@blamejs/exceptd-skills 0.13.112 → 0.13.114

package/data/framework-control-gaps.json

@@ -52,6 +52,7 @@
       "CVE-2024-11393",
       "CVE-2024-11394",
       "CVE-2024-12366",
+      "CVE-2024-12776",
       "CVE-2024-13059",
       "CVE-2024-1561",
       "CVE-2024-21575",
@@ -73,6 +74,7 @@
       "CVE-2024-9526",
       "CVE-2025-1550",
       "CVE-2025-1753",
+      "CVE-2025-1796",
       "CVE-2025-23254",
       "CVE-2025-23266",
       "CVE-2025-25297",
@@ -84,8 +86,10 @@
       "CVE-2025-3248",
       "CVE-2025-33236",
       "CVE-2025-34291",
+      "CVE-2025-3466",
       "CVE-2025-49596",
       "CVE-2025-54136",
+      "CVE-2025-56520",
       "CVE-2025-60455",
       "CVE-2025-64496",
       "CVE-2025-64513",
@@ -1250,7 +1254,8 @@
       "CVE-2024-0132",
       "CVE-2024-21626",
       "CVE-2025-23266",
-      "CVE-2025-25297"
+      "CVE-2025-25297",
+      "CVE-2025-56520"
     ],
     "atlas_refs": [],
     "attack_refs": [
@@ -1297,6 +1302,7 @@
       "CVE-2025-1094",
       "CVE-2025-27520",
       "CVE-2025-3248",
+      "CVE-2025-3466",
       "CVE-2025-6965",
       "CVE-2026-30623",
       "CVE-2026-31229",
@@ -2135,6 +2141,7 @@
       "CVE-2024-5565",
       "CVE-2025-27520",
       "CVE-2025-3248",
+      "CVE-2025-3466",
       "CVE-2025-49844",
       "CVE-2025-53773",
       "CVE-2026-30615",
@@ -2295,6 +2302,7 @@
       "CVE-2025-30202",
       "CVE-2025-32444",
       "CVE-2025-53767",
+      "CVE-2025-56520",
       "CVE-2026-34159",
       "CVE-2026-42897"
     ],
@@ -2394,6 +2402,8 @@
       "CVE-2025-30165",
       "CVE-2025-32434",
       "CVE-2025-33236",
+      "CVE-2025-3466",
+      "CVE-2025-56520",
       "CVE-2025-60455",
       "CVE-2025-64496",
       "CVE-2025-67818",
@@ -2856,6 +2866,7 @@
       "CVE-2025-11837",
       "CVE-2025-27520",
       "CVE-2025-3248",
+      "CVE-2025-3466",
       "CVE-2026-22778",
       "CVE-2026-32202",
       "CVE-2026-33017",
@@ -3866,8 +3877,10 @@
       "CVE-2023-48022",
       "CVE-2023-6019",
       "CVE-2023-6021",
+      "CVE-2024-12776",
       "CVE-2024-4889",
       "CVE-2024-6587",
+      "CVE-2025-1796",
       "CVE-2025-64513",
       "CVE-2026-24206",
       "CVE-2026-24207",
@@ -5050,6 +5063,7 @@
       "CVE-2024-5565",
       "CVE-2024-9526",
       "CVE-2025-27520",
+      "CVE-2025-3466",
       "CVE-2026-0300",
       "CVE-2026-42945"
     ],
@@ -5104,6 +5118,7 @@
       "CVE-2024-11393",
       "CVE-2024-11394",
       "CVE-2024-12366",
+      "CVE-2024-12776",
       "CVE-2024-13059",
       "CVE-2024-1561",
       "CVE-2024-21513",
@@ -5127,6 +5142,7 @@
       "CVE-2024-9526",
       "CVE-2025-1550",
       "CVE-2025-1753",
+      "CVE-2025-1796",
       "CVE-2025-23254",
       "CVE-2025-23266",
       "CVE-2025-25297",
@@ -5138,8 +5154,10 @@
       "CVE-2025-3248",
       "CVE-2025-33236",
       "CVE-2025-34291",
+      "CVE-2025-3466",
       "CVE-2025-49596",
       "CVE-2025-54136",
+      "CVE-2025-56520",
       "CVE-2025-60455",
       "CVE-2025-64496",
       "CVE-2025-64513",
@@ -5213,9 +5231,13 @@
       "CVE-2023-43791",
       "CVE-2023-47117",
       "CVE-2023-6038",
+      "CVE-2024-12776",
       "CVE-2024-1709",
+      "CVE-2025-1796",
