.",
-    "epss_score": null,
-    "epss_date": "2026-05-18",
-    "epss_note": "EPSS not refreshed at bulk-import. Pull via FIRST EPSS API per-CVE in a future refresh.",
-    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2026-33017",
-    "cwe_refs": [
-      "CWE-94",
-      "CWE-95",
-      "CWE-306"
-    ],
-    "source_verified": "2026-05-18",
-    "verification_sources": [
-      "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
-      "https://github.com/langflow-ai/langflow/security/advisories/GHSA-vwmf-pq79-vjvx",
-      "https://nvd.nist.gov/vuln/detail/CVE-2026-33017"
-    ],
-    "vendor_advisories": [
-      {
-        "vendor": "CISA KEV",
-        "advisory_id": "CVE-2026-33017",
-        "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
-        "severity": "high",
-        "published_date": "2026-03-25"
-      },
-      {
-        "vendor": "Langflow",
-        "advisory_id": null,
-        "url": "https://github.com/langflow-ai/langflow/security/advisories/GHSA-vwmf-pq79-vjvx",
-        "severity": "high",
-        "published_date": "2026-03-25"
-      },
-      {
-        "vendor": "Langflow",
-        "advisory_id": null,
-        "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33017",
-        "severity": "high",
-        "published_date": "2026-03-25"
-      }
-    ],
-    "last_updated": "2026-05-18",
-    "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-03-25; due date 2026-04-08. Notes reference: https://github.com/langflow-ai/langflow/security/advisories/GHSA-vwmf-pq79-vjvx ; https://nvd.nist.gov/vuln/detail/CVE-2026-33017",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Langflow contains a code injection vulnerability that could allow building public flows without requiring authentication."
-  },
   "CVE-2025-34291": {
     "name": "Langflow Account Takeover + RCE (CORS / refresh-token chain)",
     "type": "RCE",
@@ -15913,6 +15815,444 @@
     "_intake_method": "manual-verified-curation",
     "_kev_short_description": "PandasAI chat natural-language interface runs LLM-generated Python without separating malicious input, so prompt injection yields unauthenticated RCE / sandbox escape (CWE-94); no fixed release - enable the security agent + sandbox."
   },
+  "CVE-2025-3248": {
+    "name": "Langflow /api/v1/validate/code Unauthenticated Code Injection (CISA KEV)",
+    "type": "RCE",
+    "cvss_score": 9.8,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+    "cvss_note": "VulnCheck (CNA) CVSS v3.1 base 9.8 (CRITICAL). The /api/v1/validate/code endpoint compiles and runs attacker-supplied Python with no authentication, so a crafted HTTP request runs arbitrary code on the host (CWE-94 + CWE-306).",
+    "cisa_kev": true,
+    "cisa_kev_date": "2025-05-05",
+    "cisa_kev_due_date": "2025-05-26",
+    "poc_available": true,
+    "poc_description": "VulnCheck published a working proof-of-concept and analysis; exploitation is a single unauthenticated POST to /api/v1/validate/code.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed via GitHub Security Advisory (https://github.com/advisories/GHSA-rvqx-wpfh-mfx7). The abused surface is a widely used visual LLM app/agent builder (Langflow).",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; an unauthenticated endpoint on an LLM app builder reaches a code-execution sink.",
+    "active_exploitation": "confirmed",
+    "active_exploitation_notes": "CISA added CVE-2025-3248 to the Known Exploited Vulnerabilities catalog on 2025-05-05 (due 2025-05-26) - confirmed active exploitation. Mass scanning and botnet activity against internet-exposed Langflow instances was reported following VulnCheck's public proof-of-concept; Sysdig documented an end-to-end compromise of an exposed Langflow instance within hours.",
+    "affected": "Langflow before 1.3.0.",
+    "affected_versions": [
+      "Langflow < 1.3.0"
+    ],
+    "vector": "Langflow is a popular visual builder for LLM agents and flows. Before 1.3.0 its /api/v1/validate/code endpoint accepts code in an HTTP request and runs it through a Python compile-and-run path to 'validate' it, but the endpoint requires no authentication - so any remote attacker who can reach the server runs arbitrary code (CWE-94 code injection + CWE-306 missing authentication). VulnCheck published the analysis and PoC; CISA KEV-listed it.",
