@blamejs/exceptd-skills 0.13.105 → 0.13.106

package/data/atlas-ttps.json

@@ -1744,12 +1744,14 @@
       "CVE-2024-21576",
       "CVE-2024-24591",
       "CVE-2024-27132",
+      "CVE-2024-2912",
       "CVE-2024-37032",
       "CVE-2024-39722",
       "CVE-2024-42478",
       "CVE-2024-42479",
       "CVE-2024-4889",
       "CVE-2024-6587",
+      "CVE-2025-27520",
       "CVE-2025-30202",
       "CVE-2025-32444",
       "CVE-2025-3248",

package/data/attack-techniques.json

@@ -288,6 +288,7 @@
       "CVE-2024-21575",
       "CVE-2024-21576",
       "CVE-2024-24590",
+      "CVE-2024-2912",
       "CVE-2024-37032",
       "CVE-2024-42479",
       "CVE-2024-4889",
@@ -298,6 +299,7 @@
       "CVE-2025-1550",
       "CVE-2025-1753",
       "CVE-2025-23254",
+      "CVE-2025-27520",
       "CVE-2025-30165",
       "CVE-2025-32434",
       "CVE-2025-32444",
@@ -887,6 +889,7 @@
       "CVE-2024-21575",
       "CVE-2024-21576",
       "CVE-2024-21762",
+      "CVE-2024-2912",
       "CVE-2024-37032",
       "CVE-2024-37079",
       "CVE-2024-39722",
@@ -923,6 +926,7 @@
       "CVE-2025-24893",
       "CVE-2025-25257",
       "CVE-2025-26399",
+      "CVE-2025-27520",
       "CVE-2025-2775",
       "CVE-2025-2776",
       "CVE-2025-29635",

