@blamejs/exceptd-skills 0.13.106 → 0.13.108

package/data/atlas-ttps.json

@@ -152,6 +152,8 @@
       "CVE-2024-24590",
       "CVE-2024-24591",
       "CVE-2024-37032",
+      "CVE-2024-37052",
+      "CVE-2024-37060",
       "CVE-2025-1550",
       "CVE-2025-32434",
       "CVE-2025-33236",
@@ -1288,6 +1290,8 @@
       "CVE-2024-11394",
       "CVE-2024-21513",
       "CVE-2024-24590",
+      "CVE-2024-37052",
+      "CVE-2024-37060",
       "CVE-2025-1550",
       "CVE-2025-32434",
       "CVE-2025-33236",
@@ -1732,6 +1736,7 @@
     "stix_id": "attack-pattern--ebeed0c7-c5de-5049-8f27-efcae5f88b00",
     "is_subtechnique": false,
     "cve_refs": [
+      "CVE-2022-36551",
       "CVE-2023-43654",
       "CVE-2023-48022",
       "CVE-2023-51449",
@@ -1751,6 +1756,7 @@
       "CVE-2024-42479",
       "CVE-2024-4889",
       "CVE-2024-6587",
+      "CVE-2025-25297",
       "CVE-2025-27520",
       "CVE-2025-30202",
       "CVE-2025-32444",
@@ -2859,6 +2865,8 @@
       "CVE-2024-11393",
       "CVE-2024-11394",
       "CVE-2024-24590",
+      "CVE-2024-37052",
+      "CVE-2024-37060",
       "CVE-2025-1550",
       "CVE-2025-32434",
       "CVE-2025-33236",

package/data/attack-techniques.json

@@ -290,6 +290,8 @@
       "CVE-2024-24590",
       "CVE-2024-2912",
       "CVE-2024-37032",
+      "CVE-2024-37052",
+      "CVE-2024-37060",
       "CVE-2024-42479",
       "CVE-2024-4889",
       "CVE-2024-50050",
@@ -865,6 +867,7 @@
       "CVE-2021-22681",
       "CVE-2021-26828",
       "CVE-2022-1471",
+      "CVE-2022-36551",
       "CVE-2022-37055",
       "CVE-2022-40799",
       "CVE-2022-48503",
@@ -925,6 +928,7 @@
       "CVE-2025-24016",
       "CVE-2025-24893",
       "CVE-2025-25257",
+      "CVE-2025-25297",
       "CVE-2025-26399",
       "CVE-2025-27520",
       "CVE-2025-2775",
@@ -1149,6 +1153,8 @@
       "CVE-2024-11394",
       "CVE-2024-24590",
       "CVE-2024-3094",
+      "CVE-2024-37052",
+      "CVE-2024-37060",
       "CVE-2025-1550",
       "CVE-2025-32434",
       "CVE-2025-33236",
@@ -3643,7 +3649,11 @@
       "Windows"
     ],
     "stix_id": "attack-pattern--731f4f55-b6d0-41d1-a7a9-072a66389aea",
-    "is_subtechnique": false
+    "is_subtechnique": false,
+    "cve_refs": [
+      "CVE-2022-36551",
+      "CVE-2025-25297"
+    ]
   },
   "T1091": {
     "id": "T1091",
@@ -4339,6 +4349,8 @@
       "CVE-2024-11394",
       "CVE-2024-24590",
       "CVE-2024-24591",
+      "CVE-2024-37052",
+      "CVE-2024-37060",
       "CVE-2025-1550",
       "CVE-2025-32434",
       "CVE-2025-33236",

package/data/cve-catalog.json

@@ -55,7 +55,7 @@
     "ai_discovery_methodology": {
       "field_added": "2026-05-15",
       "agents_md_target": "Hard Rule #7 — '41% of 2025 zero-days were AI-discovered'. Catalog target rate floor: 0.40.",
-      "current_rate": 0.031,
+      "current_rate": 0.030,
       "current_floor_enforced_by_test": 0.03,
       "ladder_to_target": [
         0.03,
@@ -16672,6 +16672,424 @@
     "_intake_method": "manual-verified-curation",
     "_kev_short_description": "BentoML's serde.py deserializes attacker-supplied serialized objects from requests without validation, giving unauthenticated RCE (CWE-502); fixed in 1.4.3 - the deserialization-RCE class recurred after the 1.2.5 fix."