+    "complexity": "low",
+    "complexity_notes": "AV:N / AC:L / PR:N / UI:N - network-reachable, unauthenticated, no user interaction; a single crafted request to the validate-code endpoint runs code.",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "Remediation is upgrading to 1.3.0 or later; redeploy, no host reboot.",
+    "vendor_update_paths": [
+      "Upgrade Langflow to the latest release (1.3.0 closed this route; 1.9.0+ closes the sibling flow-build route in CVE-2026-33017). Do not expose Langflow to untrusted networks, place it behind authenticated reverse-proxy access control, and treat every flow validate/build/run endpoint as a code-execution surface."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-AC-3": "Access enforcement is missing on a code-execution endpoint - the flow validate/build path is reachable without authentication (CWE-306).",
+      "NIST-800-53-IA-2": "The LLM app builder does not authenticate callers before reaching a code-execution endpoint.",
+      "NIST-800-53-SI-3": "Malicious-code protection does not treat the app builder's code validate/build endpoint as an attacker-reachable execution channel.",
+      "NIST-800-53-CM-7": "Least-functionality is not enforced: a public endpoint runs flow-supplied / submitted code through a compile-and-run path without sandboxing.",
+      "ISO-27001-2022-A.5.15": "Access control does not gate the LLM app builder's code-execution endpoints.",
+      "ISO-27001-2022-A.8.28": "Secure-coding expectations do not address running externally supplied code through a dynamic-execution sink on a public endpoint.",
+      "NIS2-Art21-identity-management": "Article 21 access-control measures do not reach the LLM app builder's unauthenticated execution endpoints.",
+      "DORA-Art-9": "ICT protection measures do not model an LLM app builder's public code endpoint as an ICT-risk event.",
+      "UK-CAF-B4": "System Security objective has no objective for authenticating and sandboxing LLM app-builder execution endpoints.",
+      "AU-ISM-1546": "Patch-application control does not single out LLM app builders.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework treats a visual LLM app/agent builder's flow validate/build endpoints as privileged execution surfaces that must authenticate and sandbox submitted code."
+    },
+    "atlas_refs": [
+      "AML.T0049"
+    ],
+    "attack_refs": [
+      "T1190",
+      "T1059",
+      "T1059.006"
+    ],
+    "rwep_score": 78,
+    "rwep_factors": {
+      "cisa_kev": 25,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 20,
+      "blast_radius": 28,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Critical (RWEP 78, \"patch within 24 hours\" band per lib/scoring.js timeline). CISA KEV-listed (added 2025-05-05) and actively exploited: cisa_kev=25 + active_exploitation(confirmed)=20 + poc_available=20 + blast_radius=28, minus patch_available 15. The patch credit does not pull it out of the P1 band because real-world exploitation is confirmed. This is the first of two Langflow flow-execution endpoints KEV-listed for the same unauthenticated code-injection class - its sibling CVE-2026-33017 (the public flow-build endpoint, KEV 2026-03-25) also scores P1, which is the lesson: the first fix closed one route but not the class.",
+    "epss_score": null,
+    "epss_date": "2026-05-25",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2025-3248",
+    "cwe_refs": [
+      "CWE-94",
+      "CWE-306"
+    ],
+    "iocs": {
+      "behavioral": [
+        "Unauthenticated POST requests to /api/v1/validate/code carrying Python payloads (decorators, imports, or default-argument tricks that run at compile time).",
+        "Langflow process spawning shell, network, or file-system child processes from the code-validation path.",
+        "Internet-exposed Langflow ( /api/v1/validate/code reachable without auth) being scanned or hit by known PoC payloads."
+      ],
+      "_ioc_source_note": "Behavioral signatures anchored to the GitHub Security Advisory advisory (https://github.com/advisories/GHSA-rvqx-wpfh-mfx7), VulnCheck's research (https://www.vulncheck.com/blog/langflow-rce), the CISA KEV listing, and CWE-94/CWE-306."
