@blamejs/exceptd-skills 0.13.107 → 0.13.108

package/data/cve-catalog.json

@@ -55,7 +55,7 @@
     "ai_discovery_methodology": {
       "field_added": "2026-05-15",
       "agents_md_target": "Hard Rule #7 — '41% of 2025 zero-days were AI-discovered'. Catalog target rate floor: 0.40.",
-      "current_rate": 0.031,
+      "current_rate": 0.030,
       "current_floor_enforced_by_test": 0.03,
       "ladder_to_target": [
         0.03,
@@ -16884,6 +16884,212 @@
     "_intake_method": "manual-verified-curation",
     "_kev_short_description": "A malicious MLflow Recipe runs code when executed (CWE-502 unsafe deserialization); no patched version - treat MLflow artifacts as untrusted code."
   },
+  "CVE-2025-25297": {
+    "name": "Label Studio S3 Storage Endpoint Server-Side Request Forgery",
+    "type": "SSRF",
+    "cvss_score": 7.7,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
+    "cvss_note": "NIST (NVD) CVSS v3.1 base 7.7 (HIGH, PR:L); the GitHub (CNA) advisory rates it 8.6 (HIGH, PR:N - it treats the action as unauthenticated). Label Studio's S3 storage feature does not validate the custom endpoint URL, so an attacker points it at internal services or cloud metadata and the server issues the request, leaking data via the responses (CWE-918 SSRF).",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "Documented in the disclosing advisory (https://github.com/advisories/GHSA-m238-fmcw-wh58): point the S3 storage endpoint at an internal address / cloud-metadata endpoint and the Label Studio server issues the request.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed via the GitHub Security Advisory (https://github.com/advisories/GHSA-m238-fmcw-wh58). The abused surface is Label Studio, a widely used data-labeling / annotation platform in ML pipelines.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; the flaw is an unvalidated server-side fetch in an ML data-pipeline platform's S3 storage endpoint.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "Advisory disclosure with a coordinated fix; no confirmed in-the-wild exploitation reported as of curation.",
+    "affected": "Label Studio before 1.16.0.",
+    "affected_versions": [
+      "Label Studio < 1.16.0"
+    ],
+    "vector": "Label Studio's S3 cloud-storage integration accepts a custom S3 endpoint URL without validation. An attacker sets the endpoint to an internal address or cloud-metadata service; the Label Studio server makes the request and returns data from the responses - a server-side request forgery that bypasses network segmentation (CWE-918).",
+    "complexity": "low",
+    "complexity_notes": "NVD AV:N / AC:L / PR:L - network-reachable; requires an account, but lower-privilege users can configure the storage endpoint.",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "Remediation is upgrading to 1.16.0 or later; redeploy, no host reboot.",
+    "vendor_update_paths": [
+      "Upgrade Label Studio to 1.16.0 or later. Validate and allowlist destinations for the S3 storage endpoint (block private/link-local/cloud-metadata addresses and file:// schemes), and disable self-registration if not required."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SC-7": "Boundary protection does not treat the ML data platform's server-side fetch (S3 storage endpoint) as an egress that can reach internal services.",
+      "NIST-800-53-SI-10": "Input validation is not applied to the user-supplied URL/endpoint before the server fetches it.",
+      "NIST-800-53-AC-3": "Access enforcement does not constrain who can configure a server-side fetch, and lower-privilege users can set the storage endpoint.",
+      "ISO-27001-2022-A.8.22": "Network segregation is bypassed: the platform fetches attacker-chosen internal URLs server-side.",
+      "NIS2-Art21-network-security": "Network-security measures do not enumerate ML data-platform SSRF as an internal-pivot surface.",
+      "DORA-Art-9": "ICT protection measures do not model server-side request forgery from an ML data platform as an ICT-risk event.",
+      "UK-CAF-B4": "System Security objective has no objective for validating server-side fetch destinations in ML data platforms.",
+      "AU-ISM-1546": "Patch-application control does not single out ML data-labeling platforms.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework treats an ML data-pipeline platform's import/storage URL fetch as an egress that must validate and allowlist destinations."
