@blamejs/exceptd-skills 0.13.106 → 0.13.108

package/data/framework-control-gaps.json

@@ -35,6 +35,7 @@
     "opened_date": "2026-01-01",
     "evidence_cves": [
       "CVE-2022-1471",
+      "CVE-2022-36551",
       "CVE-2023-43654",
       "CVE-2023-48022",
       "CVE-2023-51449",
@@ -57,6 +58,8 @@
       "CVE-2024-27132",
       "CVE-2024-2912",
       "CVE-2024-37032",
+      "CVE-2024-37052",
+      "CVE-2024-37060",
       "CVE-2024-39722",
       "CVE-2024-42478",
       "CVE-2024-42479",
@@ -68,6 +71,7 @@
       "CVE-2025-1753",
       "CVE-2025-23254",
       "CVE-2025-23266",
+      "CVE-2025-25297",
       "CVE-2025-27520",
       "CVE-2025-30165",
       "CVE-2025-30202",
@@ -1236,9 +1240,11 @@
     "status": "open",
     "opened_date": "2026-05-17",
     "evidence_cves": [
+      "CVE-2022-36551",
       "CVE-2024-0132",
       "CVE-2024-21626",
-      "CVE-2025-23266"
+      "CVE-2025-23266",
+      "CVE-2025-25297"
     ],
     "atlas_refs": [],
     "attack_refs": [
@@ -1276,6 +1282,8 @@
       "CVE-2024-24590",
       "CVE-2024-24591",
       "CVE-2024-2912",
+      "CVE-2024-37052",
+      "CVE-2024-37060",
       "CVE-2024-5565",
       "CVE-2025-0133",
       "CVE-2025-1094",
@@ -2257,6 +2265,7 @@
     "status": "open",
     "opened_date": "2026-05-01",
     "evidence_cves": [
+      "CVE-2022-36551",
       "CVE-2023-48022",
       "CVE-2023-51449",
       "CVE-2023-6038",
@@ -2268,6 +2277,7 @@
       "CVE-2024-42478",
       "CVE-2024-42479",
       "CVE-2025-23266",
+      "CVE-2025-25297",
       "CVE-2025-30202",
       "CVE-2025-32444",
       "CVE-2025-53767",
@@ -2339,6 +2349,7 @@
     "status": "open",
     "opened_date": "2026-05-13",
     "evidence_cves": [
+      "CVE-2022-36551",
       "CVE-2023-44467",
       "CVE-2024-0129",
       "CVE-2024-11392",
@@ -2352,6 +2363,8 @@
       "CVE-2024-27132",
       "CVE-2024-2912",
       "CVE-2024-37032",
+      "CVE-2024-37052",
+      "CVE-2024-37060",
       "CVE-2024-39722",
       "CVE-2024-50050",
       "CVE-2024-5565",
@@ -2360,6 +2373,7 @@
       "CVE-2025-1550",
       "CVE-2025-1753",
       "CVE-2025-23254",
+      "CVE-2025-25297",
       "CVE-2025-27520",
       "CVE-2025-30165",
       "CVE-2025-32434",
@@ -2534,6 +2548,8 @@
       "CVE-2024-27199",
       "CVE-2024-27443",
       "CVE-2024-37032",
+      "CVE-2024-37052",
+      "CVE-2024-37060",
       "CVE-2024-37079",
       "CVE-2024-39722",
       "CVE-2024-42009",
@@ -2857,6 +2873,8 @@
       "CVE-2024-24590",
       "CVE-2024-24591",
       "CVE-2024-3094",
+      "CVE-2024-37052",
+      "CVE-2024-37060",
       "MAL-2026-SHAI-HULUD-OSS"
     ],
     "atlas_refs": [
@@ -5042,6 +5060,7 @@
     "opened_date": "2026-05-15",
     "evidence_cves": [
       "CVE-2022-1471",
+      "CVE-2022-36551",
       "CVE-2023-43654",
       "CVE-2023-44467",
       "CVE-2023-48022",
@@ -5067,6 +5086,8 @@
       "CVE-2024-27132",
       "CVE-2024-2912",
       "CVE-2024-37032",
+      "CVE-2024-37052",
+      "CVE-2024-37060",
       "CVE-2024-39722",
       "CVE-2024-42478",
       "CVE-2024-42479",
@@ -5078,6 +5099,7 @@
       "CVE-2025-1753",
       "CVE-2025-23254",
       "CVE-2025-23266",
+      "CVE-2025-25297",
       "CVE-2025-27520",
       "CVE-2025-30165",