       "CVE-2025-25297",
       "CVE-2025-3248",
+      "CVE-2025-3466",
+      "CVE-2025-56520",
       "CVE-2026-33017",
       "CVE-2026-39987",
       "CVE-2026-7482"
@@ -5512,6 +5534,8 @@
       "CVE-2023-47117",
       "CVE-2023-6016",
       "CVE-2023-6038",
+      "CVE-2024-12776",
+      "CVE-2025-1796",
       "CVE-2025-3248",
       "CVE-2026-33017",
       "CVE-2026-6973"
@@ -5719,8 +5743,10 @@
       "CVE-2025-3248",
       "CVE-2025-33236",
       "CVE-2025-34291",
+      "CVE-2025-3466",
       "CVE-2025-49596",
       "CVE-2025-54136",
+      "CVE-2025-56520",
       "CVE-2025-60455",
       "CVE-2025-64496",
       "CVE-2025-67818",
@@ -5799,6 +5825,7 @@
       "CVE-2024-11393",
       "CVE-2024-11394",
       "CVE-2024-12366",
+      "CVE-2024-12776",
       "CVE-2024-13059",
       "CVE-2024-1561",
       "CVE-2024-21513",
@@ -5822,6 +5849,7 @@
       "CVE-2024-9526",
       "CVE-2025-1550",
       "CVE-2025-1753",
+      "CVE-2025-1796",
       "CVE-2025-23254",
       "CVE-2025-23266",
       "CVE-2025-25297",
@@ -5833,8 +5861,10 @@
       "CVE-2025-3248",
       "CVE-2025-33236",
       "CVE-2025-34291",
+      "CVE-2025-3466",
       "CVE-2025-49596",
       "CVE-2025-54136",
+      "CVE-2025-56520",
       "CVE-2025-60455",
       "CVE-2025-64496",
       "CVE-2025-64513",
@@ -6079,6 +6109,8 @@
       "CVE-2023-47117",
       "CVE-2023-48022",
       "CVE-2023-6038",
+      "CVE-2024-12776",
+      "CVE-2025-1796",
       "CVE-2025-3248",
       "CVE-2025-55241",
       "CVE-2026-24206",
@@ -6155,10 +6187,12 @@
       "CVE-2023-6019",
       "CVE-2023-6021",
       "CVE-2023-6038",
+      "CVE-2024-12776",
       "CVE-2024-1709",
       "CVE-2024-2912",
       "CVE-2024-4889",
       "CVE-2024-6587",
+      "CVE-2025-1796",
       "CVE-2025-27520",
       "CVE-2025-3248",
       "CVE-2025-64513",
@@ -6279,6 +6313,7 @@
       "CVE-2022-36551",
       "CVE-2024-21762",
       "CVE-2025-25297",
+      "CVE-2025-56520",
       "CVE-2026-20182"
     ],
     "atlas_refs": [],

package/data/zeroday-lessons.json

@@ -4761,6 +4761,206 @@
     "_auto_imported": false,
     "_intake_method": "manual-verified-curation"
   },
+  "CVE-2025-3466": {
+    "name": "Dify Code Node Sandbox Escape to Remote Code Execution",
+    "lesson_date": "2026-05-26",
+    "attack_vector": {
+      "description": "Dify's code node runs user-supplied code in a sandbox, but unsanitized input lets an attacker override global functions (e.g. parseInt) before the sandbox restrictions are imposed, escaping the sandbox and executing arbitrary code with root-level access.",
+      "privileges_required": "low (author a workflow code node; the chain reaches root)",
+      "complexity": "low",
+      "ai_factor": "The abused surface is Dify, a low-code LLM application-development platform. The lesson: an app builder's code node is a code-execution surface whose sandbox must be initialized before any user input is evaluated and must resist escape."
+    },
+    "framework_coverage": {
+      "NIST-800-53-AC-3": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Access enforcement does not constrain who can author a code node reaching a code-execution sandbox."