   },
+  "CVE-2024-37052": {
+    "name": "MLflow scikit-learn Model Deserialization Remote Code Execution",
+    "type": "RCE",
+    "cvss_score": 8.8,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
+    "cvss_note": "HiddenLayer (CNA) CVSS v3.1 base 8.8 (HIGH); NVD has not published its own assessed score. A maliciously crafted scikit-learn model stored in MLflow runs arbitrary code when a user loads/interacts with it, because the model object is reconstructed through unsafe deserialization (CWE-502).",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "HiddenLayer published the analysis: a scikit-learn model stored in MLflow runs code when a user loads/runs it.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed by HiddenLayer (https://github.com/advisories/GHSA-76cg-cfhx-373f). The abused surface is MLflow, a widely used MLOps / model-registry platform - one of the Protect AI / HiddenLayer model-flavor deserialization findings.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; the flaw is that an MLflow scikit-learn model is executable code reconstructed through unsafe deserialization when loaded.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "Research disclosure with a documented attack chain; no confirmed in-the-wild exploitation reported as of curation. No patched MLflow version is published (loading an untrusted model is inherently unsafe), so exposure persists when untrusted models/recipes are loaded.",
+    "affected": "MLflow 1.1.0 through 2.14.1.",
+    "affected_versions": [
+      "MLflow >= 1.1.0, <= 2.14.1"
+    ],
+    "vector": "MLflow stores and loads ML models and Recipes by flavor. A scikit-learn model is reconstructed through an unsafe deserialization path, so loading or running it executes embedded attacker code on the user's system (CWE-502). The model artifact IS executable code. Disclosed by HiddenLayer as part of the MLflow model-flavor deserialization set.",
+    "complexity": "low",
+    "complexity_notes": "HiddenLayer (CNA) AV:N / AC:L / PR:N / UI:R - network-delivered via an uploaded model/recipe, but requires the victim to load/run it (UI:R).",
+    "patch_available": false,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "No patched MLflow version is published (the GitHub advisory records 'Patched versions: None'); loading an untrusted model artifact is inherently code execution. Mitigation is provenance verification + sandboxing (see vendor_update_paths).",
+    "vendor_update_paths": [
+      "No fixed MLflow version is published. Only load models and Recipes from trusted sources, verify artifact provenance, run model loading in a sandboxed/least-privilege environment, and prefer safe serialization formats; treat every MLflow model artifact as executable code."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-2": "Flaw remediation cannot resolve this by patching - loading an untrusted model is inherently code execution; the control must be artifact provenance + sandboxing.",
+      "NIST-800-53-SI-10": "No input validation distinguishes a benign model artifact from one carrying a deserialization payload before MLflow loads it.",
+      "NIST-800-53-SR-3": "Supply-chain controls do not treat MLflow model artifacts / Recipes as untrusted third-party executable content.",
+      "ISO-27001-2022-A.8.28": "Secure-coding expectations do not address loading an untrusted model artifact as host code.",
+      "NIS2-Art21-supply-chain": "Supply-chain-security measures do not reach the MLflow model registry as a channel that delivers executable model artifacts.",
+      "DORA-Art-9": "ICT protection measures do not model untrusted model-artifact loading as an ICT-risk event.",
+      "UK-CAF-B4": "System Security objective has no objective for verifying model-artifact provenance before loading.",
+      "AU-ISM-1546": "Patch-application control does not address a flaw with no patch - the model format is inherently executable.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework treats an MLflow model artifact / Recipe as untrusted executable code requiring provenance verification and sandboxed loading."