package/data/cve-catalog.json

@@ -16464,6 +16464,214 @@
     "_intake_method": "manual-verified-curation",
     "_kev_short_description": "H2O-3's REST API import path performs no authorization, letting an unauthenticated attacker read arbitrary host files (CWE-862 LFI); no fixed version published - H2O-3 is designed for a trusted environment, so isolate it."
   },
+  "CVE-2024-2912": {
+    "name": "BentoML Insecure Deserialization Unauthenticated Remote Code Execution",
+    "type": "RCE",
+    "cvss_score": 10,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
+    "cvss_note": "huntr.dev (CNA) CVSS v3.1 base 10.0 (CRITICAL, scope-changed); NVD has not published its own assessed score. BentoML deserializes an attacker-supplied serialized object delivered to a valid serving endpoint without validation, so an unauthenticated attacker runs arbitrary code on the model server (insecure deserialization, CWE-1188 insecure-default initialization of the deserialization path).",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "Documented in the disclosing advisory (https://huntr.com/bounties/349a1cce-6bb5-4345-82a5-bf7041b65a68): an unauthenticated request carrying a malicious serialized object to a BentoML serving endpoint runs code on the server.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed via huntr.dev / Protect AI (https://github.com/advisories/GHSA-hvj5-mvw9-93j3). The abused surface is BentoML, a widely used model-serving / inference framework.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; the flaw is unsafe deserialization in a model-serving framework's request path.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "Advisory disclosure with a coordinated fix and a documented attack; no confirmed in-the-wild exploitation reported as of curation.",
+    "affected": "BentoML before 1.2.5.",
+    "affected_versions": [
+      "BentoML < 1.2.5"
+    ],
+    "vector": "BentoML is a framework for packaging and serving ML models behind an HTTP API. Before 1.2.5 it deserializes an attacker-supplied serialized object delivered to a valid serving endpoint without validating it, so an unauthenticated attacker who can reach the serving API runs arbitrary code on the model server. Disclosed via huntr.dev / Protect AI. Fixed in 1.2.5.",
+    "complexity": "low",
+    "complexity_notes": "huntr.dev AV:N / AC:L / PR:N / UI:N - network-reachable, unauthenticated; a single crafted request to the serving endpoint suffices.",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "Remediation is upgrading to 1.2.5 or later; redeploy, no host reboot.",
+    "vendor_update_paths": [
+      "Upgrade BentoML to 1.2.5 or later. Do not expose the BentoML serving API to untrusted networks, and never deserialize untrusted request data in the serving path (validate/whitelist payload types, use a safe serialization format)."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-10": "Input validation is not applied to a serialized object before the model-serving framework deserializes it from a request.",
+      "NIST-800-53-SI-3": "Malicious-code protection does not treat the model-serving framework's deserialization path as an attacker-reachable execution channel.",
+      "NIST-800-53-CM-7": "Least-functionality is not enforced: the serving endpoint accepts and reconstructs arbitrary serialized objects.",
+      "NIST-800-53-IA-2": "The model-serving API does not authenticate callers before reaching a deserialization sink.",
+      "ISO-27001-2022-A.8.28": "Secure-coding expectations do not address unsafe deserialization of request data in a model-serving framework.",
+      "NIS2-Art21-vulnerability-management": "Vulnerability-management measures do not enumerate model-serving frameworks' deserialization paths as unauthenticated RCE surfaces.",
+      "DORA-Art-9": "ICT protection measures do not model model-serving deserialization RCE as an ICT-risk event.",
+      "UK-CAF-B4": "System Security objective has no objective for safe deserialization in model-serving frameworks.",
+      "AU-ISM-1546": "Patch-application control does not single out model-serving frameworks.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework treats a model-serving framework's request-deserialization path as a privileged execution surface that must never reconstruct untrusted serialized objects."
+    },
+    "atlas_refs": [
+      "AML.T0049"
+    ],
+    "attack_refs": [
+      "T1190",
+      "T1059"
+    ],
+    "rwep_score": 33,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 28,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Moderate (RWEP 33, \"patch within 30 days\" band per lib/scoring.js timeline). Not KEV, no confirmed in-the-wild exploitation, patched at disclosure (Hard Rule #3): poc_available=20 + blast_radius=28, minus patch_available 15. This is the first of two BentoML unauthenticated insecure-deserialization RCEs (CVE-2025-27520 fixed in 1.4.3) - the same class recurred, so the control is to never deserialize untrusted request data in the serving path.",
