@blamejs/exceptd-skills 0.13.107 → 0.13.109

package/data/framework-control-gaps.json

@@ -35,7 +35,10 @@
     "opened_date": "2026-01-01",
     "evidence_cves": [
       "CVE-2022-1471",
+      "CVE-2022-36551",
       "CVE-2023-43654",
+      "CVE-2023-43791",
+      "CVE-2023-47117",
       "CVE-2023-48022",
       "CVE-2023-51449",
       "CVE-2023-6016",
@@ -70,6 +73,7 @@
       "CVE-2025-1753",
       "CVE-2025-23254",
       "CVE-2025-23266",
+      "CVE-2025-25297",
       "CVE-2025-27520",
       "CVE-2025-30165",
       "CVE-2025-30202",
@@ -1238,9 +1242,11 @@
     "status": "open",
     "opened_date": "2026-05-17",
     "evidence_cves": [
+      "CVE-2022-36551",
       "CVE-2024-0132",
       "CVE-2024-21626",
-      "CVE-2025-23266"
+      "CVE-2025-23266",
+      "CVE-2025-25297"
     ],
     "atlas_refs": [],
     "attack_refs": [
@@ -2194,6 +2200,8 @@
     "opened_date": "2026-04-01",
     "evidence_cves": [
       "BUG-2026-NIGHTMARE-ECLIPSE-YELLOWKEY",
+      "CVE-2023-43791",
+      "CVE-2023-47117",
       "CVE-2025-14847",
       "CVE-2025-22226",
       "CVE-2026-43284"
@@ -2261,6 +2269,7 @@
     "status": "open",
     "opened_date": "2026-05-01",
     "evidence_cves": [
+      "CVE-2022-36551",
       "CVE-2023-48022",
       "CVE-2023-51449",
       "CVE-2023-6038",
@@ -2272,6 +2281,7 @@
       "CVE-2024-42478",
       "CVE-2024-42479",
       "CVE-2025-23266",
+      "CVE-2025-25297",
       "CVE-2025-30202",
       "CVE-2025-32444",
       "CVE-2025-53767",
@@ -2343,6 +2353,7 @@
     "status": "open",
     "opened_date": "2026-05-13",
     "evidence_cves": [
+      "CVE-2022-36551",
       "CVE-2023-44467",
       "CVE-2024-0129",
       "CVE-2024-11392",
@@ -2366,6 +2377,7 @@
       "CVE-2025-1550",
       "CVE-2025-1753",
       "CVE-2025-23254",
+      "CVE-2025-25297",
       "CVE-2025-27520",
       "CVE-2025-30165",
       "CVE-2025-32434",
@@ -3831,6 +3843,8 @@
     "evidence_cves": [
       "CVE-2022-1471",
       "CVE-2023-43654",
+      "CVE-2023-43791",
+      "CVE-2023-47117",
       "CVE-2023-48022",
       "CVE-2023-6019",
       "CVE-2023-6021",
@@ -5052,8 +5066,11 @@
     "opened_date": "2026-05-15",
     "evidence_cves": [
       "CVE-2022-1471",
+      "CVE-2022-36551",
       "CVE-2023-43654",
+      "CVE-2023-43791",
       "CVE-2023-44467",
+      "CVE-2023-47117",
       "CVE-2023-48022",
       "CVE-2023-51449",
       "CVE-2023-6016",
@@ -5090,6 +5107,7 @@
       "CVE-2025-1753",
       "CVE-2025-23254",
       "CVE-2025-23266",
+      "CVE-2025-25297",
       "CVE-2025-27520",
       "CVE-2025-30165",
       "CVE-2025-30202",
@@ -5167,8 +5185,12 @@
     "status": "open",
     "opened_date": "2026-05-15",
     "evidence_cves": [
+      "CVE-2022-36551",
+      "CVE-2023-43791",
+      "CVE-2023-47117",
       "CVE-2023-6038",
       "CVE-2024-1709",
+      "CVE-2025-25297",
       "CVE-2025-3248",
       "CVE-2026-33017",
       "CVE-2026-39987",