+    },
+    "atlas_refs": [
+      "AML.T0010",
+      "AML.T0011",
+      "AML.T0011.000"
+    ],
+    "attack_refs": [
+      "T1204",
+      "T1059",
+      "T1195.002"
+    ],
+    "rwep_score": 42,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 22,
+      "patch_available": 0,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Elevated (RWEP 42, \"patch within 7 days\" band per lib/scoring.js timeline). Not KEV, no confirmed in-the-wild exploitation, and no patched version exists so no patch credit (Hard Rule #3) - this is a model-artifact-as-code flaw that no patch can close, only provenance + sandboxing. The UI:R requirement (victim must load the model) keeps blast moderate. poc_available=20 + blast_radius=22.",
+    "epss_score": null,
+    "epss_date": "2026-05-25",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2024-37052",
+    "cwe_refs": [
+      "CWE-502"
+    ],
+    "iocs": {
+      "behavioral": [
+        "MLflow scikit-learn model artifacts whose stored payload contains a deserialization gadget rather than a plain model.",
+        "The MLflow process or client spawning shell, network, or file-system child processes when a model/recipe is loaded or run.",
+        "MLflow 1.1.0-2.14.1 loading scikit-learn models from an untrusted registry/run - the exposed precondition."
+      ],
+      "_ioc_source_note": "Behavioral signatures anchored to the HiddenLayer disclosure / GitHub advisory (https://github.com/advisories/GHSA-76cg-cfhx-373f) and NVD CVE-2024-37052 (CWE-502)."
+    },
+    "source_verified": "2026-05-25",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2024-37052",
+      "https://github.com/advisories/GHSA-76cg-cfhx-373f"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "GitHub Security Advisory",
+        "advisory_id": "CVE-2024-37052",
+        "url": "https://github.com/advisories/GHSA-76cg-cfhx-373f",
+        "severity": "high",
+        "published_date": "2024-06-04"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2024-37052",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37052",
+        "severity": "high",
+        "published_date": "2024-06-04"
+      }
+    ],
+    "last_updated": "2026-05-25",
+    "discovery_attribution_note": "Manually curated from the HiddenLayer / GitHub Security Advisory (https://github.com/advisories/GHSA-76cg-cfhx-373f, CWE-502) + HiddenLayer (CNA, CVSS v3.1 8.8); NVD has not published its own score. MLflow model-flavor deserialization (Protect AI / HiddenLayer set); reuses the untrusted-model-artifact-loading control NEW-CTRL-091 - a model artifact is executable code, the class shared with Keras / Hugging Face / NeMo / PyTorch / H2O.",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "A malicious scikit-learn model in MLflow runs code when loaded (CWE-502 unsafe deserialization); no patched version - treat MLflow models as untrusted code."
+  },
+  "CVE-2024-37060": {
+    "name": "MLflow Recipe Deserialization Remote Code Execution",
+    "type": "RCE",
+    "cvss_score": 8.8,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
+    "cvss_note": "HiddenLayer (CNA) CVSS v3.1 base 8.8 (HIGH); NVD has not published its own assessed score. A maliciously crafted MLflow Recipe runs arbitrary code when executed, because it is reconstructed through unsafe deserialization (CWE-502).",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "HiddenLayer published the analysis: a malicious MLflow Recipe stored in MLflow runs code when a user loads/runs it.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed by HiddenLayer (https://github.com/advisories/GHSA-cv6c-7963-wxcg). The abused surface is MLflow, a widely used MLOps / model-registry platform - one of the Protect AI / HiddenLayer model-flavor deserialization findings.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; the flaw is that an MLflow Recipe is executable code reconstructed through unsafe deserialization when loaded.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "Research disclosure with a documented attack chain; no confirmed in-the-wild exploitation reported as of curation. No patched MLflow version is published (loading an untrusted model is inherently unsafe), so exposure persists when untrusted models/recipes are loaded.",
+    "affected": "MLflow 1.27.0 through 2.14.1.",
+    "affected_versions": [
+      "MLflow >= 1.27.0, <= 2.14.1"
+    ],
+    "vector": "MLflow stores and loads ML models and Recipes by flavor. A malicious MLflow Recipe is reconstructed through an unsafe deserialization path, so loading or running it executes embedded attacker code on the user's system (CWE-502). The model artifact IS executable code. Disclosed by HiddenLayer as part of the MLflow model-flavor deserialization set.",
+    "complexity": "low",
+    "complexity_notes": "HiddenLayer (CNA) AV:N / AC:L / PR:N / UI:R - network-delivered via an uploaded model/recipe, but requires the victim to load/run it (UI:R).",