+    "epss_score": null,
+    "epss_date": "2026-05-25",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2024-2912",
+    "cwe_refs": [
+      "CWE-1188"
+    ],
+    "iocs": {
+      "behavioral": [
+        "Unauthenticated requests to a BentoML serving endpoint carrying a serialized-object payload (a deserialization-gadget body) rather than expected inference input.",
+        "The BentoML server process spawning shell, network, or file-system child processes from the request-deserialization path.",
+        "BentoML < 1.2.5 serving API reachable on an untrusted network - the exposed precondition."
+      ],
+      "_ioc_source_note": "Behavioral signatures anchored to the disclosing advisory (https://github.com/advisories/GHSA-hvj5-mvw9-93j3) / huntr.dev bounty (https://huntr.com/bounties/349a1cce-6bb5-4345-82a5-bf7041b65a68) and NVD CVE-2024-2912 (CWE-1188)."
+    },
+    "source_verified": "2026-05-25",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2024-2912",
+      "https://github.com/advisories/GHSA-hvj5-mvw9-93j3"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "GitHub Security Advisory",
+        "advisory_id": "CVE-2024-2912",
+        "url": "https://github.com/advisories/GHSA-hvj5-mvw9-93j3",
+        "severity": "critical",
+        "published_date": "2024-04-16"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2024-2912",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2912",
+        "severity": "critical",
+        "published_date": "2024-04-16"
+      }
+    ],
+    "last_updated": "2026-05-25",
+    "discovery_attribution_note": "Manually curated from the huntr.dev bounty (https://huntr.com/bounties/349a1cce-6bb5-4345-82a5-bf7041b65a68) + the GitHub Security Advisory (https://github.com/advisories/GHSA-hvj5-mvw9-93j3, CWE-1188) + huntr.dev (CNA, CVSS v3.1 10.0); NVD has not published its own score. Model-serving framework flaw (BentoML); reuses the inference/serving deserialization-safety control NEW-CTRL-086 (shared with the ShadowMQ / vLLM inference-deserialization entries).",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "BentoML deserializes an attacker-supplied serialized object on a valid serving endpoint without validation, giving unauthenticated RCE (CWE-1188); fixed in 1.2.5."
+  },
+  "CVE-2025-27520": {
+    "name": "BentoML serde.py Insecure Deserialization Unauthenticated Remote Code Execution",
+    "type": "RCE",
+    "cvss_score": 9.8,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+    "cvss_note": "GitHub (CNA) CVSS v3.1 base 9.8 (CRITICAL); NVD has not published its own assessed score. The deserialization routine in BentoML's serde.py reconstructs an attacker-supplied serialized object from a request without validation, so any unauthenticated user runs arbitrary code on the server (CWE-502 deserialization of untrusted data).",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "Documented in the disclosing advisory (https://github.com/advisories/GHSA-33xw-247w-6hmc): an unauthenticated request carrying a malicious serialized object to a BentoML serving endpoint runs code on the server.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed via the GitHub Security Advisory (https://github.com/advisories/GHSA-33xw-247w-6hmc). The abused surface is BentoML, a widely used model-serving / inference framework.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; the flaw is unsafe deserialization in a model-serving framework's request path.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "Advisory disclosure with a coordinated fix and a documented attack; no confirmed in-the-wild exploitation reported as of curation.",
+    "affected": "BentoML 1.3.4 through 1.4.2.",
+    "affected_versions": [
+      "BentoML >= 1.3.4, <= 1.4.2"
+    ],
+    "vector": "BentoML is a framework for packaging and serving ML models behind an HTTP API. In 1.3.4 through 1.4.2 the deserialization routine in serde.py reconstructs an attacker-supplied serialized object from a request without validation, so an unauthenticated attacker who can reach the serving API runs arbitrary code on the model server. This is the same insecure-deserialization class that CVE-2024-2912 fixed in 1.2.5, recurring on the serde.py path. Fixed in 1.4.3.",
+    "complexity": "low",
+    "complexity_notes": "GitHub CNA AV:N / AC:L / PR:N / UI:N - network-reachable, unauthenticated; a single crafted request to the serving endpoint suffices.",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "Remediation is upgrading to 1.4.3 or later; redeploy, no host reboot.",
