@blamejs/exceptd-skills 0.13.102 → 0.13.104

package/data/framework-control-gaps.json

@@ -50,6 +50,8 @@
       "CVE-2024-1561",
       "CVE-2024-21575",
       "CVE-2024-21576",
+      "CVE-2024-24590",
+      "CVE-2024-24591",
       "CVE-2024-27132",
       "CVE-2024-37032",
       "CVE-2024-39722",
@@ -67,6 +69,7 @@
       "CVE-2025-30202",
       "CVE-2025-32434",
       "CVE-2025-32444",
+      "CVE-2025-3248",
       "CVE-2025-33236",
       "CVE-2025-34291",
       "CVE-2025-49596",
@@ -90,6 +93,7 @@
       "CVE-2026-30617",
       "CVE-2026-30624",
       "CVE-2026-30625",
+      "CVE-2026-33017",
       "CVE-2026-34159",
       "CVE-2026-40933",
       "CVE-2026-45829"
@@ -1264,11 +1268,15 @@
     "evidence_cves": [
       "CVE-2023-43472",
       "CVE-2024-12366",
+      "CVE-2024-24590",
+      "CVE-2024-24591",
       "CVE-2024-5565",
       "CVE-2025-0133",
       "CVE-2025-1094",
+      "CVE-2025-3248",
       "CVE-2025-6965",
-      "CVE-2026-30623"
+      "CVE-2026-30623",
+      "CVE-2026-33017"
     ],
     "atlas_refs": [
       "AML.T0051",
@@ -1637,7 +1645,6 @@
       "CVE-2026-31431",
       "CVE-2026-31635",
       "CVE-2026-32201",
-      "CVE-2026-33017",
       "CVE-2026-33634",
       "CVE-2026-34159",
       "CVE-2026-34197",
@@ -2095,11 +2102,15 @@
     "evidence_cves": [
       "BUG-2026-NIGHTMARE-ECLIPSE-GREENPLASMA",
       "CVE-2024-12366",
+      "CVE-2024-24590",
+      "CVE-2024-24591",
       "CVE-2024-3154",
       "CVE-2024-5565",
+      "CVE-2025-3248",
       "CVE-2025-49844",
       "CVE-2025-53773",
-      "CVE-2026-30615"
+      "CVE-2026-30615",
+      "CVE-2026-33017"
     ],
     "atlas_refs": [
       "AML.T0010"
@@ -2325,6 +2336,8 @@
       "CVE-2024-12366",
       "CVE-2024-13059",
       "CVE-2024-21513",
+      "CVE-2024-24590",
+      "CVE-2024-24591",
       "CVE-2024-27132",
       "CVE-2024-37032",
       "CVE-2024-39722",
@@ -2730,7 +2743,6 @@
       "CVE-2026-31635",
       "CVE-2026-32201",
       "CVE-2026-32202",
-      "CVE-2026-33017",
       "CVE-2026-33634",
       "CVE-2026-33825",
       "CVE-2026-34159",
@@ -2789,8 +2801,10 @@
       "CVE-2024-12366",
       "CVE-2024-5565",
       "CVE-2025-11837",
+      "CVE-2025-3248",
       "CVE-2026-22778",
       "CVE-2026-32202",
+      "CVE-2026-33017",
       "CVE-2026-33825"
     ],
     "atlas_refs": [
@@ -2824,6 +2838,8 @@
     "status": "open",
     "opened_date": "2026-05-17",
     "evidence_cves": [
+      "CVE-2024-24590",
+      "CVE-2024-24591",
       "CVE-2024-3094",
       "MAL-2026-SHAI-HULUD-OSS"
     ],
@@ -5026,6 +5042,8 @@
       "CVE-2024-21575",
       "CVE-2024-21576",
       "CVE-2024-21762",
+      "CVE-2024-24590",
+      "CVE-2024-24591",
       "CVE-2024-27132",
       "CVE-2024-37032",
       "CVE-2024-39722",
@@ -5043,6 +5061,7 @@
       "CVE-2025-30202",
       "CVE-2025-32434",
       "CVE-2025-32444",
+      "CVE-2025-3248",
       "CVE-2025-33236",
       "CVE-2025-34291",
       "CVE-2025-49596",
@@ -5069,6 +5088,7 @@
       "CVE-2026-30617",
       "CVE-2026-30624",
       "CVE-2026-30625",
+      "CVE-2026-33017",
       "CVE-2026-34159",
       "CVE-2026-34926",
       "CVE-2026-40933",
@@ -5114,6 +5134,8 @@
     "opened_date": "2026-05-15",
     "evidence_cves": [
       "CVE-2024-1709",
+      "CVE-2025-3248",
+      "CVE-2026-33017",
       "CVE-2026-39987",
       "CVE-2026-7482"
     ],
@@ -5363,7 +5385,6 @@
       "CVE-2026-24858",
       "CVE-2026-25108",
       "CVE-2026-32201",
