@blamejs/exceptd-skills 0.13.105 → 0.13.107

package/data/framework-control-gaps.json

@@ -55,7 +55,10 @@
       "CVE-2024-24590",
       "CVE-2024-24591",
       "CVE-2024-27132",
+      "CVE-2024-2912",
       "CVE-2024-37032",
+      "CVE-2024-37052",
+      "CVE-2024-37060",
       "CVE-2024-39722",
       "CVE-2024-42478",
       "CVE-2024-42479",
@@ -67,6 +70,7 @@
       "CVE-2025-1753",
       "CVE-2025-23254",
       "CVE-2025-23266",
+      "CVE-2025-27520",
       "CVE-2025-30165",
       "CVE-2025-30202",
       "CVE-2025-32434",
@@ -1273,9 +1277,13 @@
       "CVE-2024-12366",
       "CVE-2024-24590",
       "CVE-2024-24591",
+      "CVE-2024-2912",
+      "CVE-2024-37052",
+      "CVE-2024-37060",
       "CVE-2024-5565",
       "CVE-2025-0133",
       "CVE-2025-1094",
+      "CVE-2025-27520",
       "CVE-2025-3248",
       "CVE-2025-6965",
       "CVE-2026-30623",
@@ -2108,8 +2116,10 @@
       "CVE-2024-12366",
       "CVE-2024-24590",
       "CVE-2024-24591",
+      "CVE-2024-2912",
       "CVE-2024-3154",
       "CVE-2024-5565",
+      "CVE-2025-27520",
       "CVE-2025-3248",
       "CVE-2025-49844",
       "CVE-2025-53773",
@@ -2344,7 +2354,10 @@
       "CVE-2024-24590",
       "CVE-2024-24591",
       "CVE-2024-27132",
+      "CVE-2024-2912",
       "CVE-2024-37032",
+      "CVE-2024-37052",
+      "CVE-2024-37060",
       "CVE-2024-39722",
       "CVE-2024-50050",
       "CVE-2024-5565",
@@ -2353,6 +2366,7 @@
       "CVE-2025-1550",
       "CVE-2025-1753",
       "CVE-2025-23254",
+      "CVE-2025-27520",
       "CVE-2025-30165",
       "CVE-2025-32434",
       "CVE-2025-33236",
@@ -2526,6 +2540,8 @@
       "CVE-2024-27199",
       "CVE-2024-27443",
       "CVE-2024-37032",
+      "CVE-2024-37052",
+      "CVE-2024-37060",
       "CVE-2024-37079",
       "CVE-2024-39722",
       "CVE-2024-42009",
@@ -2805,8 +2821,10 @@
       "BUG-2026-NIGHTMARE-ECLIPSE-UNDEFEND",
       "CVE-2023-6016",
       "CVE-2024-12366",
+      "CVE-2024-2912",
       "CVE-2024-5565",
       "CVE-2025-11837",
+      "CVE-2025-27520",
       "CVE-2025-3248",
       "CVE-2026-22778",
       "CVE-2026-32202",
@@ -2847,6 +2865,8 @@
       "CVE-2024-24590",
       "CVE-2024-24591",
       "CVE-2024-3094",
+      "CVE-2024-37052",
+      "CVE-2024-37060",
       "MAL-2026-SHAI-HULUD-OSS"
     ],
     "atlas_refs": [
@@ -4993,7 +5013,9 @@
     "evidence_cves": [
       "CVE-2023-3519",
       "CVE-2024-12366",
+      "CVE-2024-2912",
       "CVE-2024-5565",
+      "CVE-2025-27520",
       "CVE-2026-0300",
       "CVE-2026-42945"
     ],
@@ -5053,7 +5075,10 @@
       "CVE-2024-24590",
       "CVE-2024-24591",
       "CVE-2024-27132",
+      "CVE-2024-2912",
       "CVE-2024-37032",
+      "CVE-2024-37052",
+      "CVE-2024-37060",
       "CVE-2024-39722",
       "CVE-2024-42478",
       "CVE-2024-42479",