+    "vendor_update_paths": [
+      "Upgrade BentoML to 1.4.3 or later. Do not expose the BentoML serving API to untrusted networks, and never deserialize untrusted request data in the serving path (validate/whitelist payload types, use a safe serialization format)."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-10": "Input validation is not applied to a serialized object before the model-serving framework deserializes it from a request.",
+      "NIST-800-53-SI-3": "Malicious-code protection does not treat the model-serving framework's deserialization path as an attacker-reachable execution channel.",
+      "NIST-800-53-CM-7": "Least-functionality is not enforced: the serving endpoint accepts and reconstructs arbitrary serialized objects.",
+      "NIST-800-53-IA-2": "The model-serving API does not authenticate callers before reaching a deserialization sink.",
+      "ISO-27001-2022-A.8.28": "Secure-coding expectations do not address unsafe deserialization of request data in a model-serving framework.",
+      "NIS2-Art21-vulnerability-management": "Vulnerability-management measures do not enumerate model-serving frameworks' deserialization paths as unauthenticated RCE surfaces.",
+      "DORA-Art-9": "ICT protection measures do not model model-serving deserialization RCE as an ICT-risk event.",
+      "UK-CAF-B4": "System Security objective has no objective for safe deserialization in model-serving frameworks.",
+      "AU-ISM-1546": "Patch-application control does not single out model-serving frameworks.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework treats a model-serving framework's request-deserialization path as a privileged execution surface that must never reconstruct untrusted serialized objects."
+    },
+    "atlas_refs": [
+      "AML.T0049"
+    ],
+    "attack_refs": [
+      "T1190",
+      "T1059"
+    ],
+    "rwep_score": 33,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 28,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Moderate (RWEP 33, \"patch within 30 days\" band per lib/scoring.js timeline). Not KEV, no confirmed in-the-wild exploitation, patched at disclosure (Hard Rule #3): poc_available=20 + blast_radius=28, minus patch_available 15. This is the second of two BentoML unauthenticated insecure-deserialization RCEs (CVE-2024-2912 fixed in 1.2.5) - the same class recurred, so the control is to never deserialize untrusted request data in the serving path.",
+    "epss_score": null,
+    "epss_date": "2026-05-25",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2025-27520",
+    "cwe_refs": [
+      "CWE-502"
+    ],
+    "iocs": {
+      "behavioral": [
+        "Unauthenticated requests to a BentoML serving endpoint carrying a serialized-object payload (a deserialization-gadget body) rather than expected inference input.",
+        "The BentoML server process spawning shell, network, or file-system child processes from the request-deserialization path.",
+        "BentoML 1.3.4-1.4.2 serving API reachable on an untrusted network - the exposed precondition."
+      ],
+      "_ioc_source_note": "Behavioral signatures anchored to the disclosing advisory (https://github.com/advisories/GHSA-33xw-247w-6hmc) and NVD CVE-2025-27520 (CWE-502)."
+    },
+    "source_verified": "2026-05-25",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2025-27520",
+      "https://github.com/advisories/GHSA-33xw-247w-6hmc"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "GitHub Security Advisory",
+        "advisory_id": "CVE-2025-27520",
+        "url": "https://github.com/advisories/GHSA-33xw-247w-6hmc",
+        "severity": "critical",
+        "published_date": "2025-04-04"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2025-27520",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27520",
+        "severity": "critical",
+        "published_date": "2025-04-04"
+      }
+    ],
+    "last_updated": "2026-05-25",
+    "discovery_attribution_note": "Manually curated from the GitHub Security Advisory (https://github.com/advisories/GHSA-33xw-247w-6hmc, CWE-502) + GitHub (CNA, CVSS v3.1 9.8); NVD has not published its own score. Model-serving framework flaw (BentoML); reuses the inference/serving deserialization-safety control NEW-CTRL-086 (shared with the ShadowMQ / vLLM inference-deserialization entries).",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "BentoML's serde.py deserializes attacker-supplied serialized objects from requests without validation, giving unauthenticated RCE (CWE-502); fixed in 1.4.3 - the deserialization-RCE class recurred after the 1.2.5 fix."
+  },
   "CVE-2026-41091": {
     "name": "Microsoft Defender (Malware Protection Engine) Link-Following LPE to SYSTEM",
     "type": "LPE",