+    "patch_available": false,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "No patched MLflow version is published (the GitHub advisory records 'Patched versions: None'); loading an untrusted model artifact is inherently code execution. Mitigation is provenance verification + sandboxing (see vendor_update_paths).",
+    "vendor_update_paths": [
+      "No fixed MLflow version is published. Only load models and Recipes from trusted sources, verify artifact provenance, run model loading in a sandboxed/least-privilege environment, and prefer safe serialization formats; treat every MLflow model artifact as executable code."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-2": "Flaw remediation cannot resolve this by patching - loading an untrusted model is inherently code execution; the control must be artifact provenance + sandboxing.",
+      "NIST-800-53-SI-10": "No input validation distinguishes a benign model artifact from one carrying a deserialization payload before MLflow loads it.",
+      "NIST-800-53-SR-3": "Supply-chain controls do not treat MLflow model artifacts / Recipes as untrusted third-party executable content.",
+      "ISO-27001-2022-A.8.28": "Secure-coding expectations do not address loading an untrusted model artifact as host code.",
+      "NIS2-Art21-supply-chain": "Supply-chain-security measures do not reach the MLflow model registry as a channel that delivers executable model artifacts.",
+      "DORA-Art-9": "ICT protection measures do not model untrusted model-artifact loading as an ICT-risk event.",
+      "UK-CAF-B4": "System Security objective has no objective for verifying model-artifact provenance before loading.",
+      "AU-ISM-1546": "Patch-application control does not address a flaw with no patch - the model format is inherently executable.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework treats an MLflow model artifact / Recipe as untrusted executable code requiring provenance verification and sandboxed loading."
+    },
+    "atlas_refs": [
+      "AML.T0010",
+      "AML.T0011",
+      "AML.T0011.000"
+    ],
+    "attack_refs": [
+      "T1204",
+      "T1059",
+      "T1195.002"
+    ],
+    "rwep_score": 42,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 22,
+      "patch_available": 0,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Elevated (RWEP 42, \"patch within 7 days\" band per lib/scoring.js timeline). Not KEV, no confirmed in-the-wild exploitation, and no patched version exists so no patch credit (Hard Rule #3) - this is a model-artifact-as-code flaw that no patch can close, only provenance + sandboxing. The UI:R requirement (victim must load the model) keeps blast moderate. poc_available=20 + blast_radius=22.",
+    "epss_score": null,
+    "epss_date": "2026-05-25",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2024-37060",
+    "cwe_refs": [
+      "CWE-502"
+    ],
+    "iocs": {
+      "behavioral": [
+        "MLflow Recipe artifacts whose stored payload contains a deserialization gadget rather than a plain model.",
+        "The MLflow process or client spawning shell, network, or file-system child processes when a model/recipe is loaded or run.",
+        "MLflow 1.27.0-2.14.1 running Recipes from an untrusted source - the exposed precondition."
+      ],
+      "_ioc_source_note": "Behavioral signatures anchored to the HiddenLayer disclosure / GitHub advisory (https://github.com/advisories/GHSA-cv6c-7963-wxcg) and NVD CVE-2024-37060 (CWE-502)."
+    },
+    "source_verified": "2026-05-25",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2024-37060",
+      "https://github.com/advisories/GHSA-cv6c-7963-wxcg"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "GitHub Security Advisory",
+        "advisory_id": "CVE-2024-37060",
+        "url": "https://github.com/advisories/GHSA-cv6c-7963-wxcg",
+        "severity": "high",
+        "published_date": "2024-06-04"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2024-37060",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37060",
+        "severity": "high",
+        "published_date": "2024-06-04"
+      }
+    ],
+    "last_updated": "2026-05-25",
+    "discovery_attribution_note": "Manually curated from the HiddenLayer / GitHub Security Advisory (https://github.com/advisories/GHSA-cv6c-7963-wxcg, CWE-502) + HiddenLayer (CNA, CVSS v3.1 8.8); NVD has not published its own score. MLflow model-flavor deserialization (Protect AI / HiddenLayer set); reuses the untrusted-model-artifact-loading control NEW-CTRL-091 - a model artifact is executable code, the class shared with Keras / Hugging Face / NeMo / PyTorch / H2O.",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "A malicious MLflow Recipe runs code when executed (CWE-502 unsafe deserialization); no patched version - treat MLflow artifacts as untrusted code."