+    },
+    "source_verified": "2026-05-25",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2025-3248",
+      "https://github.com/advisories/GHSA-rvqx-wpfh-mfx7",
+      "https://www.vulncheck.com/blog/langflow-rce",
+      "https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "GitHub Security Advisory",
+        "advisory_id": "CVE-2025-3248",
+        "url": "https://github.com/advisories/GHSA-rvqx-wpfh-mfx7",
+        "severity": "critical",
+        "published_date": "2025-06-17"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2025-3248",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-3248",
+        "severity": "critical",
+        "published_date": "2025-06-17"
+      }
+    ],
+    "last_updated": "2026-05-25",
+    "discovery_attribution_note": "Manually curated from the GitHub Security Advisory advisory (https://github.com/advisories/GHSA-rvqx-wpfh-mfx7, CWE-94/CWE-306) + NVD + VulnCheck (CNA, CVSS v3.1 9.8) + the CISA KEV listing (added 2025-05-05). Visual LLM app/agent-builder flaw (Langflow); shares the app-builder execution-endpoint control NEW-CTRL-103.",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Langflow's /api/v1/validate/code endpoint runs attacker-supplied Python with no authentication (CWE-94/CWE-306), giving unauthenticated RCE; CISA KEV (added 2025-05-05, actively exploited), fixed in 1.3.0."
+  },
+  "CVE-2026-33017": {
+    "name": "Langflow Public Flow-Build Endpoint Unauthenticated Remote Code Execution (CISA KEV)",
+    "type": "RCE",
+    "cvss_score": 9.8,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+    "cvss_note": "NIST (NVD) CVSS v3.1 base 9.8 (CRITICAL); the GitHub (CNA) advisory rates it CVSS v4.0 9.3 (CRITICAL). The unauthenticated POST /api/v1/build_public_tmp/{flow_id}/flow endpoint accepts attacker-controlled flow data containing Python that runs through an unsandboxed dynamic-execution sink (CWE-94 / CWE-95 / CWE-306).",
+    "cisa_kev": true,
+    "cisa_kev_date": "2026-03-25",
+    "cisa_kev_due_date": "2026-04-08",
+    "poc_available": true,
+    "poc_description": "The advisory ships a full proof-of-concept: obtain a public flow id via AUTO_LOGIN, then POST attacker-controlled flow data with embedded Python to /api/v1/build_public_tmp/{flow_id}/flow; the advisory documents a confirmed end-to-end RCE.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed via GitHub Security Advisory (https://github.com/advisories/GHSA-vwmf-pq79-vjvx). The abused surface is a widely used visual LLM app/agent builder (Langflow).",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; an unauthenticated endpoint on an LLM app builder reaches a code-execution sink.",
+    "active_exploitation": "confirmed",
+    "active_exploitation_notes": "CISA added CVE-2026-33017 to the Known Exploited Vulnerabilities catalog on 2026-03-25 (due 2026-04-08) - confirmed active exploitation. This is the SECOND Langflow flow-execution endpoint to be KEV-listed: the CVE-2025-3248 fix (1.3.0) closed /api/v1/validate/code, but the public flow-build route remained an unauthenticated code-execution path and was itself exploited in the wild. A full proof-of-concept ships in the advisory.",
+    "affected": "Langflow through 1.8.2.",
+    "affected_versions": [
+      "Langflow <= 1.8.2"
+    ],
+    "vector": "After the CVE-2025-3248 fix, Langflow's public flow execution surface remained exploitable through a different route: the unauthenticated POST /api/v1/build_public_tmp/{flow_id}/flow endpoint accepts attacker-controlled flow definitions whose embedded Python runs through an unsandboxed dynamic-execution sink. A remote unauthenticated attacker reaches code execution again - the same code-injection class recurring on a new endpoint, and CISA KEV-listed a second time. Fixed in 1.9.0.",
+    "complexity": "low",
+    "complexity_notes": "NVD AV:N / AC:L / PR:N / UI:N - the public flow-build endpoint is reachable unauthenticated and runs flow-supplied code.",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "Remediation is upgrading to 1.9.0 or later; redeploy, no host reboot.",