@@ -5065,6 +5090,7 @@
       "CVE-2025-1753",
       "CVE-2025-23254",
       "CVE-2025-23266",
+      "CVE-2025-27520",
       "CVE-2025-30165",
       "CVE-2025-30202",
       "CVE-2025-32434",
@@ -5618,7 +5644,10 @@
       "CVE-2024-24590",
       "CVE-2024-24591",
       "CVE-2024-27132",
+      "CVE-2024-2912",
       "CVE-2024-37032",
+      "CVE-2024-37052",
+      "CVE-2024-37060",
       "CVE-2024-39722",
       "CVE-2024-42478",
       "CVE-2024-42479",
@@ -5628,6 +5657,7 @@
       "CVE-2025-1753",
       "CVE-2025-23254",
       "CVE-2025-23266",
+      "CVE-2025-27520",
       "CVE-2025-30165",
       "CVE-2025-30202",
       "CVE-2025-32434",
@@ -5718,7 +5748,10 @@
       "CVE-2024-24590",
       "CVE-2024-24591",
       "CVE-2024-27132",
+      "CVE-2024-2912",
       "CVE-2024-37032",
+      "CVE-2024-37052",
+      "CVE-2024-37060",
       "CVE-2024-39722",
       "CVE-2024-42478",
       "CVE-2024-42479",
@@ -5730,6 +5763,7 @@
       "CVE-2025-1753",
       "CVE-2025-23254",
       "CVE-2025-23266",
+      "CVE-2025-27520",
       "CVE-2025-30165",
       "CVE-2025-30202",
       "CVE-2025-32434",
@@ -5837,6 +5871,8 @@
       "CVE-2024-24590",
       "CVE-2024-24591",
       "CVE-2024-3154",
+      "CVE-2024-37052",
+      "CVE-2024-37060",
       "MAL-2026-NODE-IPC-STEALER",
       "MAL-2026-RUBYGEMS-BUFFERZONECORP-SLEEPER",
       "MAL-2026-SHAI-HULUD-OSS",
@@ -6052,8 +6088,10 @@
       "CVE-2023-6021",
       "CVE-2023-6038",
       "CVE-2024-1709",
+      "CVE-2024-2912",
       "CVE-2024-4889",
       "CVE-2024-6587",
+      "CVE-2025-27520",
       "CVE-2025-3248",
       "CVE-2025-64513",
       "CVE-2025-67818",

package/data/zeroday-lessons.json

@@ -4461,6 +4461,206 @@
     "_auto_imported": false,
     "_intake_method": "manual-verified-curation"
   },
+  "CVE-2024-2912": {
+    "name": "BentoML Insecure Deserialization Unauthenticated Remote Code Execution",
+    "lesson_date": "2026-05-25",
+    "attack_vector": {
+      "description": "BentoML before 1.2.5 deserializes an attacker-supplied serialized object delivered to a valid serving endpoint without validation, so an unauthenticated attacker runs arbitrary code on the model server.",
+      "privileges_required": "none (unauthenticated)",
+      "complexity": "low",
+      "ai_factor": "The abused surface is BentoML, a model-serving / inference framework. The lesson: a model server must never reconstruct an untrusted serialized object from a request - the same inference-path deserialization class as the ShadowMQ / vLLM entries, here on the HTTP serving API, and it recurred in BentoML after the first fix."
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Flaw remediation closed one deserialization path (1.2.5) but the class recurred (serde.py, fixed 1.4.3) - the fix did not generalize to all request-deserialization sinks."