+  },
+  "CVE-2025-25297": {
+    "name": "Label Studio S3 Storage Endpoint Server-Side Request Forgery",
+    "type": "SSRF",
+    "cvss_score": 7.7,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
+    "cvss_note": "NIST (NVD) CVSS v3.1 base 7.7 (HIGH, PR:L); the GitHub (CNA) advisory rates it 8.6 (HIGH, PR:N - it treats the action as unauthenticated). Label Studio's S3 storage feature does not validate the custom endpoint URL, so an attacker points it at internal services or cloud metadata and the server issues the request, leaking data via the responses (CWE-918 SSRF).",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "Documented in the disclosing advisory (https://github.com/advisories/GHSA-m238-fmcw-wh58): point the S3 storage endpoint at an internal address / cloud-metadata endpoint and the Label Studio server issues the request.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed via the GitHub Security Advisory (https://github.com/advisories/GHSA-m238-fmcw-wh58). The abused surface is Label Studio, a widely used data-labeling / annotation platform in ML pipelines.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; the flaw is an unvalidated server-side fetch in an ML data-pipeline platform's S3 storage endpoint.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "Advisory disclosure with a coordinated fix; no confirmed in-the-wild exploitation reported as of curation.",
+    "affected": "Label Studio before 1.16.0.",
+    "affected_versions": [
+      "Label Studio < 1.16.0"
+    ],
+    "vector": "Label Studio's S3 cloud-storage integration accepts a custom S3 endpoint URL without validation. An attacker sets the endpoint to an internal address or cloud-metadata service; the Label Studio server makes the request and returns data from the responses - a server-side request forgery that bypasses network segmentation (CWE-918).",
+    "complexity": "low",
+    "complexity_notes": "NVD AV:N / AC:L / PR:L - network-reachable; requires an account, but lower-privilege users can configure the storage endpoint.",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "Remediation is upgrading to 1.16.0 or later; redeploy, no host reboot.",
+    "vendor_update_paths": [
+      "Upgrade Label Studio to 1.16.0 or later. Validate and allowlist destinations for the S3 storage endpoint (block private/link-local/cloud-metadata addresses and file:// schemes), and disable self-registration if not required."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SC-7": "Boundary protection does not treat the ML data platform's server-side fetch (S3 storage endpoint) as an egress that can reach internal services.",
+      "NIST-800-53-SI-10": "Input validation is not applied to the user-supplied URL/endpoint before the server fetches it.",
+      "NIST-800-53-AC-3": "Access enforcement does not constrain who can configure a server-side fetch, and lower-privilege users can set the storage endpoint.",
+      "ISO-27001-2022-A.8.22": "Network segregation is bypassed: the platform fetches attacker-chosen internal URLs server-side.",
+      "NIS2-Art21-network-security": "Network-security measures do not enumerate ML data-platform SSRF as an internal-pivot surface.",
+      "DORA-Art-9": "ICT protection measures do not model server-side request forgery from an ML data platform as an ICT-risk event.",
+      "UK-CAF-B4": "System Security objective has no objective for validating server-side fetch destinations in ML data platforms.",
+      "AU-ISM-1546": "Patch-application control does not single out ML data-labeling platforms.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework treats an ML data-pipeline platform's import/storage URL fetch as an egress that must validate and allowlist destinations."
+    },
+    "atlas_refs": [
+      "AML.T0049"
+    ],
+    "attack_refs": [
+      "T1190",
+      "T1090"
+    ],
+    "rwep_score": 23,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 18,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Moderate (RWEP 23, \"patch within 30 days\" band per lib/scoring.js timeline). Not KEV, no confirmed in-the-wild exploitation, patched at disclosure (Hard Rule #3): poc_available=20 + blast_radius=18 (SSRF - internal reach / data exfil, not direct RCE), minus patch_available 15.",
+    "epss_score": null,
+    "epss_date": "2026-05-25",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2025-25297",
+    "cwe_refs": [
+      "CWE-918"
+    ],
+    "iocs": {
+      "behavioral": [
+        "Label Studio S3 storage endpoint configured with an internal/private address, cloud-metadata endpoint (169.254.169.254), or file:// URL.",
+        "Outbound requests from the Label Studio server to internal services or metadata endpoints not part of normal operation.",
+        "Label Studio < 1.16.0 with S3 storage configurable by lower-privilege users - the exposed precondition."