package/data/cwe-catalog.json

@@ -1344,6 +1344,7 @@
       "CVE-2025-23254",
       "CVE-2025-24016",
       "CVE-2025-26399",
+      "CVE-2025-27520",
       "CVE-2025-30165",
       "CVE-2025-32434",
       "CVE-2025-32444",
@@ -1951,6 +1952,7 @@
       "webapp-security"
     ],
     "evidence_cves": [
+      "CVE-2024-2912",
       "CVE-2025-48927"
     ],
     "framework_controls_partially_addressing": [

package/data/framework-control-gaps.json

@@ -55,6 +55,7 @@
       "CVE-2024-24590",
       "CVE-2024-24591",
       "CVE-2024-27132",
+      "CVE-2024-2912",
       "CVE-2024-37032",
       "CVE-2024-39722",
       "CVE-2024-42478",
@@ -67,6 +68,7 @@
       "CVE-2025-1753",
       "CVE-2025-23254",
       "CVE-2025-23266",
+      "CVE-2025-27520",
       "CVE-2025-30165",
       "CVE-2025-30202",
       "CVE-2025-32434",
@@ -1273,9 +1275,11 @@
       "CVE-2024-12366",
       "CVE-2024-24590",
       "CVE-2024-24591",
+      "CVE-2024-2912",
       "CVE-2024-5565",
       "CVE-2025-0133",
       "CVE-2025-1094",
+      "CVE-2025-27520",
       "CVE-2025-3248",
       "CVE-2025-6965",
       "CVE-2026-30623",
@@ -2108,8 +2112,10 @@
       "CVE-2024-12366",
       "CVE-2024-24590",
       "CVE-2024-24591",
+      "CVE-2024-2912",
       "CVE-2024-3154",
       "CVE-2024-5565",
+      "CVE-2025-27520",
       "CVE-2025-3248",
       "CVE-2025-49844",
       "CVE-2025-53773",
@@ -2344,6 +2350,7 @@
       "CVE-2024-24590",
       "CVE-2024-24591",
       "CVE-2024-27132",
+      "CVE-2024-2912",
       "CVE-2024-37032",
       "CVE-2024-39722",
       "CVE-2024-50050",
@@ -2353,6 +2360,7 @@
       "CVE-2025-1550",
       "CVE-2025-1753",
       "CVE-2025-23254",
+      "CVE-2025-27520",
       "CVE-2025-30165",
       "CVE-2025-32434",
       "CVE-2025-33236",
@@ -2805,8 +2813,10 @@
       "BUG-2026-NIGHTMARE-ECLIPSE-UNDEFEND",
       "CVE-2023-6016",
       "CVE-2024-12366",
+      "CVE-2024-2912",
       "CVE-2024-5565",
       "CVE-2025-11837",
+      "CVE-2025-27520",
       "CVE-2025-3248",
       "CVE-2026-22778",
       "CVE-2026-32202",
@@ -4993,7 +5003,9 @@
     "evidence_cves": [
       "CVE-2023-3519",
       "CVE-2024-12366",
+      "CVE-2024-2912",
       "CVE-2024-5565",
+      "CVE-2025-27520",
       "CVE-2026-0300",
       "CVE-2026-42945"
     ],
@@ -5053,6 +5065,7 @@
       "CVE-2024-24590",
       "CVE-2024-24591",
       "CVE-2024-27132",
+      "CVE-2024-2912",
       "CVE-2024-37032",
       "CVE-2024-39722",
       "CVE-2024-42478",
@@ -5065,6 +5078,7 @@
       "CVE-2025-1753",
       "CVE-2025-23254",
       "CVE-2025-23266",
+      "CVE-2025-27520",
       "CVE-2025-30165",
       "CVE-2025-30202",
       "CVE-2025-32434",
@@ -5618,6 +5632,7 @@
       "CVE-2024-24590",
       "CVE-2024-24591",
       "CVE-2024-27132",
+      "CVE-2024-2912",
       "CVE-2024-37032",
       "CVE-2024-39722",
       "CVE-2024-42478",
@@ -5628,6 +5643,7 @@
       "CVE-2025-1753",
       "CVE-2025-23254",
       "CVE-2025-23266",
+      "CVE-2025-27520",
       "CVE-2025-30165",
       "CVE-2025-30202",
       "CVE-2025-32434",
@@ -5718,6 +5734,7 @@
       "CVE-2024-24590",
       "CVE-2024-24591",
       "CVE-2024-27132",
+      "CVE-2024-2912",
       "CVE-2024-37032",
       "CVE-2024-39722",
       "CVE-2024-42478",
@@ -5730,6 +5747,7 @@
       "CVE-2025-1753",
       "CVE-2025-23254",
       "CVE-2025-23266",
+      "CVE-2025-27520",
       "CVE-2025-30165",
       "CVE-2025-30202",
       "CVE-2025-32434",
@@ -6052,8 +6070,10 @@
       "CVE-2023-6021",
       "CVE-2023-6038",
       "CVE-2024-1709",
+      "CVE-2024-2912",
       "CVE-2024-4889",
       "CVE-2024-6587",
+      "CVE-2025-27520",
       "CVE-2025-3248",
       "CVE-2025-64513",
       "CVE-2025-67818",

