@blamejs/exceptd-skills 0.13.119 → 0.13.121

package/data/cve-catalog.json

@@ -39541,5 +39541,213 @@
     "_auto_imported": false,
     "_intake_method": "manual-verified-curation",
     "_kev_short_description": "Chainlit /project/element (SQLAlchemy backend) fetches a caller-supplied url server-side and stores the response, letting an authenticated client reach internal services (CWE-918 SSRF); fixed in 2.9.4."
+  },
+  "CVE-2025-68665": {
+    "name": "LangChain JS toJSON() 'lc'-Key Serialization Injection",
+    "type": "deserialization-injection",
+    "cvss_score": 8.6,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
+    "cvss_note": "GitHub (CNA, security-advisories@github.com) CVSS v3.1 base 8.6 (scope-changed, S:C); NVD v3.1 base 9.1. LangChain JS's toJSON() (and JSON.stringify of LangChain objects) did not escape free-form kwargs data containing the internal 'lc' marker key, so attacker-controlled data carrying that key structure is treated as a legitimate serialized LangChain object on deserialization rather than plain user data (CWE-502). This is the LangChain-JS sibling of the Python-side CVE-2025-68664 dumps()/dumpd() injection.",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "Documented in the LangChain JS advisory: free-form data with an 'lc' key passed through toJSON()/JSON.stringify is rehydrated as a framework object on load.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed via the LangChain JS GitHub Security Advisory and enriched by NVD. The abused surface is LangChain JS, a widely used framework for building LLM-powered applications.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization evidence for the JS variant specifically; the flaw is unescaped framework-marker serialization in an LLM framework. (The Python sibling CVE-2025-68664 carries suspected-exploitation + weaponization signals; this JS entry is scored conservatively per the available evidence.)",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "GitHub advisory disclosure with a coordinated fix; no confirmed in-the-wild exploitation reported for the JS variant as of curation, and the CVE is not in CISA KEV (verified against the live catalog).",
+    "affected": "LangChain JS: @langchain/core before 0.3.80 and before 1.1.8; langchain before 0.3.37 and before 1.2.3.",
+    "affected_versions": [
+      "@langchain/core < 0.3.80",
+      "@langchain/core < 1.1.8",
+      "langchain < 0.3.37",
+      "langchain < 1.2.3"
+    ],
+    "vector": "LangChain JS's toJSON() method (and downstream JSON.stringify of LangChain objects) did not escape free-form kwargs data containing the 'lc' marker key that LangChain uses internally to mark serialized objects, so user-controlled data carrying that structure is rehydrated as a legitimate LangChain object during deserialization instead of being kept as plain data (CWE-502 deserialization of untrusted data).",
+    "complexity": "low",
+    "complexity_notes": "GitHub v3.1 AV:N / AC:L / PR:N / UI:N, scope-changed (S:C).",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "Remediation is upgrading @langchain/core to 0.3.80 or 1.1.8+ and langchain to 0.3.37 or 1.2.3+; redeploy.",
+    "vendor_update_paths": [
+      "Upgrade @langchain/core to 0.3.80 / 1.1.8 (or later) and langchain to 0.3.37 / 1.2.3 (or later). Never round-trip untrusted free-form data through framework serializers that interpret internal marker keys; escape or reject the 'lc' marker in user-derived fields."
+    ],
+    "framework_control_gaps": {
+      "NIST-AI-RMF-MEASURE-2.7": "Serialization round-trip of untrusted free-form data through a framework marker is not in the published AI-risk taxonomy.",
+      "EU-AI-Act-Art15": "Robustness control does not enumerate the serialization-deserialization chain in an LLM framework as an attack surface.",
+      "ISO-IEC-42001-AIMS-A.6.2.5": "Lifecycle controls do not include trust-zone separation on LLM-framework (de)serialization.",
+      "OWASP-LLM-Top-10-LLM01": "Prompt Injection class — untrusted content reaching the serializer is the upstream trigger.",
+      "OWASP-LLM-Top-10-LLM02": "Insecure output handling — applies directly to rehydrating attacker data as a framework object."
+    },
+    "atlas_refs": [
+      "AML.T0051",
+      "AML.T0040"
+    ],
+    "attack_refs": [
+      "T1059",
+      "T1552"
+    ],
+    "rwep_score": 25,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 20,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Moderate-high (RWEP 25, \"patch within 30 days\" band per lib/scoring.js). Not KEV (verified), no confirmed in-the-wild exploitation for the JS variant, patched (Hard Rule #3): poc_available=20 + blast_radius=20 (unauthenticated scope-changed deserialization injection in a widely used LLM framework), minus patch_available 15. Scored below its Python sibling CVE-2025-68664 (RWEP 52), which additionally carries suspected-exploitation + weaponization signals.",
+    "epss_score": 0.00066,
+    "epss_date": "2026-05-26",
+    "epss_note": "FIRST EPSS 0.00066 (20th percentile) as of 2026-05-26.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2025-68665",
+    "cwe_refs": [
+      "CWE-502"
+    ],
+    "iocs": {
+      "behavioral": [
+        "LangChain JS applications round-tripping user-controlled free-form data through toJSON() / JSON.stringify where the data contains an 'lc' key.",
+        "Deserialized LangChain objects instantiated from fields that should have been plain user data.",
+        "@langchain/core < 0.3.80 / < 1.1.8 or langchain < 0.3.37 / < 1.2.3 handling untrusted serialized input — the exposed precondition."