+      ],
+      "_ioc_source_note": "Behavioral signatures anchored to the GitHub Security Advisory (https://github.com/advisories/GHSA-m238-fmcw-wh58) and NVD CVE-2025-25297 (CWE-918)."
+    },
+    "source_verified": "2026-05-25",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2025-25297",
+      "https://github.com/advisories/GHSA-m238-fmcw-wh58"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "GitHub Security Advisory",
+        "advisory_id": "CVE-2025-25297",
+        "url": "https://github.com/advisories/GHSA-m238-fmcw-wh58",
+        "severity": "high",
+        "published_date": "2025-02-14"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2025-25297",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-25297",
+        "severity": "high",
+        "published_date": "2025-02-14"
+      }
+    ],
+    "last_updated": "2026-05-25",
+    "discovery_attribution_note": "Manually curated from the GitHub Security Advisory (https://github.com/advisories/GHSA-m238-fmcw-wh58, CWE-918) + NVD (CVSS v3.1 7.7; GitHub CNA 8.6). Data-labeling / ML-pipeline platform flaw (Label Studio); introduces the AI data-pipeline import/storage SSRF control NEW-CTRL-105.",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Label Studio's S3 storage feature does not validate the custom endpoint URL, letting an attacker reach internal services / cloud metadata via the server (CWE-918 SSRF); fixed in 1.16.0."
+  },
+  "CVE-2022-36551": {
+    "name": "Label Studio Data Import Server-Side Request Forgery",
+    "type": "SSRF",
+    "cvss_score": 6.5,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
+    "cvss_note": "NIST (NVD) CVSS v3.1 base 6.5 (MEDIUM, PR:L). Label Studio's Data Import module fetches a user-supplied URL without restriction, so an authenticated user (self-registration is enabled by default, so effectively any remote attacker) reads arbitrary files / reaches internal services via the server (CWE-918 SSRF).",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "Documented in the disclosing advisory (https://github.com/advisories/GHSA-pc6f-259w-w3j6): point the Data Import URL fetch at an internal address / cloud-metadata endpoint and the Label Studio server issues the request.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed via the GitHub Security Advisory (https://github.com/advisories/GHSA-pc6f-259w-w3j6). The abused surface is Label Studio, a widely used data-labeling / annotation platform in ML pipelines.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; the flaw is an unvalidated server-side fetch in an ML data-pipeline platform's Data Import URL fetch.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "Advisory disclosure with a coordinated fix; no confirmed in-the-wild exploitation reported as of curation.",
+    "affected": "Label Studio before 1.6.0.",
+    "affected_versions": [
+      "Label Studio < 1.6.0"
+    ],
+    "vector": "Label Studio's Data Import module fetches a user-supplied URL with no destination restriction, so a user (self-registration is on by default, so any remote attacker can obtain an account) supplies file:// or internal URLs and the server reads arbitrary files or reaches internal services - a server-side request forgery (CWE-918).",
+    "complexity": "low",
+    "complexity_notes": "NVD AV:N / AC:L / PR:L - network-reachable; requires an account, but self-registration is on by default.",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "Remediation is upgrading to 1.6.0 or later; redeploy, no host reboot.",
+    "vendor_update_paths": [
+      "Upgrade Label Studio to 1.6.0 or later. Validate and allowlist destinations for the Data Import URL fetch (block private/link-local/cloud-metadata addresses and file:// schemes), and disable self-registration if not required."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SC-7": "Boundary protection does not treat the ML data platform's server-side fetch (Data Import URL fetch) as an egress that can reach internal services.",
+      "NIST-800-53-SI-10": "Input validation is not applied to the user-supplied URL/endpoint before the server fetches it.",
+      "NIST-800-53-AC-3": "Access enforcement does not constrain who can configure a server-side fetch, and self-registration lets any remote user reach it.",
+      "ISO-27001-2022-A.8.22": "Network segregation is bypassed: the platform fetches attacker-chosen internal URLs server-side.",
+      "NIS2-Art21-network-security": "Network-security measures do not enumerate ML data-platform SSRF as an internal-pivot surface.",
+      "DORA-Art-9": "ICT protection measures do not model server-side request forgery from an ML data platform as an ICT-risk event.",
+      "UK-CAF-B4": "System Security objective has no objective for validating server-side fetch destinations in ML data platforms.",
+      "AU-ISM-1546": "Patch-application control does not single out ML data-labeling platforms.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework treats an ML data-pipeline platform's import/storage URL fetch as an egress that must validate and allowlist destinations."