+    },
+    "atlas_refs": [
+      "AML.T0049"
+    ],
+    "attack_refs": [
+      "T1190",
+      "T1090"
+    ],
+    "rwep_score": 23,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 18,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Moderate (RWEP 23, \"patch within 30 days\" band per lib/scoring.js timeline). Not KEV, no confirmed in-the-wild exploitation, patched at disclosure (Hard Rule #3): poc_available=20 + blast_radius=18 (SSRF - internal reach / data exfil, not direct RCE), minus patch_available 15.",
+    "epss_score": null,
+    "epss_date": "2026-05-25",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2025-25297",
+    "cwe_refs": [
+      "CWE-918"
+    ],
+    "iocs": {
+      "behavioral": [
+        "Label Studio S3 storage endpoint configured with an internal/private address, cloud-metadata endpoint (169.254.169.254), or file:// URL.",
+        "Outbound requests from the Label Studio server to internal services or metadata endpoints not part of normal operation.",
+        "Label Studio < 1.16.0 with S3 storage configurable by lower-privilege users - the exposed precondition."
+      ],
+      "_ioc_source_note": "Behavioral signatures anchored to the GitHub Security Advisory (https://github.com/advisories/GHSA-m238-fmcw-wh58) and NVD CVE-2025-25297 (CWE-918)."
+    },
+    "source_verified": "2026-05-25",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2025-25297",
+      "https://github.com/advisories/GHSA-m238-fmcw-wh58"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "GitHub Security Advisory",
+        "advisory_id": "CVE-2025-25297",
+        "url": "https://github.com/advisories/GHSA-m238-fmcw-wh58",
+        "severity": "high",
+        "published_date": "2025-02-14"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2025-25297",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-25297",
+        "severity": "high",
+        "published_date": "2025-02-14"
+      }
+    ],
+    "last_updated": "2026-05-25",
+    "discovery_attribution_note": "Manually curated from the GitHub Security Advisory (https://github.com/advisories/GHSA-m238-fmcw-wh58, CWE-918) + NVD (CVSS v3.1 7.7; GitHub CNA 8.6). Data-labeling / ML-pipeline platform flaw (Label Studio); introduces the AI data-pipeline import/storage SSRF control NEW-CTRL-105.",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Label Studio's S3 storage feature does not validate the custom endpoint URL, letting an attacker reach internal services / cloud metadata via the server (CWE-918 SSRF); fixed in 1.16.0."
+  },
+  "CVE-2022-36551": {
+    "name": "Label Studio Data Import Server-Side Request Forgery",
+    "type": "SSRF",
+    "cvss_score": 6.5,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
+    "cvss_note": "NIST (NVD) CVSS v3.1 base 6.5 (MEDIUM, PR:L). Label Studio's Data Import module fetches a user-supplied URL without restriction, so an authenticated user (self-registration is enabled by default, so effectively any remote attacker) reads arbitrary files / reaches internal services via the server (CWE-918 SSRF).",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "Documented in the disclosing advisory (https://github.com/advisories/GHSA-pc6f-259w-w3j6): point the Data Import URL fetch at an internal address / cloud-metadata endpoint and the Label Studio server issues the request.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed via the GitHub Security Advisory (https://github.com/advisories/GHSA-pc6f-259w-w3j6). The abused surface is Label Studio, a widely used data-labeling / annotation platform in ML pipelines.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; the flaw is an unvalidated server-side fetch in an ML data-pipeline platform's Data Import URL fetch.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "Advisory disclosure with a coordinated fix; no confirmed in-the-wild exploitation reported as of curation.",
+    "affected": "Label Studio before 1.6.0.",
+    "affected_versions": [
+      "Label Studio < 1.6.0"
+    ],
+    "vector": "Label Studio's Data Import module fetches a user-supplied URL with no destination restriction, so a user (self-registration is on by default, so any remote attacker can obtain an account) supplies file:// or internal URLs and the server reads arbitrary files or reaches internal services - a server-side request forgery (CWE-918).",
+    "complexity": "low",
+    "complexity_notes": "NVD AV:N / AC:L / PR:L - network-reachable; requires an account, but self-registration is on by default.",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "Remediation is upgrading to 1.6.0 or later; redeploy, no host reboot.",
+    "vendor_update_paths": [
+      "Upgrade Label Studio to 1.6.0 or later. Validate and allowlist destinations for the Data Import URL fetch (block private/link-local/cloud-metadata addresses and file:// schemes), and disable self-registration if not required."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SC-7": "Boundary protection does not treat the ML data platform's server-side fetch (Data Import URL fetch) as an egress that can reach internal services.",
+      "NIST-800-53-SI-10": "Input validation is not applied to the user-supplied URL/endpoint before the server fetches it.",
+      "NIST-800-53-AC-3": "Access enforcement does not constrain who can configure a server-side fetch, and self-registration lets any remote user reach it.",
+      "ISO-27001-2022-A.8.22": "Network segregation is bypassed: the platform fetches attacker-chosen internal URLs server-side.",
+      "NIS2-Art21-network-security": "Network-security measures do not enumerate ML data-platform SSRF as an internal-pivot surface.",
+      "DORA-Art-9": "ICT protection measures do not model server-side request forgery from an ML data platform as an ICT-risk event.",
+      "UK-CAF-B4": "System Security objective has no objective for validating server-side fetch destinations in ML data platforms.",
+      "AU-ISM-1546": "Patch-application control does not single out ML data-labeling platforms.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework treats an ML data-pipeline platform's import/storage URL fetch as an egress that must validate and allowlist destinations."