+    "vendor_update_paths": [
+      "Upgrade Langflow to 1.9.0 or later. Do not expose Langflow to untrusted networks; every public flow-build/validate/run endpoint must authenticate and must not run flow-supplied code unsandboxed - the 1.3.0 fix for CVE-2025-3248 did not cover this route."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-AC-3": "Access enforcement is missing on a code-execution endpoint - the flow validate/build path is reachable without authentication (CWE-306).",
+      "NIST-800-53-IA-2": "The LLM app builder does not authenticate callers before reaching a code-execution endpoint.",
+      "NIST-800-53-SI-3": "Malicious-code protection does not treat the app builder's code validate/build endpoint as an attacker-reachable execution channel.",
+      "NIST-800-53-CM-7": "Least-functionality is not enforced: a public endpoint runs flow-supplied / submitted code through a compile-and-run path without sandboxing.",
+      "ISO-27001-2022-A.5.15": "Access control does not gate the LLM app builder's code-execution endpoints.",
+      "ISO-27001-2022-A.8.28": "Secure-coding expectations do not address running externally supplied code through a dynamic-execution sink on a public endpoint.",
+      "NIS2-Art21-identity-management": "Article 21 access-control measures do not reach the LLM app builder's unauthenticated execution endpoints.",
+      "DORA-Art-9": "ICT protection measures do not model an LLM app builder's public code endpoint as an ICT-risk event.",
+      "UK-CAF-B4": "System Security objective has no objective for authenticating and sandboxing LLM app-builder execution endpoints.",
+      "AU-ISM-1546": "Patch-application control does not single out LLM app builders.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework treats a visual LLM app/agent builder's flow validate/build endpoints as privileged execution surfaces that must authenticate and sandbox submitted code."
+    },
+    "atlas_refs": [
+      "AML.T0049"
+    ],
+    "attack_refs": [
+      "T1190",
+      "T1059",
+      "T1059.006"
+    ],
+    "rwep_score": 78,
+    "rwep_factors": {
+      "cisa_kev": 25,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 20,
+      "blast_radius": 28,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Critical (RWEP 78, \"patch within 24 hours\" band per lib/scoring.js timeline). CISA KEV-listed (added 2026-03-25) and actively exploited: cisa_kev=25 + active_exploitation(confirmed)=20 + poc_available=20 + blast_radius=28, minus patch_available 15. The patch credit does not pull it out of the P1 band because real-world exploitation is confirmed. This is the second of two Langflow flow-execution endpoints KEV-listed for the same unauthenticated code-injection class - its sibling CVE-2025-3248 (the /api/v1/validate/code endpoint, KEV 2025-05-05) also scores P1, which is the lesson: the first fix closed one route but not the class.",
+    "epss_score": null,
+    "epss_date": "2026-05-25",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2026-33017",
+    "cwe_refs": [
+      "CWE-94",
+      "CWE-95",
+      "CWE-306"
+    ],
+    "iocs": {
+      "behavioral": [
+        "Unauthenticated POST requests to /api/v1/build_public_tmp/{flow_id}/flow carrying flow definitions with embedded Python / dynamic-evaluation payloads.",
+        "Langflow running flow-supplied Python that performs file, network, or process operations.",
+        "Langflow <= 1.8.2 with the public flow-build endpoint reachable without authentication - the exposed precondition."
+      ],
+      "_ioc_source_note": "Behavioral signatures anchored to the GitHub Security Advisory advisory (https://github.com/advisories/GHSA-vwmf-pq79-vjvx), NVD CVE-2026-33017 (https://nvd.nist.gov/vuln/detail/CVE-2026-33017), the CISA KEV listing, and CWE-94/CWE-95/CWE-306."