-      "CVE-2026-33017",
       "CVE-2026-33634",
       "CVE-2026-33825",
       "CVE-2026-34197",
@@ -5406,6 +5427,8 @@
     "status": "open",
     "opened_date": "2026-05-15",
     "evidence_cves": [
+      "CVE-2025-3248",
+      "CVE-2026-33017",
       "CVE-2026-6973"
     ],
     "atlas_refs": [],
@@ -5579,6 +5602,8 @@
       "CVE-2024-21575",
       "CVE-2024-21576",
       "CVE-2024-21762",
+      "CVE-2024-24590",
+      "CVE-2024-24591",
       "CVE-2024-27132",
       "CVE-2024-37032",
       "CVE-2024-39722",
@@ -5594,6 +5619,7 @@
       "CVE-2025-30202",
       "CVE-2025-32434",
       "CVE-2025-32444",
+      "CVE-2025-3248",
       "CVE-2025-33236",
       "CVE-2025-34291",
       "CVE-2025-49596",
@@ -5614,6 +5640,7 @@
       "CVE-2026-30617",
       "CVE-2026-30624",
       "CVE-2026-30625",
+      "CVE-2026-33017",
       "CVE-2026-34159",
       "CVE-2026-34926",
       "CVE-2026-40933",
@@ -5673,6 +5700,8 @@
       "CVE-2024-21575",
       "CVE-2024-21576",
       "CVE-2024-21762",
+      "CVE-2024-24590",
+      "CVE-2024-24591",
       "CVE-2024-27132",
       "CVE-2024-37032",
       "CVE-2024-39722",
@@ -5690,6 +5719,7 @@
       "CVE-2025-30202",
       "CVE-2025-32434",
       "CVE-2025-32444",
+      "CVE-2025-3248",
       "CVE-2025-33236",
       "CVE-2025-34291",
       "CVE-2025-49596",
@@ -5714,6 +5744,7 @@
       "CVE-2026-30617",
       "CVE-2026-30624",
       "CVE-2026-30625",
+      "CVE-2026-33017",
       "CVE-2026-34159",
       "CVE-2026-34926",
       "CVE-2026-40933",
@@ -5788,6 +5819,8 @@
     "status": "open",
     "opened_date": "2026-05-17",
     "evidence_cves": [
+      "CVE-2024-24590",
+      "CVE-2024-24591",
       "CVE-2024-3154",
       "MAL-2026-NODE-IPC-STEALER",
       "MAL-2026-RUBYGEMS-BUFFERZONECORP-SLEEPER",
@@ -5926,9 +5959,11 @@
     "evidence_cves": [
       "CVE-2020-10148",
       "CVE-2023-48022",
+      "CVE-2025-3248",
       "CVE-2025-55241",
       "CVE-2026-24206",
-      "CVE-2026-24207"
+      "CVE-2026-24207",
+      "CVE-2026-33017"
     ],
     "atlas_refs": [],
     "attack_refs": [
@@ -6001,12 +6036,14 @@
       "CVE-2024-1709",
       "CVE-2024-4889",
       "CVE-2024-6587",
+      "CVE-2025-3248",
       "CVE-2025-64513",
       "CVE-2025-67818",
       "CVE-2026-20182",
       "CVE-2026-24206",
       "CVE-2026-24207",
       "CVE-2026-26190",
+      "CVE-2026-33017",
       "CVE-2026-45829"
     ],
     "atlas_refs": [],

package/data/zeroday-lessons.json

@@ -4311,6 +4311,206 @@
     "_auto_imported": false,
     "_intake_method": "manual-verified-curation"
   },
+  "CVE-2025-3248": {
+    "name": "Langflow /api/v1/validate/code Unauthenticated Code Injection (CISA KEV)",
+    "lesson_date": "2026-05-25",
+    "attack_vector": {
+      "description": "Langflow before 1.3.0 runs attacker-supplied Python submitted to the unauthenticated /api/v1/validate/code endpoint, so a single crafted request gives remote code execution; CISA KEV-listed (actively exploited).",
+      "privileges_required": "none (unauthenticated, single request)",
+      "complexity": "low",
+      "ai_factor": "The abused surface is a widely deployed visual LLM app/agent builder. The lesson: an LLM app builder's flow endpoints are code-execution surfaces, so every one must authenticate and sandbox - and the fix must cover the whole class of endpoints, not the single route that was reported (the Langflow pattern recurred on a new endpoint after the first KEV-listed fix)."