+      },
+      "NIST-800-53-SI-3": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Malicious-code protection does not treat the LLM app builder's code node as an escapable execution sandbox."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework treats an LLM app builder's code node as a privileged execution surface whose sandbox must be escape-resistant."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 80,
+      "basis": "Low-code LLM platforms expose code nodes for flexibility; sandbox-initialization ordering and authorship restrictions are rarely audited.",
+      "theater_pattern": "ai_app_builder_unauth_exec"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-103",
+        "name": "AI-APP-BUILDER-EXECUTION-ENDPOINT-AUTH-AND-SANDBOX",
+        "description": "A visual LLM app/agent builder (Langflow, Flowise, and similar) must authenticate every endpoint that can reach a code-execution path - validate-code, flow-build, flow-run, public-flow endpoints - and must never run flow-supplied or request-supplied code through a compile-and-run / dynamic-evaluation path with host privileges. Place the builder behind authenticated access control, never expose it to untrusted networks, and sandbox any code the platform executes on a user's behalf (no filesystem/network/process access beyond the flow's intent). The distinguishing test: send an unauthenticated request to each flow validate/build/run endpoint on a staging instance with a payload that attempts a non-flow action (a shell or network call) and confirm it is refused before any code runs - paper 'AI platform' policies that leave a public endpoint wired to a code-execution sink still permit unauthenticated RCE.",
+        "evidence": "https://www.vulncheck.com/blog/langflow-rce",
+        "gap_closes": [
+          "NIST-800-53-AC-3",
+          "NIST-800-53-SI-3",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
+  "CVE-2025-1796": {
+    "name": "Dify Weak-PRNG Password Reset Account Takeover",
+    "lesson_date": "2026-05-26",
+    "attack_vector": {
+      "description": "Dify generates password-reset codes with a weak PRNG (random.randint) rather than a cryptographically secure RNG, so an attacker predicts the reset code and takes over any account, including administrators.",
+      "privileges_required": "low (an account to trigger the predictable reset; takeover reaches admin)",
+      "complexity": "low",
+      "ai_factor": "The abused surface is Dify, a low-code LLM application-development platform. The lesson: an AI app's password-recovery flow is an authentication-integrity control - the predictable reset-code half of a takeover chain that ends in full admin control; reset tokens must be CSPRNG-generated AND verified server-side."
+    },
+    "framework_coverage": {
+      "NIST-800-53-IA-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "The LLM app's password-recovery flow lets an attacker authenticate as any user, including admin."
+      },
+      "NIST-800-53-AC-3": {
+        "covered": true,
+        "adequate": false,
+        "gap": "A predictable reset code grants control of any account."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework treats an LLM app platform's password-recovery flow as an authentication-integrity control whose failure yields full account takeover."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 82,
+      "basis": "LLM app platforms ship self-service password recovery; reset-token generation and verification are rarely audited, and weak PRNG / missing verification persist.",
+      "theater_pattern": "ai_app_weak_password_recovery"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-108",
+        "name": "AI-APP-PASSWORD-RECOVERY-INTEGRITY",
+        "description": "An AI application's password-reset / account-recovery flow must (1) generate reset tokens with a cryptographically secure RNG (e.g. secrets / os.urandom - never random.randint or another predictable PRNG), making them long, single-use, and short-lived; and (2) verify the reset token server-side, bound to the requesting account, before accepting a new password - the reset endpoint must never perform a reset without a valid, matching, unexpired token. Rate-limit reset attempts. The distinguishing test: on a staging instance, request a reset and confirm the code is unpredictable across requests, and confirm POSTing to the reset endpoint with a wrong/absent code is rejected - an AI app whose recovery flow uses a weak PRNG or skips token verification permits takeover of any account, including administrators.",
+        "evidence": "https://github.com/advisories/GHSA-cvg9-334x-w586",
+        "gap_closes": [
+          "NIST-800-53-IA-2",
+          "NIST-800-53-AC-3",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
+  "CVE-2024-12776": {
+    "name": "Dify Unverified Password-Reset Endpoint Account Takeover",
+    "lesson_date": "2026-05-26",
+    "attack_vector": {
+      "description": "Dify's /forgot-password/resets endpoint does not verify the reset code before allowing a password reset, so an attacker resets any user's password (including admin) without a valid code.",
+      "privileges_required": "none (unauthenticated reset of any account)",
+      "complexity": "high",
+      "ai_factor": "The abused surface is Dify, a low-code LLM application-development platform. The lesson: an AI app's password-recovery flow is an authentication-integrity control - the unverified-reset-endpoint half of a takeover chain that ends in full admin control; reset tokens must be CSPRNG-generated AND verified server-side."