       "CVE-2025-30202",
@@ -5155,8 +5177,10 @@
     "status": "open",
     "opened_date": "2026-05-15",
     "evidence_cves": [
+      "CVE-2022-36551",
       "CVE-2023-6038",
       "CVE-2024-1709",
+      "CVE-2025-25297",
       "CVE-2025-3248",
       "CVE-2026-33017",
       "CVE-2026-39987",
@@ -5613,6 +5637,7 @@
     "status": "open",
     "opened_date": "2026-05-17",
     "evidence_cves": [
+      "CVE-2022-36551",
       "CVE-2023-44467",
       "CVE-2023-51449",
       "CVE-2023-6016",
@@ -5634,6 +5659,8 @@
       "CVE-2024-27132",
       "CVE-2024-2912",
       "CVE-2024-37032",
+      "CVE-2024-37052",
+      "CVE-2024-37060",
       "CVE-2024-39722",
       "CVE-2024-42478",
       "CVE-2024-42479",
@@ -5643,6 +5670,7 @@
       "CVE-2025-1753",
       "CVE-2025-23254",
       "CVE-2025-23266",
+      "CVE-2025-25297",
       "CVE-2025-27520",
       "CVE-2025-30165",
       "CVE-2025-30202",
@@ -5711,6 +5739,7 @@
     "opened_date": "2026-05-17",
     "evidence_cves": [
       "CVE-2022-1471",
+      "CVE-2022-36551",
       "CVE-2023-43654",
       "CVE-2023-44467",
       "CVE-2023-48022",
@@ -5736,6 +5765,8 @@
       "CVE-2024-27132",
       "CVE-2024-2912",
       "CVE-2024-37032",
+      "CVE-2024-37052",
+      "CVE-2024-37060",
       "CVE-2024-39722",
       "CVE-2024-42478",
       "CVE-2024-42479",
@@ -5747,6 +5778,7 @@
       "CVE-2025-1753",
       "CVE-2025-23254",
       "CVE-2025-23266",
+      "CVE-2025-25297",
       "CVE-2025-27520",
       "CVE-2025-30165",
       "CVE-2025-30202",
@@ -5855,6 +5887,8 @@
       "CVE-2024-24590",
       "CVE-2024-24591",
       "CVE-2024-3154",
+      "CVE-2024-37052",
+      "CVE-2024-37060",
       "MAL-2026-NODE-IPC-STEALER",
       "MAL-2026-RUBYGEMS-BUFFERZONECORP-SLEEPER",
       "MAL-2026-SHAI-HULUD-OSS",
@@ -6190,7 +6224,9 @@
     "status": "open",
     "opened_date": "2026-05-18",
     "evidence_cves": [
+      "CVE-2022-36551",
       "CVE-2024-21762",
+      "CVE-2025-25297",
       "CVE-2026-20182"
     ],
     "atlas_refs": [],

package/data/zeroday-lessons.json

@@ -4511,6 +4511,206 @@
     "_auto_imported": false,
     "_intake_method": "manual-verified-curation"
   },
+  "CVE-2024-37052": {
+    "name": "MLflow scikit-learn Model Deserialization Remote Code Execution",
+    "lesson_date": "2026-05-25",
+    "attack_vector": {
+      "description": "A maliciously crafted scikit-learn model stored in MLflow (1.1.0-2.14.1) runs arbitrary code when a user loads or interacts with it, because the model object is reconstructed through unsafe deserialization.",
+      "privileges_required": "low-to-none (upload to a registry the victim uses; victim must load/run the artifact - UI:R)",
+      "complexity": "low",
+      "ai_factor": "The abused surface is MLflow, an MLOps / model-registry platform. The lesson: an MLflow model artifact or Recipe is executable code - loading an untrusted one is code execution, so there is no patch, only provenance verification and sandboxed loading. One of the Protect AI / HiddenLayer model-flavor deserialization findings."
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Flaw remediation cannot patch this - loading an untrusted model is inherently code execution; the control is artifact provenance + sandboxing."