+    },
+    "source_verified": "2026-05-25",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2026-33017",
+      "https://github.com/advisories/GHSA-vwmf-pq79-vjvx",
+      "https://nvd.nist.gov/vuln/detail/CVE-2026-33017",
+      "https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "GitHub Security Advisory",
+        "advisory_id": "CVE-2026-33017",
+        "url": "https://github.com/advisories/GHSA-vwmf-pq79-vjvx",
+        "severity": "critical",
+        "published_date": "2026-03-17"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2026-33017",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33017",
+        "severity": "critical",
+        "published_date": "2026-03-17"
+      }
+    ],
+    "last_updated": "2026-05-25",
+    "discovery_attribution_note": "Manually curated from the GitHub Security Advisory advisory (https://github.com/advisories/GHSA-vwmf-pq79-vjvx, CWE-94/CWE-95/CWE-306) + NVD (CVSS v3.1 9.8; GitHub CNA CVSS v4.0 9.3) + the CISA KEV listing (added 2026-03-25). Visual LLM app/agent-builder flaw (Langflow); shares the app-builder execution-endpoint control NEW-CTRL-103.",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Langflow's unauthenticated public flow-build endpoint runs flow-supplied Python through an unsandboxed dynamic-execution sink (CWE-94/CWE-95/CWE-306), giving unauthenticated RCE; CISA KEV (added 2026-03-25, actively exploited), fixed in 1.9.0."
+  },
+  "CVE-2024-24590": {
+    "name": "ClearML Client SDK Artifact Deserialization Remote Code Execution",
+    "type": "RCE",
+    "cvss_score": 8.8,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
+    "cvss_note": "NIST (NVD) CVSS v3.1 base 8.8 (HIGH); HiddenLayer (CNA) rates it 8.0 (HIGH, PR:L). The ClearML client SDK deserializes a stored artifact through an unsafe Python object-deserialization path when a user retrieves it, so a maliciously uploaded artifact runs arbitrary code on the retrieving user's system (CWE-502).",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "HiddenLayer published the analysis and attack chain (a malicious artifact runs code when a victim retrieves it).",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed by HiddenLayer (https://hiddenlayer.com/innovation-hub/not-so-clear-how-mlops-solutions-can-muddy-the-waters-of-your-supply-chain/). The abused surface is a widely used MLOps / experiment-tracking platform (ClearML) - the AI supply-chain layer between data scientists.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; the flaw is in how an MLOps platform handles uploaded experiment artifacts.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "Research disclosure with a documented attack chain; no confirmed in-the-wild exploitation reported as of curation. No fixed SDK version is published in the advisory, so users on the affected range remain exposed when retrieving untrusted artifacts.",
+    "affected": "ClearML client SDK 0.17.0 through 1.14.2.",
+    "affected_versions": [
+      "ClearML (pip) >= 0.17.0, <= 1.14.2"
+    ],
+    "vector": "ClearML is an MLOps / experiment-tracking platform. Its client SDK stores experiment artifacts and reconstructs them on retrieval using an unsafe Python object-deserialization routine. An attacker who can upload an artifact to a project a victim will open embeds a malicious serialized object; when the victim's SDK retrieves and interacts with that artifact, the object's deserialization runs attacker code on the victim's machine (CWE-502). Disclosed by HiddenLayer.",
+    "complexity": "low",
+    "complexity_notes": "NVD AV:N / AC:L / PR:N / UI:R - network-delivered via an uploaded artifact, but requires the victim to retrieve/interact with it (UI:R). HiddenLayer's CNA vector marks PR:L (an account that can upload to the shared project).",
+    "patch_available": false,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "No fixed SDK version is listed in the advisory as of curation; mitigation is retrieving artifacts/datasets only from trusted projects and treating retrieved content as untrusted (see vendor_update_paths).",
+    "vendor_update_paths": [
+      "No fixed ClearML SDK version is listed in the GitHub advisory or NVD as of curation (HiddenLayer states the issues were resolved with the vendor within the disclosure window, but no specific fixed version is published). Only retrieve artifacts/datasets from trusted ClearML projects, run the SDK with least privilege, and treat every retrieved artifact as untrusted until the deployed SDK version is confirmed to refuse unsafe deserialization."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-10": "Input validation is not applied to an uploaded experiment artifact/dataset before the MLOps SDK deserializes it.",
+      "NIST-800-53-CM-7": "Least-functionality is not enforced: the SDK auto-deserializes artifacts through an unsafe routine on retrieval.",
+      "NIST-800-53-SR-3": "Supply-chain controls do not treat MLOps experiment artifacts/datasets as untrusted third-party content delivered between collaborators.",
+      "ISO-27001-2022-A.8.28": "Secure-coding expectations do not address unsafe deserialization of stored artifacts in an MLOps SDK.",
+      "NIS2-Art21-supply-chain": "Supply-chain-security measures do not reach the MLOps platform as a channel that delivers executable artifacts between data scientists.",
+      "DORA-Art-9": "ICT protection measures do not model MLOps-artifact retrieval as an ICT-risk event.",
+      "UK-CAF-B4": "System Security objective has no objective for validating MLOps artifacts/datasets before deserialization or extraction.",
+      "AU-ISM-1546": "Patch-application control does not single out MLOps client SDKs.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework treats an MLOps / experiment-tracking platform's uploaded artifacts and datasets as an untrusted code/file-delivery surface."