+    },
+    "framework_coverage": {
+      "NIST-800-53-AC-3": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Access enforcement is absent on a code-execution endpoint - the validate-code path is reachable without authentication."
+      },
+      "NIST-800-53-SI-3": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Malicious-code protection does not treat the LLM app builder's validate-code endpoint as an attacker-reachable execution channel."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework treats a visual LLM app builder's code endpoints as privileged execution surfaces that must authenticate and sandbox."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 88,
+      "basis": "LLM app builders are stood up for rapid prototyping on trusted-network assumptions and exposed without authentication; their flow endpoints are not treated as code-execution surfaces.",
+      "theater_pattern": "ai_app_builder_unauth_exec"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-103",
+        "name": "AI-APP-BUILDER-EXECUTION-ENDPOINT-AUTH-AND-SANDBOX",
+        "description": "A visual LLM app/agent builder (Langflow, Flowise, and similar) must authenticate every endpoint that can reach a code-execution path - validate-code, flow-build, flow-run, public-flow endpoints - and must never run flow-supplied or request-supplied code through a compile-and-run / dynamic-evaluation path with host privileges. Place the builder behind authenticated access control, never expose it to untrusted networks, and sandbox any code the platform executes on a user's behalf (no filesystem/network/process access beyond the flow's intent). The distinguishing test: send an unauthenticated request to each flow validate/build/run endpoint on a staging instance with a payload that attempts a non-flow action (a shell or network call) and confirm it is refused before any code runs - paper 'AI platform' policies that leave a public endpoint wired to a code-execution sink still permit unauthenticated RCE.",
+        "evidence": "https://www.vulncheck.com/blog/langflow-rce",
+        "gap_closes": [
+          "NIST-800-53-AC-3",
+          "NIST-800-53-SI-3",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
+  "CVE-2024-24590": {
+    "name": "ClearML Client SDK Artifact Deserialization Remote Code Execution",
+    "lesson_date": "2026-05-25",
+    "attack_vector": {
+      "description": "ClearML's client SDK reconstructs stored experiment artifacts through an unsafe object-deserialization routine on retrieval, so a maliciously uploaded artifact runs arbitrary code on the retrieving user's system.",
+      "privileges_required": "low-to-none (upload access to a shared project; victim must retrieve the artifact - UI:R)",
+      "complexity": "low",
+      "ai_factor": "The abused surface is the MLOps / experiment-tracking layer that moves artifacts and datasets between data scientists. The lesson: an MLOps platform is a supply-chain channel - uploaded artifacts are untrusted code/file payloads and must never be auto-deserialized or extracted without containment."
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-10": {
+        "covered": true,
+        "adequate": false,
+        "gap": "No input validation is applied to an uploaded artifact before the MLOps SDK deserializes it."