@@ -5462,6 +5484,8 @@
     "status": "open",
     "opened_date": "2026-05-15",
     "evidence_cves": [
+      "CVE-2023-43791",
+      "CVE-2023-47117",
       "CVE-2023-6016",
       "CVE-2023-6038",
       "CVE-2025-3248",
@@ -5625,7 +5649,10 @@
     "status": "open",
     "opened_date": "2026-05-17",
     "evidence_cves": [
+      "CVE-2022-36551",
+      "CVE-2023-43791",
       "CVE-2023-44467",
+      "CVE-2023-47117",
       "CVE-2023-51449",
       "CVE-2023-6016",
       "CVE-2023-6038",
@@ -5657,6 +5684,7 @@
       "CVE-2025-1753",
       "CVE-2025-23254",
       "CVE-2025-23266",
+      "CVE-2025-25297",
       "CVE-2025-27520",
       "CVE-2025-30165",
       "CVE-2025-30202",
@@ -5725,8 +5753,11 @@
     "opened_date": "2026-05-17",
     "evidence_cves": [
       "CVE-2022-1471",
+      "CVE-2022-36551",
       "CVE-2023-43654",
+      "CVE-2023-43791",
       "CVE-2023-44467",
+      "CVE-2023-47117",
       "CVE-2023-48022",
       "CVE-2023-51449",
       "CVE-2023-6016",
@@ -5763,6 +5794,7 @@
       "CVE-2025-1753",
       "CVE-2025-23254",
       "CVE-2025-23266",
+      "CVE-2025-25297",
       "CVE-2025-27520",
       "CVE-2025-30165",
       "CVE-2025-30202",
@@ -6009,6 +6041,8 @@
     "opened_date": "2026-05-18",
     "evidence_cves": [
       "CVE-2020-10148",
+      "CVE-2023-43791",
+      "CVE-2023-47117",
       "CVE-2023-48022",
       "CVE-2023-6038",
       "CVE-2025-3248",
@@ -6208,7 +6242,9 @@
     "status": "open",
     "opened_date": "2026-05-18",
     "evidence_cves": [
+      "CVE-2022-36551",
       "CVE-2024-21762",
+      "CVE-2025-25297",
       "CVE-2026-20182"
     ],
     "atlas_refs": [],

package/data/zeroday-lessons.json

@@ -4561,6 +4561,206 @@
     "_auto_imported": false,
     "_intake_method": "manual-verified-curation"
   },
+  "CVE-2025-25297": {
+    "name": "Label Studio S3 Storage Endpoint Server-Side Request Forgery",
+    "lesson_date": "2026-05-25",
+    "attack_vector": {
+      "description": "Label Studio's S3 cloud-storage integration accepts a custom endpoint URL without validation, so an attacker points it at internal services or cloud metadata and the server issues the request, leaking data via the responses.",
+      "privileges_required": "low (an account; self-registration is on by default in the data-import case)",
+      "complexity": "low",
+      "ai_factor": "The abused surface is Label Studio, a data-labeling / annotation platform central to ML data pipelines. The lesson: an ML data platform's server-side fetches (import URLs, storage endpoints) are an egress that must validate and allowlist destinations, or they become an SSRF pivot into internal networks and cloud metadata."
+    },
+    "framework_coverage": {
+      "NIST-800-53-SC-7": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Boundary protection does not treat the ML data platform's server-side fetch as an egress that can reach internal services."