+      },
+      "NIST-800-53-SI-10": {
+        "covered": true,
+        "adequate": false,
+        "gap": "No input validation distinguishes a benign model artifact from a deserialization payload before MLflow loads it."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework treats an MLflow model artifact / Recipe as untrusted executable code requiring provenance verification and sandboxed loading."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 82,
+      "basis": "MLflow model registries are shared across teams on trusted-collaborator assumptions; model artifacts are loaded without provenance verification or sandboxing, and no patch exists because the format is inherently executable.",
+      "theater_pattern": "untrusted_model_artifact_as_code"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-091",
+        "name": "UNTRUSTED-MODEL-ARTIFACT-LOADING",
+        "description": "Treat ML model artifacts as untrusted code: never load .keras / pickle-based models from untrusted sources, verify provenance, prefer safe formats (e.g. safetensors), and load untrusted models only in a sandboxed, network-isolated, least-privilege environment. Upgrade Keras to the fixed release (>= 3.8.0 for CVE-2025-1550; past 3.10.0 for the CVE-2025-8747 safe_mode bypass) and do not rely on safe_mode alone — it was bypassable. The distinguishing test: load an attacker-crafted .keras archive with safe_mode enabled on a sandboxed instance and confirm no code executes.",
+        "evidence": "https://nvd.nist.gov/vuln/detail/CVE-2025-1550",
+        "gap_closes": [
+          "NIST-800-53-SI-2",
+          "NIST-800-53-SI-10",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
+  "CVE-2025-25297": {
+    "name": "Label Studio S3 Storage Endpoint Server-Side Request Forgery",
+    "lesson_date": "2026-05-25",
+    "attack_vector": {
+      "description": "Label Studio's S3 cloud-storage integration accepts a custom endpoint URL without validation, so an attacker points it at internal services or cloud metadata and the server issues the request, leaking data via the responses.",
+      "privileges_required": "low (an account; self-registration is on by default in the data-import case)",
+      "complexity": "low",
+      "ai_factor": "The abused surface is Label Studio, a data-labeling / annotation platform central to ML data pipelines. The lesson: an ML data platform's server-side fetches (import URLs, storage endpoints) are an egress that must validate and allowlist destinations, or they become an SSRF pivot into internal networks and cloud metadata."
+    },
+    "framework_coverage": {
+      "NIST-800-53-SC-7": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Boundary protection does not treat the ML data platform's server-side fetch as an egress that can reach internal services."
+      },
+      "NIST-800-53-SI-10": {
+        "covered": true,
+        "adequate": false,
+        "gap": "No input validation is applied to the user-supplied URL/endpoint before the server fetches it."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework treats an ML data-pipeline platform's import/storage URL fetch as an egress that must validate and allowlist destinations."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 80,
+      "basis": "ML data-labeling platforms are deployed inside trusted networks and import from arbitrary URLs/storage endpoints by design; their server-side fetches are not destination-validated.",
+      "theater_pattern": "ai_data_pipeline_ssrf_trust"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-105",
+        "name": "AI-DATA-PIPELINE-IMPORT-SSRF-PROTECTION",
+        "description": "An AI data-pipeline platform that fetches from caller-supplied URLs or endpoints (data import, cloud-storage endpoint configuration, webhook/annotation sources) must validate and allowlist the destination before issuing the request: reject private, link-local, and cloud-metadata addresses (169.254.169.254), reject file:// and non-HTTP schemes, and resolve+pin the host to prevent DNS-rebinding. Restrict who can configure server-side fetches and disable self-registration if not required. The distinguishing test: configure the import/storage URL to an internal or cloud-metadata address on a staging instance and confirm the server refuses the fetch - a platform that issues the request and returns the response is exploitable for SSRF / internal pivot, regardless of authentication posture.",
+        "evidence": "https://github.com/advisories/GHSA-m238-fmcw-wh58",
+        "gap_closes": [
+          "NIST-800-53-SC-7",
+          "NIST-800-53-SI-10",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
+  "CVE-2022-36551": {
+    "name": "Label Studio Data Import Server-Side Request Forgery",
+    "lesson_date": "2026-05-25",
+    "attack_vector": {
+      "description": "Label Studio's Data Import module fetches a user-supplied URL with no destination restriction; with self-registration on by default, any remote attacker supplies internal or file:// URLs and the server reads arbitrary files / reaches internal services.",
+      "privileges_required": "low (an account; self-registration is on by default in the data-import case)",
+      "complexity": "low",
+      "ai_factor": "The abused surface is Label Studio, a data-labeling / annotation platform central to ML data pipelines. The lesson: an ML data platform's server-side fetches (import URLs, storage endpoints) are an egress that must validate and allowlist destinations, or they become an SSRF pivot into internal networks and cloud metadata."