+      },
+      "NIST-800-53-SR-3": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Supply-chain controls do not treat MLOps experiment artifacts as untrusted third-party content moving between collaborators."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework treats an MLOps platform's uploaded artifacts as an untrusted code-delivery surface."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 80,
+      "basis": "MLOps platforms are deployed for collaboration on trusted-team assumptions; their artifact/dataset retrieval paths are not treated as untrusted-content boundaries.",
+      "theater_pattern": "mlops_artifact_trust"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-104",
+        "name": "MLOPS-EXPERIMENT-ARTIFACT-TRUST-BOUNDARY",
+        "description": "An MLOps / experiment-tracking platform (ClearML, and the class: Weights & Biases, MLflow artifact stores, model registries) must treat every uploaded artifact and dataset as untrusted third-party content, because these platforms move artifacts between collaborators automatically. On retrieval the client SDK must NOT reconstruct artifacts through an unsafe object-deserialization routine (use a safe loader / explicit schema, or sandbox the deserialization), and must constrain dataset extraction to a contained directory (reject absolute and ../ traversal entries). Run the SDK least-privilege and only pull from trusted projects. The distinguishing test: upload an artifact carrying a deserialization-gadget payload and a dataset with a ../ entry to a staging project, retrieve them from a separate client, and confirm neither runs code nor writes outside the cache directory - a 'secured MLOps' posture that still auto-deserializes or extracts uploaded content without containment is exposed.",
+        "evidence": "https://hiddenlayer.com/innovation-hub/not-so-clear-how-mlops-solutions-can-muddy-the-waters-of-your-supply-chain/",
+        "gap_closes": [
+          "NIST-800-53-SI-10",
+          "NIST-800-53-CM-7",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
+  "CVE-2024-24591": {
+    "name": "ClearML Client SDK Dataset Path Traversal Arbitrary File Write",
+    "lesson_date": "2026-05-25",
+    "attack_vector": {
+      "description": "ClearML's client SDK writes dataset entries without path containment on retrieval, so a maliciously uploaded dataset with absolute / ../ entries writes files to arbitrary locations on the retrieving user's system (escalating to code execution by overwriting startup/config files).",
+      "privileges_required": "low-to-none (upload access to a shared project; victim must retrieve the artifact - UI:R)",
+      "complexity": "low",
+      "ai_factor": "The abused surface is the MLOps / experiment-tracking layer that moves artifacts and datasets between data scientists. The lesson: an MLOps platform is a supply-chain channel - uploaded artifacts are untrusted code/file payloads and must never be auto-deserialized or extracted without containment."
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-10": {
+        "covered": true,
+        "adequate": false,
+        "gap": "No path validation is applied to dataset entries before the MLOps SDK extracts them."
+      },
+      "NIST-800-53-CM-7": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Least-functionality is not enforced: dataset extraction writes entries without containing them to the cache directory."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework treats an MLOps platform's uploaded datasets as an untrusted file-write surface."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 78,
+      "basis": "MLOps platforms are deployed for collaboration on trusted-team assumptions; their artifact/dataset retrieval paths are not treated as untrusted-content boundaries.",
+      "theater_pattern": "mlops_artifact_trust"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-104",
+        "name": "MLOPS-EXPERIMENT-ARTIFACT-TRUST-BOUNDARY",
+        "description": "An MLOps / experiment-tracking platform (ClearML, and the class: Weights & Biases, MLflow artifact stores, model registries) must treat every uploaded artifact and dataset as untrusted third-party content, because these platforms move artifacts between collaborators automatically. On retrieval the client SDK must NOT reconstruct artifacts through an unsafe object-deserialization routine (use a safe loader / explicit schema, or sandbox the deserialization), and must constrain dataset extraction to a contained directory (reject absolute and ../ traversal entries). Run the SDK least-privilege and only pull from trusted projects. The distinguishing test: upload an artifact carrying a deserialization-gadget payload and a dataset with a ../ entry to a staging project, retrieve them from a separate client, and confirm neither runs code nor writes outside the cache directory - a 'secured MLOps' posture that still auto-deserializes or extracts uploaded content without containment is exposed.",
+        "evidence": "https://hiddenlayer.com/innovation-hub/not-so-clear-how-mlops-solutions-can-muddy-the-waters-of-your-supply-chain/",
+        "gap_closes": [
+          "NIST-800-53-SI-10",
+          "NIST-800-53-CM-7",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
+  "CVE-2026-33017": {
+    "name": "Langflow Public Flow-Build Endpoint Unauthenticated Remote Code Execution",
+    "lesson_date": "2026-05-25",
+    "attack_vector": {
+      "description": "After the CVE-2025-3248 fix, Langflow's public flow execution surface remained exploitable: the unauthenticated /api/v1/build_public_tmp/{flow_id}/flow endpoint runs flow-supplied Python through an unsandboxed dynamic-execution sink, giving remote code execution again; fixed in 1.9.0.",
+      "privileges_required": "none (unauthenticated public endpoint)",
+      "complexity": "low",
+      "ai_factor": "The abused surface is a widely deployed visual LLM app/agent builder. The lesson: an LLM app builder's flow endpoints are code-execution surfaces, so every one must authenticate and sandbox - and the fix must cover the whole class of endpoints, not the single route that was reported (the Langflow pattern recurred on a new endpoint after the first KEV-listed fix)."