+    },
+    "atlas_refs": [
+      "AML.T0010",
+      "AML.T0011",
+      "AML.T0011.000"
+    ],
+    "attack_refs": [
+      "T1204",
+      "T1059",
+      "T1195.002"
+    ],
+    "rwep_score": 42,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 22,
+      "patch_available": 0,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Elevated (RWEP 42, \"patch within 7 days\" band per lib/scoring.js timeline). Not KEV, no confirmed in-the-wild exploitation, and no fixed SDK version published so no patch credit (Hard Rule #3); the UI:R requirement (victim must retrieve the malicious artifact) keeps blast moderate. poc_available=20 + blast_radius=22.",
+    "epss_score": null,
+    "epss_date": "2026-05-25",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2024-24590",
+    "cwe_refs": [
+      "CWE-502"
+    ],
+    "iocs": {
+      "behavioral": [
+        "ClearML artifacts whose stored payload is a serialized object rather than the expected data type (a deserialization-gadget payload).",
+        "The ClearML client SDK spawning shell, network, or file-system child processes immediately after an artifact is retrieved or previewed.",
+        "Uploads to shared ClearML projects from accounts/users that should not be contributing artifacts.",
+        "ClearML (pip) 0.17.0-1.14.2 retrieving artifacts/datasets from projects that accept untrusted uploads - the exposed precondition."
+      ],
+      "_ioc_source_note": "Behavioral signatures anchored to the HiddenLayer disclosure (https://hiddenlayer.com/innovation-hub/not-so-clear-how-mlops-solutions-can-muddy-the-waters-of-your-supply-chain/), the GitHub Security Advisory advisory (https://github.com/advisories/GHSA-cpcw-9h9m-wqw9), and NVD CVE-2024-24590 (CWE-502)."
+    },
+    "source_verified": "2026-05-25",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2024-24590",
+      "https://github.com/advisories/GHSA-cpcw-9h9m-wqw9",
+      "https://hiddenlayer.com/innovation-hub/not-so-clear-how-mlops-solutions-can-muddy-the-waters-of-your-supply-chain/"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "GitHub Security Advisory",
+        "advisory_id": "CVE-2024-24590",
+        "url": "https://github.com/advisories/GHSA-cpcw-9h9m-wqw9",
+        "severity": "high",
+        "published_date": "2024-06-27"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2024-24590",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24590",
+        "severity": "high",
+        "published_date": "2024-06-27"
+      }
+    ],
+    "last_updated": "2026-05-25",
+    "discovery_attribution_note": "Manually curated from the HiddenLayer disclosure (https://hiddenlayer.com/innovation-hub/not-so-clear-how-mlops-solutions-can-muddy-the-waters-of-your-supply-chain/) + the GitHub Security Advisory advisory (https://github.com/advisories/GHSA-cpcw-9h9m-wqw9, CWE-502) + NVD (CVSS v3.1 8.8) / HiddenLayer (CNA 8.0). MLOps / experiment-tracking platform flaw (ClearML); introduces the MLOps-artifact trust-boundary control NEW-CTRL-104.",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "ClearML client SDK reconstructs stored artifacts through unsafe Python object-deserialization on retrieval, so a malicious artifact runs code on the retrieving user (CWE-502); no fixed SDK version is listed in the advisory - treat retrieved artifacts as untrusted."