+    },
+    "atlas_refs": [
+      "AML.T0049"
+    ],
+    "attack_refs": [
+      "T1190",
+      "T1090"
+    ],
+    "rwep_score": 21,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 16,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Moderate (RWEP 21, \"patch within 30 days\" band per lib/scoring.js timeline). Not KEV, no confirmed in-the-wild exploitation, patched at disclosure (Hard Rule #3): poc_available=20 + blast_radius=16 (SSRF - internal reach / data exfil, not direct RCE), minus patch_available 15.",
+    "epss_score": null,
+    "epss_date": "2026-05-25",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2022-36551",
+    "cwe_refs": [
+      "CWE-918"
+    ],
+    "iocs": {
+      "behavioral": [
+        "Label Studio Data Import URL fetch configured with an internal/private address, cloud-metadata endpoint (169.254.169.254), or file:// URL.",
+        "Outbound requests from the Label Studio server to internal services or metadata endpoints not part of normal operation.",
+        "Label Studio < 1.6.0 with self-registration enabled (default) - any remote attacker can obtain an account and reach the import SSRF."
+      ],
+      "_ioc_source_note": "Behavioral signatures anchored to the GitHub Security Advisory (https://github.com/advisories/GHSA-pc6f-259w-w3j6) and NVD CVE-2022-36551 (CWE-918)."
+    },
+    "source_verified": "2026-05-25",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2022-36551",
+      "https://github.com/advisories/GHSA-pc6f-259w-w3j6"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "GitHub Security Advisory",
+        "advisory_id": "CVE-2022-36551",
+        "url": "https://github.com/advisories/GHSA-pc6f-259w-w3j6",
+        "severity": "high",
+        "published_date": "2022-10-04"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2022-36551",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36551",
+        "severity": "medium",
+        "published_date": "2022-10-04"
+      }
+    ],
+    "last_updated": "2026-05-25",
+    "discovery_attribution_note": "Manually curated from the GitHub Security Advisory (https://github.com/advisories/GHSA-pc6f-259w-w3j6, CWE-918) + NVD (CVSS v3.1 6.5). Data-labeling / ML-pipeline platform flaw (Label Studio); introduces the AI data-pipeline import/storage SSRF control NEW-CTRL-105.",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Label Studio's Data Import fetches user-supplied URLs without restriction (self-registration on by default), letting a remote attacker read files / reach internal services via the server (CWE-918 SSRF); fixed in 1.6.0."
+  },
   "CVE-2026-41091": {
     "name": "Microsoft Defender (Malware Protection Engine) Link-Following LPE to SYSTEM",
     "type": "LPE",

package/data/cwe-catalog.json

@@ -1338,6 +1338,8 @@
       "CVE-2024-11393",
       "CVE-2024-11394",
       "CVE-2024-24590",
+      "CVE-2024-37052",
+      "CVE-2024-37060",
       "CVE-2024-50050",
       "CVE-2024-8069",
       "CVE-2025-10035",
@@ -1866,10 +1868,12 @@
       "CVE-2021-22054",
       "CVE-2021-22175",
       "CVE-2021-39935",
+      "CVE-2022-36551",
       "CVE-2023-43654",
       "CVE-2023-48022",
       "CVE-2023-51449",
       "CVE-2024-6587",
+      "CVE-2025-25297",
       "CVE-2025-61884"
     ],
     "framework_controls_partially_addressing": [