+    },
+    "atlas_refs": [
+      "AML.T0049"
+    ],
+    "attack_refs": [
+      "T1190",
+      "T1090"
+    ],
+    "rwep_score": 21,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 16,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Moderate (RWEP 21, \"patch within 30 days\" band per lib/scoring.js timeline). Not KEV, no confirmed in-the-wild exploitation, patched at disclosure (Hard Rule #3): poc_available=20 + blast_radius=16 (SSRF - internal reach / data exfil, not direct RCE), minus patch_available 15.",
+    "epss_score": null,
+    "epss_date": "2026-05-25",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2022-36551",
+    "cwe_refs": [
+      "CWE-918"
+    ],
+    "iocs": {
+      "behavioral": [
+        "Label Studio Data Import URL fetch configured with an internal/private address, cloud-metadata endpoint (169.254.169.254), or file:// URL.",
+        "Outbound requests from the Label Studio server to internal services or metadata endpoints not part of normal operation.",
+        "Label Studio < 1.6.0 with self-registration enabled (default) - any remote attacker can obtain an account and reach the import SSRF."
+      ],
+      "_ioc_source_note": "Behavioral signatures anchored to the GitHub Security Advisory (https://github.com/advisories/GHSA-pc6f-259w-w3j6) and NVD CVE-2022-36551 (CWE-918)."
+    },
+    "source_verified": "2026-05-25",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2022-36551",
+      "https://github.com/advisories/GHSA-pc6f-259w-w3j6"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "GitHub Security Advisory",
+        "advisory_id": "CVE-2022-36551",
+        "url": "https://github.com/advisories/GHSA-pc6f-259w-w3j6",
+        "severity": "high",
+        "published_date": "2022-10-04"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2022-36551",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36551",
+        "severity": "medium",
+        "published_date": "2022-10-04"
+      }
+    ],
+    "last_updated": "2026-05-25",
+    "discovery_attribution_note": "Manually curated from the GitHub Security Advisory (https://github.com/advisories/GHSA-pc6f-259w-w3j6, CWE-918) + NVD (CVSS v3.1 6.5). Data-labeling / ML-pipeline platform flaw (Label Studio); introduces the AI data-pipeline import/storage SSRF control NEW-CTRL-105.",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Label Studio's Data Import fetches user-supplied URLs without restriction (self-registration on by default), letting a remote attacker read files / reach internal services via the server (CWE-918 SSRF); fixed in 1.6.0."
+  },
   "CVE-2026-41091": {
     "name": "Microsoft Defender (Malware Protection Engine) Link-Following LPE to SYSTEM",
     "type": "LPE",

package/data/cwe-catalog.json

@@ -1868,10 +1868,12 @@
       "CVE-2021-22054",
       "CVE-2021-22175",
       "CVE-2021-39935",
+      "CVE-2022-36551",
       "CVE-2023-43654",
       "CVE-2023-48022",
       "CVE-2023-51449",
       "CVE-2024-6587",
+      "CVE-2025-25297",
       "CVE-2025-61884"
     ],
     "framework_controls_partially_addressing": [

package/data/framework-control-gaps.json

@@ -35,6 +35,7 @@
     "opened_date": "2026-01-01",
     "evidence_cves": [
       "CVE-2022-1471",
+      "CVE-2022-36551",
       "CVE-2023-43654",
       "CVE-2023-48022",
       "CVE-2023-51449",
@@ -70,6 +71,7 @@
       "CVE-2025-1753",
       "CVE-2025-23254",
       "CVE-2025-23266",
+      "CVE-2025-25297",
       "CVE-2025-27520",
       "CVE-2025-30165",
       "CVE-2025-30202",
@@ -1238,9 +1240,11 @@
     "status": "open",
     "opened_date": "2026-05-17",
     "evidence_cves": [
+      "CVE-2022-36551",
       "CVE-2024-0132",