+  },
+  "CVE-2024-24591": {
+    "name": "ClearML Client SDK Dataset Path Traversal Arbitrary File Write",
+    "type": "Arbitrary File Write",
+    "cvss_score": 8.8,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
+    "cvss_note": "NIST (NVD) CVSS v3.1 base 8.8 (HIGH); HiddenLayer (CNA) rates it 8.0 (HIGH, PR:L). The ClearML client SDK does not constrain dataset entry paths, so a maliciously uploaded dataset writes files to an arbitrary local or remote location on the retrieving user's system (CWE-22 path traversal).",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "HiddenLayer published the analysis and attack chain (a malicious dataset writes to arbitrary paths on retrieval).",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed by HiddenLayer (https://hiddenlayer.com/innovation-hub/not-so-clear-how-mlops-solutions-can-muddy-the-waters-of-your-supply-chain/). The abused surface is a widely used MLOps / experiment-tracking platform (ClearML) - the AI supply-chain layer between data scientists.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; the flaw is in how an MLOps platform handles uploaded experiment artifacts.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "Research disclosure with a documented attack chain; no confirmed in-the-wild exploitation reported as of curation. No fixed SDK version is published in the advisory, so users on the affected range remain exposed when retrieving untrusted artifacts.",
+    "affected": "ClearML client SDK 1.4.0 through 1.14.1.",
+    "affected_versions": [
+      "ClearML (pip) >= 1.4.0, <= 1.14.1"
+    ],
+    "vector": "When the ClearML client SDK retrieves a dataset, it writes the dataset's entries to disk without constraining their paths. A maliciously uploaded dataset whose entries use absolute or ../ traversal paths therefore writes files to arbitrary locations on the retrieving user's system (CWE-22) - which, by overwriting startup or configuration files, can escalate to code execution. Disclosed by HiddenLayer.",
+    "complexity": "low",
+    "complexity_notes": "NVD AV:N / AC:L / PR:N / UI:R - network-delivered via an uploaded artifact, but requires the victim to retrieve/interact with it (UI:R). HiddenLayer's CNA vector marks PR:L (an account that can upload to the shared project).",
+    "patch_available": false,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "No fixed SDK version is listed in the advisory as of curation; mitigation is retrieving artifacts/datasets only from trusted projects and treating retrieved content as untrusted (see vendor_update_paths).",
+    "vendor_update_paths": [
+      "No fixed ClearML SDK version is listed in the GitHub advisory or NVD as of curation. Only retrieve datasets from trusted ClearML projects, run the SDK as a least-privilege user, and treat dataset extraction paths as untrusted (reject absolute / ../ traversal entries) until the deployed SDK version is confirmed to contain extraction."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-10": "Input validation is not applied to an uploaded experiment artifact/dataset before the MLOps SDK extracts it.",
+      "NIST-800-53-CM-7": "Least-functionality is not enforced: the SDK writes dataset entries without path containment on retrieval.",
+      "NIST-800-53-SR-3": "Supply-chain controls do not treat MLOps experiment artifacts/datasets as untrusted third-party content delivered between collaborators.",
+      "ISO-27001-2022-A.8.28": "Secure-coding expectations do not address uncontained extraction of dataset entries in an MLOps SDK.",
+      "NIS2-Art21-supply-chain": "Supply-chain-security measures do not reach the MLOps platform as a channel that delivers executable artifacts between data scientists.",
+      "DORA-Art-9": "ICT protection measures do not model MLOps-artifact retrieval as an ICT-risk event.",
+      "UK-CAF-B4": "System Security objective has no objective for validating MLOps artifacts/datasets before deserialization or extraction.",
+      "AU-ISM-1546": "Patch-application control does not single out MLOps client SDKs.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework treats an MLOps / experiment-tracking platform's uploaded artifacts and datasets as an untrusted code/file-delivery surface."