+      },
+      "NIST-800-53-SI-10": {
+        "covered": true,
+        "adequate": false,
+        "gap": "No input validation is applied to the user-supplied URL/endpoint before the server fetches it."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework treats an ML data-pipeline platform's import/storage URL fetch as an egress that must validate and allowlist destinations."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 80,
+      "basis": "ML data-labeling platforms are deployed inside trusted networks and import from arbitrary URLs/storage endpoints by design; their server-side fetches are not destination-validated.",
+      "theater_pattern": "ai_data_pipeline_ssrf_trust"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-105",
+        "name": "AI-DATA-PIPELINE-IMPORT-SSRF-PROTECTION",
+        "description": "An AI data-pipeline platform that fetches from caller-supplied URLs or endpoints (data import, cloud-storage endpoint configuration, webhook/annotation sources) must validate and allowlist the destination before issuing the request: reject private, link-local, and cloud-metadata addresses (169.254.169.254), reject file:// and non-HTTP schemes, and resolve+pin the host to prevent DNS-rebinding. Restrict who can configure server-side fetches and disable self-registration if not required. The distinguishing test: configure the import/storage URL to an internal or cloud-metadata address on a staging instance and confirm the server refuses the fetch - a platform that issues the request and returns the response is exploitable for SSRF / internal pivot, regardless of authentication posture.",
+        "evidence": "https://github.com/advisories/GHSA-m238-fmcw-wh58",
+        "gap_closes": [
+          "NIST-800-53-SC-7",
+          "NIST-800-53-SI-10",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
+  "CVE-2023-47117": {
+    "name": "Label Studio ORM Filter Manipulation Sensitive-Field Disclosure",
+    "lesson_date": "2026-05-25",
+    "attack_vector": {
+      "description": "Label Studio passes user-controlled task filters into a Django ORM query without restricting referenced fields, so an attacker reads sensitive fields (password hashes, tokens) from all user accounts.",
+      "privileges_required": "none (unauthenticated field disclosure)",
+      "complexity": "low",
+      "ai_factor": "The abused surface is Label Studio, a data-labeling / annotation platform central to ML data pipelines. The lesson: an ML data-platform API must enforce object-level authorization and never expose sensitive fields - this CVE supplies the leaked credentials in a privilege-escalation chain that ends in full account takeover."
+    },
+    "framework_coverage": {
+      "NIST-800-53-AC-3": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Access enforcement does not constrain which records/fields a user can read through the API."
+      },
+      "NIST-800-53-SC-28": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Sensitive fields (password hashes, tokens) are readable through the API and directly usable once leaked."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework treats an ML data-platform API's object-level authorization and sensitive-field exposure as integrity controls whose failure yields account takeover."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 80,
+      "basis": "ML data-labeling platforms expose rich APIs over collaborative datasets; object-level authorization and serializer field allowlisting are frequently missing, and audits rarely test cross-account field reads.",
+      "theater_pattern": "ai_app_broken_object_authorization"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-106",
+        "name": "AI-APP-API-OBJECT-AUTHORIZATION-AND-FIELD-EXPOSURE",
+        "description": "An AI data-platform API (data-labeling, annotation, dataset/registry services) must enforce object-level authorization on every read and must never expose sensitive fields - secrets, session-signing keys, auth tokens, password hashes - through API responses, serializers, or user-controlled query/filter expressions. Use serializer field allowlists (never blanket model serialization), reject ORM/filter inputs that reference fields the caller is not authorized to read, scope every query to the caller's own objects, and store credentials so a read leak is not directly replayable (and rotate exposed secrets). The distinguishing test: as a low-privilege user, craft a filter/query that references another account's password hash or token, and confirm the API refuses it - a platform whose filter/serializer leaks sensitive fields lets an attacker chain disclosure into account impersonation and privilege escalation.",
+        "evidence": "https://github.com/advisories/GHSA-6hjj-gq77-j4qw",
+        "gap_closes": [
+          "NIST-800-53-AC-3",
+          "NIST-800-53-SC-28",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
+  "CVE-2023-43791": {
+    "name": "Label Studio Account Impersonation and Privilege Escalation",
+    "lesson_date": "2026-05-25",
+    "attack_vector": {
+      "description": "Label Studio exposes information that, chained with the ORM sensitive-field leak (CVE-2023-47117), lets an attacker impersonate any account and escalate from a low-privilege user to a Django super administrator.",
+      "privileges_required": "low (a low-privilege account; the chain reaches Django superadmin)",
+      "complexity": "low",
+      "ai_factor": "The abused surface is Label Studio, a data-labeling / annotation platform central to ML data pipelines. The lesson: an ML data-platform API must enforce object-level authorization and never expose sensitive fields - this CVE replays the leaked credentials to impersonate and escalate in a privilege-escalation chain that ends in full account takeover."
+    },
+    "framework_coverage": {
+      "NIST-800-53-AC-3": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Access enforcement does not constrain which records/fields a user can read through the API."