+      },
+      "NIST-800-53-SI-10": {
+        "covered": true,
+        "adequate": false,
+        "gap": "No input validation distinguishes a safe payload from a deserialization-gadget object at the model-serving endpoint."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework treats a model-serving framework's request-deserialization path as a privileged execution surface."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 84,
+      "basis": "Model-serving frameworks are deployed for inference throughput on trusted-network assumptions; their request-deserialization paths are not treated as untrusted-input boundaries.",
+      "theater_pattern": "model_serving_deserialization_trust"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-086",
+        "name": "AI-INFERENCE-IPC-DESERIALIZATION-SAFETY",
+        "description": "AI inference engines must use a safe serializer (e.g. JSON) for IPC/socket communication, never deserialize untrusted serialized objects, authenticate socket peers, and isolate the channel on a trusted network segment. Because the insecure primitive spread by code reuse, the control must be applied across every inference engine in the estate, not one at a time. Apply the project fix (NVIDIA TensorRT-LLM), and for vLLM keep the legacy V0 engine disabled. The distinguishing test: send a crafted serialized object to the inference engine's socket from an unauthorized peer on a staging instance and confirm it is rejected, not deserialized.",
+        "evidence": "https://nvidia.custhelp.com/app/answers/detail/a_id/5648",
+        "gap_closes": [
+          "NIST-800-53-SI-2",
+          "NIST-800-53-SI-10",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
+  "CVE-2024-37052": {
+    "name": "MLflow scikit-learn Model Deserialization Remote Code Execution",
+    "lesson_date": "2026-05-25",
+    "attack_vector": {
+      "description": "A maliciously crafted scikit-learn model stored in MLflow (1.1.0-2.14.1) runs arbitrary code when a user loads or interacts with it, because the model object is reconstructed through unsafe deserialization.",
+      "privileges_required": "low-to-none (upload to a registry the victim uses; victim must load/run the artifact - UI:R)",
+      "complexity": "low",
+      "ai_factor": "The abused surface is MLflow, an MLOps / model-registry platform. The lesson: an MLflow model artifact or Recipe is executable code - loading an untrusted one is code execution, so there is no patch, only provenance verification and sandboxed loading. One of the Protect AI / HiddenLayer model-flavor deserialization findings."
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Flaw remediation cannot patch this - loading an untrusted model is inherently code execution; the control is artifact provenance + sandboxing."
+      },
+      "NIST-800-53-SI-10": {
+        "covered": true,
+        "adequate": false,
+        "gap": "No input validation distinguishes a benign model artifact from a deserialization payload before MLflow loads it."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework treats an MLflow model artifact / Recipe as untrusted executable code requiring provenance verification and sandboxed loading."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 82,
+      "basis": "MLflow model registries are shared across teams on trusted-collaborator assumptions; model artifacts are loaded without provenance verification or sandboxing, and no patch exists because the format is inherently executable.",
+      "theater_pattern": "untrusted_model_artifact_as_code"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-091",
+        "name": "UNTRUSTED-MODEL-ARTIFACT-LOADING",
+        "description": "Treat ML model artifacts as untrusted code: never load .keras / pickle-based models from untrusted sources, verify provenance, prefer safe formats (e.g. safetensors), and load untrusted models only in a sandboxed, network-isolated, least-privilege environment. Upgrade Keras to the fixed release (>= 3.8.0 for CVE-2025-1550; past 3.10.0 for the CVE-2025-8747 safe_mode bypass) and do not rely on safe_mode alone — it was bypassable. The distinguishing test: load an attacker-crafted .keras archive with safe_mode enabled on a sandboxed instance and confirm no code executes.",
+        "evidence": "https://nvd.nist.gov/vuln/detail/CVE-2025-1550",
+        "gap_closes": [
+          "NIST-800-53-SI-2",
+          "NIST-800-53-SI-10",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
+  "CVE-2024-37060": {
+    "name": "MLflow Recipe Deserialization Remote Code Execution",
+    "lesson_date": "2026-05-25",
+    "attack_vector": {
+      "description": "A maliciously crafted MLflow Recipe (1.27.0-2.14.1) runs arbitrary code when executed, because it is reconstructed through unsafe deserialization.",
+      "privileges_required": "low-to-none (upload to a registry the victim uses; victim must load/run the artifact - UI:R)",
+      "complexity": "low",
+      "ai_factor": "The abused surface is MLflow, an MLOps / model-registry platform. The lesson: an MLflow model artifact or Recipe is executable code - loading an untrusted one is code execution, so there is no patch, only provenance verification and sandboxed loading. One of the Protect AI / HiddenLayer model-flavor deserialization findings."
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Flaw remediation cannot patch this - loading an untrusted model is inherently code execution; the control is artifact provenance + sandboxing."