+    },
+    "framework_coverage": {
+      "NIST-800-53-SC-7": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Boundary protection does not treat the ML data platform's server-side fetch as an egress that can reach internal services."
+      },
+      "NIST-800-53-SI-10": {
+        "covered": true,
+        "adequate": false,
+        "gap": "No input validation is applied to the user-supplied URL/endpoint before the server fetches it."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework treats an ML data-pipeline platform's import/storage URL fetch as an egress that must validate and allowlist destinations."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 78,
+      "basis": "ML data-labeling platforms are deployed inside trusted networks and import from arbitrary URLs/storage endpoints by design; their server-side fetches are not destination-validated.",
+      "theater_pattern": "ai_data_pipeline_ssrf_trust"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-105",
+        "name": "AI-DATA-PIPELINE-IMPORT-SSRF-PROTECTION",
+        "description": "An AI data-pipeline platform that fetches from caller-supplied URLs or endpoints (data import, cloud-storage endpoint configuration, webhook/annotation sources) must validate and allowlist the destination before issuing the request: reject private, link-local, and cloud-metadata addresses (169.254.169.254), reject file:// and non-HTTP schemes, and resolve+pin the host to prevent DNS-rebinding. Restrict who can configure server-side fetches and disable self-registration if not required. The distinguishing test: configure the import/storage URL to an internal or cloud-metadata address on a staging instance and confirm the server refuses the fetch - a platform that issues the request and returns the response is exploitable for SSRF / internal pivot, regardless of authentication posture.",
+        "evidence": "https://github.com/advisories/GHSA-pc6f-259w-w3j6",
+        "gap_closes": [
+          "NIST-800-53-SC-7",
+          "NIST-800-53-SI-10",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
+  "CVE-2024-37060": {
+    "name": "MLflow Recipe Deserialization Remote Code Execution",
+    "lesson_date": "2026-05-25",
+    "attack_vector": {
+      "description": "A maliciously crafted MLflow Recipe (1.27.0-2.14.1) runs arbitrary code when executed, because it is reconstructed through unsafe deserialization.",
+      "privileges_required": "low-to-none (upload to a registry the victim uses; victim must load/run the artifact - UI:R)",
+      "complexity": "low",
+      "ai_factor": "The abused surface is MLflow, an MLOps / model-registry platform. The lesson: an MLflow model artifact or Recipe is executable code - loading an untrusted one is code execution, so there is no patch, only provenance verification and sandboxed loading. One of the Protect AI / HiddenLayer model-flavor deserialization findings."
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Flaw remediation cannot patch this - loading an untrusted model is inherently code execution; the control is artifact provenance + sandboxing."
+      },
+      "NIST-800-53-SI-10": {
+        "covered": true,
+        "adequate": false,
+        "gap": "No input validation distinguishes a benign model artifact from a deserialization payload before MLflow loads it."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework treats an MLflow model artifact / Recipe as untrusted executable code requiring provenance verification and sandboxed loading."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 82,
+      "basis": "MLflow model registries are shared across teams on trusted-collaborator assumptions; model artifacts are loaded without provenance verification or sandboxing, and no patch exists because the format is inherently executable.",
+      "theater_pattern": "untrusted_model_artifact_as_code"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-091",
+        "name": "UNTRUSTED-MODEL-ARTIFACT-LOADING",
+        "description": "Treat ML model artifacts as untrusted code: never load .keras / pickle-based models from untrusted sources, verify provenance, prefer safe formats (e.g. safetensors), and load untrusted models only in a sandboxed, network-isolated, least-privilege environment. Upgrade Keras to the fixed release (>= 3.8.0 for CVE-2025-1550; past 3.10.0 for the CVE-2025-8747 safe_mode bypass) and do not rely on safe_mode alone — it was bypassable. The distinguishing test: load an attacker-crafted .keras archive with safe_mode enabled on a sandboxed instance and confirm no code executes.",
+        "evidence": "https://nvd.nist.gov/vuln/detail/CVE-2025-1550",
+        "gap_closes": [
+          "NIST-800-53-SI-2",
+          "NIST-800-53-SI-10",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
   "CVE-2025-27520": {
     "name": "BentoML serde.py Insecure Deserialization Unauthenticated Remote Code Execution",
     "lesson_date": "2026-05-25",