+    },
+    "framework_coverage": {
+      "NIST-800-53-AC-3": {
+        "covered": true,
+        "adequate": false,
+        "gap": "A second public flow endpoint reaches a code-execution sink without authentication - the access-control gap recurred on a new route after the first fix."
+      },
+      "NIST-800-53-CM-7": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Least-functionality is not enforced: a public endpoint runs flow-supplied code through a dynamic-execution sink without sandboxing."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework requires enumerating EVERY flow validate/build/run endpoint of an LLM app builder as an execution surface - so the same class recurred on a new endpoint."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 86,
+      "basis": "LLM app builders are stood up for rapid prototyping on trusted-network assumptions and exposed without authentication; their flow endpoints are not treated as code-execution surfaces.",
+      "theater_pattern": "ai_app_builder_unauth_exec"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-103",
+        "name": "AI-APP-BUILDER-EXECUTION-ENDPOINT-AUTH-AND-SANDBOX",
+        "description": "A visual LLM app/agent builder (Langflow, Flowise, and similar) must authenticate every endpoint that can reach a code-execution path - validate-code, flow-build, flow-run, public-flow endpoints - and must never run flow-supplied or request-supplied code through a compile-and-run / dynamic-evaluation path with host privileges. Place the builder behind authenticated access control, never expose it to untrusted networks, and sandbox any code the platform executes on a user's behalf (no filesystem/network/process access beyond the flow's intent). The distinguishing test: send an unauthenticated request to each flow validate/build/run endpoint on a staging instance with a payload that attempts a non-flow action (a shell or network call) and confirm it is refused before any code runs - paper 'AI platform' policies that leave a public endpoint wired to a code-execution sink still permit unauthenticated RCE.",
+        "evidence": "https://github.com/advisories/GHSA-vwmf-pq79-vjvx",
+        "gap_closes": [
+          "NIST-800-53-AC-3",
+          "NIST-800-53-SI-3",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
   "CVE-2024-12366": {
     "name": "PandasAI Prompt Injection to Remote Code Execution",
     "lesson_date": "2026-05-25",
@@ -6601,38 +6801,6 @@
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import"
   },
-  "CVE-2026-33017": {
-    "name": "Langflow Code Injection Vulnerability",
-    "lesson_date": "2026-05-18",
-    "attack_vector": {
-      "description": "Langflow contains a code injection vulnerability that could allow building public flows without requiring authentication.",
-      "privileges_required": "network attacker (no authentication required)",
-      "complexity": "moderate (bulk-import default)",
-      "ai_factor": "Bulk-imported — AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
-    },
-    "framework_coverage": {
-      "NIST-800-53-SI-2": {
-        "covered": true,
-        "adequate": false,
-        "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
-      },
-      "ISO-27001-2022-A.8.8": {
-        "covered": true,
-        "adequate": false,
-        "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
-      }
-    },
-    "compliance_exposure_score": {
-      "percent_audit_passing_orgs_still_exposed": 55,
-      "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
-      "theater_pattern": "patch_management"
-    },
-    "ai_discovered_zeroday": false,
-    "ai_discovery_source": "unknown",
-    "ai_assist_factor": "none",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import"
-  },
   "CVE-2026-25592": {
     "name": "Microsoft Semantic Kernel SessionsPythonPlugin Path Traversal — Prompt-Injection to Host RCE",
     "lesson_date": "2026-05-25",