+    },
+    "atlas_refs": [
+      "AML.T0010",
+      "AML.T0049"
+    ],
+    "attack_refs": [
+      "T1204",
+      "T1083",
+      "T1565.001"
+    ],
+    "rwep_score": 38,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 18,
+      "patch_available": 0,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Standard (RWEP 38, \"patch within 30 days\" band per lib/scoring.js timeline). Not KEV, no confirmed in-the-wild exploitation, and no fixed SDK version published so no patch credit (Hard Rule #3); the UI:R requirement (victim must retrieve the malicious artifact) keeps blast moderate. poc_available=20 + blast_radius=18.",
+    "epss_score": null,
+    "epss_date": "2026-05-25",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2024-24591",
+    "cwe_refs": [
+      "CWE-22"
+    ],
+    "iocs": {
+      "behavioral": [
+        "ClearML datasets whose entries contain absolute paths or ../ traversal sequences.",
+        "Files written by the ClearML client SDK outside the intended dataset cache/extraction directory during a dataset get.",
+        "Unexpected modification of startup, configuration, or credential files following a ClearML dataset retrieval.",
+        "ClearML (pip) 1.4.0-1.14.1 retrieving artifacts/datasets from projects that accept untrusted uploads - the exposed precondition."
+      ],
+      "_ioc_source_note": "Behavioral signatures anchored to the HiddenLayer disclosure (https://hiddenlayer.com/innovation-hub/not-so-clear-how-mlops-solutions-can-muddy-the-waters-of-your-supply-chain/), the GitHub Security Advisory advisory (https://github.com/advisories/GHSA-m95h-p4gg-wfw3), and NVD CVE-2024-24591 (CWE-22)."
+    },
+    "source_verified": "2026-05-25",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2024-24591",
+      "https://github.com/advisories/GHSA-m95h-p4gg-wfw3",
+      "https://hiddenlayer.com/innovation-hub/not-so-clear-how-mlops-solutions-can-muddy-the-waters-of-your-supply-chain/"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "GitHub Security Advisory",
+        "advisory_id": "CVE-2024-24591",
+        "url": "https://github.com/advisories/GHSA-m95h-p4gg-wfw3",
+        "severity": "high",
+        "published_date": "2024-06-27"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2024-24591",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24591",
+        "severity": "high",
+        "published_date": "2024-06-27"
+      }
+    ],
+    "last_updated": "2026-05-25",
+    "discovery_attribution_note": "Manually curated from the HiddenLayer disclosure (https://hiddenlayer.com/innovation-hub/not-so-clear-how-mlops-solutions-can-muddy-the-waters-of-your-supply-chain/) + the GitHub Security Advisory advisory (https://github.com/advisories/GHSA-m95h-p4gg-wfw3, CWE-22) + NVD (CVSS v3.1 8.8) / HiddenLayer (CNA 8.0). MLOps / experiment-tracking platform flaw (ClearML); introduces the MLOps-artifact trust-boundary control NEW-CTRL-104.",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "ClearML client SDK writes dataset entries without path containment, so a malicious dataset writes files to arbitrary paths on the retrieving user (CWE-22 path traversal); no fixed SDK version is listed in the advisory - retrieve datasets only from trusted projects."
+  },
   "CVE-2026-41091": {
     "name": "Microsoft Defender (Malware Protection Engine) Link-Following LPE to SYSTEM",
     "type": "LPE",

package/data/cwe-catalog.json

@@ -101,6 +101,7 @@
       "CVE-2024-13059",
       "CVE-2024-1561",
       "CVE-2024-1708",
+      "CVE-2024-24591",
       "CVE-2024-37032",
       "CVE-2024-39722",
       "CVE-2024-57728",
@@ -391,6 +392,7 @@
       "CVE-2025-11837",
       "CVE-2025-1550",
       "CVE-2025-32432",
+      "CVE-2025-3248",
       "CVE-2025-33236",
       "CVE-2025-37164",
       "CVE-2025-43200",
@@ -750,6 +752,7 @@
     "evidence_cves": [
       "CVE-2020-24363",
       "CVE-2025-32433",
+      "CVE-2025-3248",
       "CVE-2025-4008",
       "CVE-2025-49596",
       "CVE-2025-61757",
@@ -1333,6 +1336,7 @@
       "CVE-2024-11392",
       "CVE-2024-11393",
       "CVE-2024-11394",
+      "CVE-2024-24590",
       "CVE-2024-50050",
       "CVE-2024-8069",
       "CVE-2025-10035",