       "CVE-2024-21626",
-      "CVE-2025-23266"
+      "CVE-2025-23266",
+      "CVE-2025-25297"
     ],
     "atlas_refs": [],
     "attack_refs": [
@@ -2261,6 +2265,7 @@
     "status": "open",
     "opened_date": "2026-05-01",
     "evidence_cves": [
+      "CVE-2022-36551",
       "CVE-2023-48022",
       "CVE-2023-51449",
       "CVE-2023-6038",
@@ -2272,6 +2277,7 @@
       "CVE-2024-42478",
       "CVE-2024-42479",
       "CVE-2025-23266",
+      "CVE-2025-25297",
       "CVE-2025-30202",
       "CVE-2025-32444",
       "CVE-2025-53767",
@@ -2343,6 +2349,7 @@
     "status": "open",
     "opened_date": "2026-05-13",
     "evidence_cves": [
+      "CVE-2022-36551",
       "CVE-2023-44467",
       "CVE-2024-0129",
       "CVE-2024-11392",
@@ -2366,6 +2373,7 @@
       "CVE-2025-1550",
       "CVE-2025-1753",
       "CVE-2025-23254",
+      "CVE-2025-25297",
       "CVE-2025-27520",
       "CVE-2025-30165",
       "CVE-2025-32434",
@@ -5052,6 +5060,7 @@
     "opened_date": "2026-05-15",
     "evidence_cves": [
       "CVE-2022-1471",
+      "CVE-2022-36551",
       "CVE-2023-43654",
       "CVE-2023-44467",
       "CVE-2023-48022",
@@ -5090,6 +5099,7 @@
       "CVE-2025-1753",
       "CVE-2025-23254",
       "CVE-2025-23266",
+      "CVE-2025-25297",
       "CVE-2025-27520",
       "CVE-2025-30165",
       "CVE-2025-30202",
@@ -5167,8 +5177,10 @@
     "status": "open",
     "opened_date": "2026-05-15",
     "evidence_cves": [
+      "CVE-2022-36551",
       "CVE-2023-6038",
       "CVE-2024-1709",
+      "CVE-2025-25297",
       "CVE-2025-3248",
       "CVE-2026-33017",
       "CVE-2026-39987",
@@ -5625,6 +5637,7 @@
     "status": "open",
     "opened_date": "2026-05-17",
     "evidence_cves": [
+      "CVE-2022-36551",
       "CVE-2023-44467",
       "CVE-2023-51449",
       "CVE-2023-6016",
@@ -5657,6 +5670,7 @@
       "CVE-2025-1753",
       "CVE-2025-23254",
       "CVE-2025-23266",
+      "CVE-2025-25297",
       "CVE-2025-27520",
       "CVE-2025-30165",
       "CVE-2025-30202",
@@ -5725,6 +5739,7 @@
     "opened_date": "2026-05-17",
     "evidence_cves": [
       "CVE-2022-1471",
+      "CVE-2022-36551",
       "CVE-2023-43654",
       "CVE-2023-44467",
       "CVE-2023-48022",
@@ -5763,6 +5778,7 @@
       "CVE-2025-1753",
       "CVE-2025-23254",
       "CVE-2025-23266",
+      "CVE-2025-25297",
       "CVE-2025-27520",
       "CVE-2025-30165",
       "CVE-2025-30202",
@@ -6208,7 +6224,9 @@
     "status": "open",
     "opened_date": "2026-05-18",
     "evidence_cves": [
+      "CVE-2022-36551",
       "CVE-2024-21762",
+      "CVE-2025-25297",
       "CVE-2026-20182"
     ],
     "atlas_refs": [],

package/data/zeroday-lessons.json

@@ -4561,6 +4561,106 @@
     "_auto_imported": false,
     "_intake_method": "manual-verified-curation"
   },
+  "CVE-2025-25297": {
+    "name": "Label Studio S3 Storage Endpoint Server-Side Request Forgery",
+    "lesson_date": "2026-05-25",
+    "attack_vector": {
+      "description": "Label Studio's S3 cloud-storage integration accepts a custom endpoint URL without validation, so an attacker points it at internal services or cloud metadata and the server issues the request, leaking data via the responses.",
+      "privileges_required": "low (an account; self-registration is on by default in the data-import case)",
+      "complexity": "low",
+      "ai_factor": "The abused surface is Label Studio, a data-labeling / annotation platform central to ML data pipelines. The lesson: an ML data platform's server-side fetches (import URLs, storage endpoints) are an egress that must validate and allowlist destinations, or they become an SSRF pivot into internal networks and cloud metadata."