package/data/zeroday-lessons.json

@@ -4461,6 +4461,106 @@
     "_auto_imported": false,
     "_intake_method": "manual-verified-curation"
   },
+  "CVE-2024-2912": {
+    "name": "BentoML Insecure Deserialization Unauthenticated Remote Code Execution",
+    "lesson_date": "2026-05-25",
+    "attack_vector": {
+      "description": "BentoML before 1.2.5 deserializes an attacker-supplied serialized object delivered to a valid serving endpoint without validation, so an unauthenticated attacker runs arbitrary code on the model server.",
+      "privileges_required": "none (unauthenticated)",
+      "complexity": "low",
+      "ai_factor": "The abused surface is BentoML, a model-serving / inference framework. The lesson: a model server must never reconstruct an untrusted serialized object from a request - the same inference-path deserialization class as the ShadowMQ / vLLM entries, here on the HTTP serving API, and it recurred in BentoML after the first fix."
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Flaw remediation closed one deserialization path (1.2.5) but the class recurred (serde.py, fixed 1.4.3) - the fix did not generalize to all request-deserialization sinks."
+      },
+      "NIST-800-53-SI-10": {
+        "covered": true,
+        "adequate": false,
+        "gap": "No input validation distinguishes a safe payload from a deserialization-gadget object at the model-serving endpoint."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework treats a model-serving framework's request-deserialization path as a privileged execution surface."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 84,
+      "basis": "Model-serving frameworks are deployed for inference throughput on trusted-network assumptions; their request-deserialization paths are not treated as untrusted-input boundaries.",
+      "theater_pattern": "model_serving_deserialization_trust"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-086",
+        "name": "AI-INFERENCE-IPC-DESERIALIZATION-SAFETY",
+        "description": "AI inference engines must use a safe serializer (e.g. JSON) for IPC/socket communication, never deserialize untrusted serialized objects, authenticate socket peers, and isolate the channel on a trusted network segment. Because the insecure primitive spread by code reuse, the control must be applied across every inference engine in the estate, not one at a time. Apply the project fix (NVIDIA TensorRT-LLM), and for vLLM keep the legacy V0 engine disabled. The distinguishing test: send a crafted serialized object to the inference engine's socket from an unauthorized peer on a staging instance and confirm it is rejected, not deserialized.",
+        "evidence": "https://nvidia.custhelp.com/app/answers/detail/a_id/5648",
+        "gap_closes": [
+          "NIST-800-53-SI-2",
+          "NIST-800-53-SI-10",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
+  "CVE-2025-27520": {
+    "name": "BentoML serde.py Insecure Deserialization Unauthenticated Remote Code Execution",
+    "lesson_date": "2026-05-25",
+    "attack_vector": {
+      "description": "BentoML 1.3.4 through 1.4.2 reconstructs an attacker-supplied serialized object in serde.py from a request without validation, giving any unauthenticated user remote code execution - the same insecure-deserialization class that 1.2.5 fixed, recurring on the serde.py path.",
+      "privileges_required": "none (unauthenticated)",
+      "complexity": "low",
+      "ai_factor": "The abused surface is BentoML, a model-serving / inference framework. The lesson: a model server must never reconstruct an untrusted serialized object from a request - the same inference-path deserialization class as the ShadowMQ / vLLM entries, here on the HTTP serving API, and it recurred in BentoML after the first fix."
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Flaw remediation closed one deserialization path (1.2.5) but the class recurred (serde.py, fixed 1.4.3) - the fix did not generalize to all request-deserialization sinks."
+      },
+      "NIST-800-53-SI-10": {
+        "covered": true,
+        "adequate": false,
+        "gap": "No input validation distinguishes a safe payload from a deserialization-gadget object at the model-serving endpoint."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework treats a model-serving framework's request-deserialization path as a privileged execution surface."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 84,
+      "basis": "Model-serving frameworks are deployed for inference throughput on trusted-network assumptions; their request-deserialization paths are not treated as untrusted-input boundaries.",
+      "theater_pattern": "model_serving_deserialization_trust"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-086",
+        "name": "AI-INFERENCE-IPC-DESERIALIZATION-SAFETY",
+        "description": "AI inference engines must use a safe serializer (e.g. JSON) for IPC/socket communication, never deserialize untrusted serialized objects, authenticate socket peers, and isolate the channel on a trusted network segment. Because the insecure primitive spread by code reuse, the control must be applied across every inference engine in the estate, not one at a time. Apply the project fix (NVIDIA TensorRT-LLM), and for vLLM keep the legacy V0 engine disabled. The distinguishing test: send a crafted serialized object to the inference engine's socket from an unauthorized peer on a staging instance and confirm it is rejected, not deserialized.",
+        "evidence": "https://nvidia.custhelp.com/app/answers/detail/a_id/5648",
+        "gap_closes": [
+          "NIST-800-53-SI-2",
+          "NIST-800-53-SI-10",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
   "CVE-2023-6038": {
     "name": "H2O-3 REST API Unauthenticated Local File Inclusion (Arbitrary File Read)",
     "lesson_date": "2026-05-25",