+    },
+    "framework_coverage": {
+      "NIST-800-53-IA-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "The LLM app's password-recovery flow lets an attacker authenticate as any user, including admin."
+      },
+      "NIST-800-53-AC-3": {
+        "covered": true,
+        "adequate": false,
+        "gap": "An unverified reset endpoint grants control of any account."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework treats an LLM app platform's password-recovery flow as an authentication-integrity control whose failure yields full account takeover."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 82,
+      "basis": "LLM app platforms ship self-service password recovery; reset-token generation and verification are rarely audited, and weak PRNG / missing verification persist.",
+      "theater_pattern": "ai_app_weak_password_recovery"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-108",
+        "name": "AI-APP-PASSWORD-RECOVERY-INTEGRITY",
+        "description": "An AI application's password-reset / account-recovery flow must (1) generate reset tokens with a cryptographically secure RNG (e.g. secrets / os.urandom - never random.randint or another predictable PRNG), making them long, single-use, and short-lived; and (2) verify the reset token server-side, bound to the requesting account, before accepting a new password - the reset endpoint must never perform a reset without a valid, matching, unexpired token. Rate-limit reset attempts. The distinguishing test: on a staging instance, request a reset and confirm the code is unpredictable across requests, and confirm POSTing to the reset endpoint with a wrong/absent code is rejected - an AI app whose recovery flow uses a weak PRNG or skips token verification permits takeover of any account, including administrators.",
+        "evidence": "https://github.com/advisories/GHSA-g394-qpx6-x7rr",
+        "gap_closes": [
+          "NIST-800-53-IA-2",
+          "NIST-800-53-AC-3",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
+  "CVE-2025-56520": {
+    "name": "Dify Remote File Upload Server-Side Request Forgery",
+    "lesson_date": "2026-05-26",
+    "attack_vector": {
+      "description": "Dify's RemoteFileUploadApi fetches a user-supplied URL server-side without validating the destination, so an unauthenticated attacker reaches internal services or cloud metadata via the Dify server.",
+      "privileges_required": "none (unauthenticated)",
+      "complexity": "low",
+      "ai_factor": "The abused surface is Dify, a low-code LLM application-development platform. The lesson: an LLM platform's server-side fetches must validate and allowlist destinations or become an SSRF pivot."
+    },
+    "framework_coverage": {
+      "NIST-800-53-SC-7": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Boundary protection does not treat the LLM platform's server-side remote-file fetch as an egress that can reach internal services."
+      },
+      "NIST-800-53-SI-10": {
+        "covered": true,
+        "adequate": false,
+        "gap": "No input validation is applied to the user-supplied URL before the server fetches it."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework treats an LLM platform's remote-file fetch as an egress that must validate and allowlist destinations."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 78,
+      "basis": "LLM platforms fetch from user-supplied URLs (remote file upload) on trusted-network assumptions; the fetch destination is not validated.",
+      "theater_pattern": "ai_data_pipeline_ssrf_trust"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-105",
+        "name": "AI-DATA-PIPELINE-IMPORT-SSRF-PROTECTION",
+        "description": "An AI data-pipeline platform that fetches from caller-supplied URLs or endpoints (data import, cloud-storage endpoint configuration, webhook/annotation sources) must validate and allowlist the destination before issuing the request: reject private, link-local, and cloud-metadata addresses (169.254.169.254), reject file:// and non-HTTP schemes, and resolve+pin the host to prevent DNS-rebinding. Restrict who can configure server-side fetches and disable self-registration if not required. The distinguishing test: configure the import/storage URL to an internal or cloud-metadata address on a staging instance and confirm the server refuses the fetch - a platform that issues the request and returns the response is exploitable for SSRF / internal pivot, regardless of authentication posture.",
+        "evidence": "https://github.com/advisories/GHSA-m238-fmcw-wh58",
+        "gap_closes": [
+          "NIST-800-53-SC-7",
+          "NIST-800-53-SI-10",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
   "CVE-2023-6571": {
     "name": "Kubeflow Reflected XSS",
     "lesson_date": "2026-05-25",