+      },
+      "NIST-800-53-SC-28": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Sensitive fields (password hashes, tokens) are readable through the API and directly usable once leaked."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework treats an ML data-platform API's object-level authorization and sensitive-field exposure as integrity controls whose failure yields account takeover."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 82,
+      "basis": "ML data-labeling platforms expose rich APIs over collaborative datasets; object-level authorization and serializer field allowlisting are frequently missing, and audits rarely test cross-account field reads.",
+      "theater_pattern": "ai_app_broken_object_authorization"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-106",
+        "name": "AI-APP-API-OBJECT-AUTHORIZATION-AND-FIELD-EXPOSURE",
+        "description": "An AI data-platform API (data-labeling, annotation, dataset/registry services) must enforce object-level authorization on every read and must never expose sensitive fields - secrets, session-signing keys, auth tokens, password hashes - through API responses, serializers, or user-controlled query/filter expressions. Use serializer field allowlists (never blanket model serialization), reject ORM/filter inputs that reference fields the caller is not authorized to read, scope every query to the caller's own objects, and store credentials so a read leak is not directly replayable (and rotate exposed secrets). The distinguishing test: as a low-privilege user, craft a filter/query that references another account's password hash or token, and confirm the API refuses it - a platform whose filter/serializer leaks sensitive fields lets an attacker chain disclosure into account impersonation and privilege escalation.",
+        "evidence": "https://github.com/advisories/GHSA-f475-x83m-rx5m",
+        "gap_closes": [
+          "NIST-800-53-AC-3",
+          "NIST-800-53-SC-28",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
+  "CVE-2022-36551": {
+    "name": "Label Studio Data Import Server-Side Request Forgery",
+    "lesson_date": "2026-05-25",
+    "attack_vector": {
+      "description": "Label Studio's Data Import module fetches a user-supplied URL with no destination restriction; with self-registration on by default, any remote attacker supplies internal or file:// URLs and the server reads arbitrary files / reaches internal services.",
+      "privileges_required": "low (an account; self-registration is on by default in the data-import case)",
+      "complexity": "low",
+      "ai_factor": "The abused surface is Label Studio, a data-labeling / annotation platform central to ML data pipelines. The lesson: an ML data platform's server-side fetches (import URLs, storage endpoints) are an egress that must validate and allowlist destinations, or they become an SSRF pivot into internal networks and cloud metadata."
+    },
+    "framework_coverage": {
+      "NIST-800-53-SC-7": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Boundary protection does not treat the ML data platform's server-side fetch as an egress that can reach internal services."
+      },
+      "NIST-800-53-SI-10": {
+        "covered": true,
+        "adequate": false,
+        "gap": "No input validation is applied to the user-supplied URL/endpoint before the server fetches it."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework treats an ML data-pipeline platform's import/storage URL fetch as an egress that must validate and allowlist destinations."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 78,
+      "basis": "ML data-labeling platforms are deployed inside trusted networks and import from arbitrary URLs/storage endpoints by design; their server-side fetches are not destination-validated.",
+      "theater_pattern": "ai_data_pipeline_ssrf_trust"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-105",
+        "name": "AI-DATA-PIPELINE-IMPORT-SSRF-PROTECTION",
+        "description": "An AI data-pipeline platform that fetches from caller-supplied URLs or endpoints (data import, cloud-storage endpoint configuration, webhook/annotation sources) must validate and allowlist the destination before issuing the request: reject private, link-local, and cloud-metadata addresses (169.254.169.254), reject file:// and non-HTTP schemes, and resolve+pin the host to prevent DNS-rebinding. Restrict who can configure server-side fetches and disable self-registration if not required. The distinguishing test: configure the import/storage URL to an internal or cloud-metadata address on a staging instance and confirm the server refuses the fetch - a platform that issues the request and returns the response is exploitable for SSRF / internal pivot, regardless of authentication posture.",
+        "evidence": "https://github.com/advisories/GHSA-pc6f-259w-w3j6",
+        "gap_closes": [
+          "NIST-800-53-SC-7",
+          "NIST-800-53-SI-10",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
   "CVE-2024-37060": {
     "name": "MLflow Recipe Deserialization Remote Code Execution",
     "lesson_date": "2026-05-25",