+    },
+    "framework_coverage": {
+      "NIST-800-53-SC-7": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Boundary protection does not treat the ML data platform's server-side fetch as an egress that can reach internal services."
+      },
+      "NIST-800-53-SI-10": {
+        "covered": true,
+        "adequate": false,
+        "gap": "No input validation is applied to the user-supplied URL/endpoint before the server fetches it."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework treats an ML data-pipeline platform's import/storage URL fetch as an egress that must validate and allowlist destinations."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 80,
+      "basis": "ML data-labeling platforms are deployed inside trusted networks and import from arbitrary URLs/storage endpoints by design; their server-side fetches are not destination-validated.",
+      "theater_pattern": "ai_data_pipeline_ssrf_trust"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-105",
+        "name": "AI-DATA-PIPELINE-IMPORT-SSRF-PROTECTION",
+        "description": "An AI data-pipeline platform that fetches from caller-supplied URLs or endpoints (data import, cloud-storage endpoint configuration, webhook/annotation sources) must validate and allowlist the destination before issuing the request: reject private, link-local, and cloud-metadata addresses (169.254.169.254), reject file:// and non-HTTP schemes, and resolve+pin the host to prevent DNS-rebinding. Restrict who can configure server-side fetches and disable self-registration if not required. The distinguishing test: configure the import/storage URL to an internal or cloud-metadata address on a staging instance and confirm the server refuses the fetch - a platform that issues the request and returns the response is exploitable for SSRF / internal pivot, regardless of authentication posture.",
+        "evidence": "https://github.com/advisories/GHSA-m238-fmcw-wh58",
+        "gap_closes": [
+          "NIST-800-53-SC-7",
+          "NIST-800-53-SI-10",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
+  "CVE-2022-36551": {
+    "name": "Label Studio Data Import Server-Side Request Forgery",
+    "lesson_date": "2026-05-25",
+    "attack_vector": {
+      "description": "Label Studio's Data Import module fetches a user-supplied URL with no destination restriction; with self-registration on by default, any remote attacker supplies internal or file:// URLs and the server reads arbitrary files / reaches internal services.",
+      "privileges_required": "low (an account; self-registration is on by default in the data-import case)",
+      "complexity": "low",
+      "ai_factor": "The abused surface is Label Studio, a data-labeling / annotation platform central to ML data pipelines. The lesson: an ML data platform's server-side fetches (import URLs, storage endpoints) are an egress that must validate and allowlist destinations, or they become an SSRF pivot into internal networks and cloud metadata."
+    },
+    "framework_coverage": {
+      "NIST-800-53-SC-7": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Boundary protection does not treat the ML data platform's server-side fetch as an egress that can reach internal services."
+      },
+      "NIST-800-53-SI-10": {
+        "covered": true,
+        "adequate": false,
+        "gap": "No input validation is applied to the user-supplied URL/endpoint before the server fetches it."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework treats an ML data-pipeline platform's import/storage URL fetch as an egress that must validate and allowlist destinations."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 78,
+      "basis": "ML data-labeling platforms are deployed inside trusted networks and import from arbitrary URLs/storage endpoints by design; their server-side fetches are not destination-validated.",
+      "theater_pattern": "ai_data_pipeline_ssrf_trust"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-105",
+        "name": "AI-DATA-PIPELINE-IMPORT-SSRF-PROTECTION",
+        "description": "An AI data-pipeline platform that fetches from caller-supplied URLs or endpoints (data import, cloud-storage endpoint configuration, webhook/annotation sources) must validate and allowlist the destination before issuing the request: reject private, link-local, and cloud-metadata addresses (169.254.169.254), reject file:// and non-HTTP schemes, and resolve+pin the host to prevent DNS-rebinding. Restrict who can configure server-side fetches and disable self-registration if not required. The distinguishing test: configure the import/storage URL to an internal or cloud-metadata address on a staging instance and confirm the server refuses the fetch - a platform that issues the request and returns the response is exploitable for SSRF / internal pivot, regardless of authentication posture.",
+        "evidence": "https://github.com/advisories/GHSA-pc6f-259w-w3j6",
+        "gap_closes": [
+          "NIST-800-53-SC-7",
+          "NIST-800-53-SI-10",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
   "CVE-2024-37060": {
     "name": "MLflow Recipe Deserialization Remote Code Execution",
     "lesson_date": "2026-05-25",