+      },
+      "NIST-800-53-SI-10": {
+        "covered": true,
+        "adequate": false,
+        "gap": "No input validation distinguishes a benign model artifact from a deserialization payload before MLflow loads it."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework treats an MLflow model artifact / Recipe as untrusted executable code requiring provenance verification and sandboxed loading."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 82,
+      "basis": "MLflow model registries are shared across teams on trusted-collaborator assumptions; model artifacts are loaded without provenance verification or sandboxing, and no patch exists because the format is inherently executable.",
+      "theater_pattern": "untrusted_model_artifact_as_code"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-091",
+        "name": "UNTRUSTED-MODEL-ARTIFACT-LOADING",
+        "description": "Treat ML model artifacts as untrusted code: never load .keras / pickle-based models from untrusted sources, verify provenance, prefer safe formats (e.g. safetensors), and load untrusted models only in a sandboxed, network-isolated, least-privilege environment. Upgrade Keras to the fixed release (>= 3.8.0 for CVE-2025-1550; past 3.10.0 for the CVE-2025-8747 safe_mode bypass) and do not rely on safe_mode alone — it was bypassable. The distinguishing test: load an attacker-crafted .keras archive with safe_mode enabled on a sandboxed instance and confirm no code executes.",
+        "evidence": "https://nvd.nist.gov/vuln/detail/CVE-2025-1550",
+        "gap_closes": [
+          "NIST-800-53-SI-2",
+          "NIST-800-53-SI-10",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
+  "CVE-2025-27520": {
+    "name": "BentoML serde.py Insecure Deserialization Unauthenticated Remote Code Execution",
+    "lesson_date": "2026-05-25",
+    "attack_vector": {
+      "description": "BentoML 1.3.4 through 1.4.2 reconstructs an attacker-supplied serialized object in serde.py from a request without validation, giving any unauthenticated user remote code execution - the same insecure-deserialization class that 1.2.5 fixed, recurring on the serde.py path.",
+      "privileges_required": "none (unauthenticated)",
+      "complexity": "low",
+      "ai_factor": "The abused surface is BentoML, a model-serving / inference framework. The lesson: a model server must never reconstruct an untrusted serialized object from a request - the same inference-path deserialization class as the ShadowMQ / vLLM entries, here on the HTTP serving API, and it recurred in BentoML after the first fix."
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Flaw remediation closed one deserialization path (1.2.5) but the class recurred (serde.py, fixed 1.4.3) - the fix did not generalize to all request-deserialization sinks."
+      },
+      "NIST-800-53-SI-10": {
+        "covered": true,
+        "adequate": false,
+        "gap": "No input validation distinguishes a safe payload from a deserialization-gadget object at the model-serving endpoint."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework treats a model-serving framework's request-deserialization path as a privileged execution surface."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 84,
+      "basis": "Model-serving frameworks are deployed for inference throughput on trusted-network assumptions; their request-deserialization paths are not treated as untrusted-input boundaries.",
+      "theater_pattern": "model_serving_deserialization_trust"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-086",
+        "name": "AI-INFERENCE-IPC-DESERIALIZATION-SAFETY",
+        "description": "AI inference engines must use a safe serializer (e.g. JSON) for IPC/socket communication, never deserialize untrusted serialized objects, authenticate socket peers, and isolate the channel on a trusted network segment. Because the insecure primitive spread by code reuse, the control must be applied across every inference engine in the estate, not one at a time. Apply the project fix (NVIDIA TensorRT-LLM), and for vLLM keep the legacy V0 engine disabled. The distinguishing test: send a crafted serialized object to the inference engine's socket from an unauthorized peer on a staging instance and confirm it is rejected, not deserialized.",
+        "evidence": "https://nvidia.custhelp.com/app/answers/detail/a_id/5648",
+        "gap_closes": [
+          "NIST-800-53-SI-2",
+          "NIST-800-53-SI-10",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
   "CVE-2023-6038": {
     "name": "H2O-3 REST API Unauthenticated Local File Inclusion (Arbitrary File Read)",
     "lesson_date": "2026-05-25",