+      ],
+      "_ioc_source_note": "Behavioral signatures anchored to the LangChain JS GitHub Security Advisory and NVD CVE-2025-68665 (CWE-502)."
+    },
+    "source_verified": "2026-05-26",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2025-68665",
+      "https://github.com/langchain-ai/langchainjs/releases/tag/%40langchain%2Fcore%401.1.8"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "GitHub Security Advisory",
+        "advisory_id": "CVE-2025-68665",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68665",
+        "severity": "high",
+        "published_date": "2025-12-23"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2025-68665",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68665",
+        "severity": "critical",
+        "published_date": "2025-12-23"
+      }
+    ],
+    "last_updated": "2026-05-26",
+    "discovery_attribution_note": "Manually curated from NVD CVE-2025-68665 (CWE-502) + the LangChain JS GitHub Security Advisory (CNA, CVSS v3.1 8.6). LangChain-JS toJSON() serialization injection — the JavaScript sibling of the Python-side CVE-2025-68664; reuses the LLM-output deserialization trust-zone control NEW-CTRL-064 + AI-tool input-sanitization NEW-CTRL-005.",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "LangChain JS toJSON() did not escape the internal 'lc' marker in free-form data, so attacker data is rehydrated as a framework object on deserialization (CWE-502); fixed in @langchain/core 1.1.8 / langchain 1.2.3."
+  },
+  "CVE-2025-51480": {
+    "name": "ONNX save_external_data Path Traversal Arbitrary File Overwrite",
+    "type": "Path Traversal",
+    "cvss_score": 8.8,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
+    "cvss_note": "NVD CVSS v3.1 base 8.8 (HIGH). ONNX's onnx.external_data_helper.save_external_data does not validate the external_data 'location' field, so loading/saving a crafted ONNX model writes to an attacker-chosen path outside the intended directory (CWE-22 path traversal), overwriting arbitrary files - which in a model-load context can lead to code execution. Requires the victim to process the malicious model (UI:R).",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "Documented in the Gecko Security writeup (https://www.gecko.security/blog/cve-2025-51480) and the advisory (GHSA-6rq9-53c3-f7vj): a crafted external_data.location with ../ traversal causes save_external_data to write outside the model directory.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed via GitHub Security Advisory GHSA-6rq9-53c3-f7vj + Gecko Security, enriched by NVD. The abused surface is ONNX, the de-facto open model-interchange format used across the ML ecosystem.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; the flaw is missing path validation in a model-serialization helper - exploited by delivering a crafted model (a model-supply-chain trigger).",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "Advisory disclosure with a coordinated fix; no confirmed in-the-wild exploitation reported as of curation, and the CVE is not in CISA KEV (verified against the live catalog).",
+    "affected": "ONNX 1.17.0 (onnx.external_data_helper.save_external_data).",
+    "affected_versions": [
+      "ONNX <= 1.17.0"
+    ],
+    "vector": "ONNX's onnx.external_data_helper.save_external_data uses the attacker-controllable external_data 'location' field without canonicalizing or confining it to the model directory, so processing a crafted ONNX model writes external-data tensors to an arbitrary filesystem path (../ traversal or absolute), overwriting arbitrary files (CWE-22) - in a model-load pipeline this can escalate to code execution by overwriting executable or config files.",
+    "complexity": "low",
+    "complexity_notes": "NVD AV:N / AC:L / PR:N / UI:R - the victim must load or re-save the crafted model.",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "Remediation is upgrading to ONNX 1.18.0 or later (fixes in PRs #6959 / #7040); redeploy the environment.",
+    "vendor_update_paths": [
+      "Upgrade ONNX to 1.18.0 or later. Canonicalize and confine the external_data 'location' to the model directory before writing; reject absolute paths and ../ traversal. Treat third-party ONNX models as untrusted input and load them in a sandbox."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-10": "No input validation is applied to the external_data location before the model serializer writes to it (CWE-22).",
+      "NIST-800-53-SR-3": "Supply-chain controls do not treat a third-party ONNX model as untrusted input whose serialized paths can escape the model directory.",
+      "ISO-27001-2022-A.8.28": "Secure coding does not require canonicalization + confinement of model-supplied file paths in the serialization helper.",
+      "NIS2-Art21-network-security": "Article 21 measures do not model an ML model-interchange library as a path-traversal / supply-chain surface.",
+      "DORA-Art-9": "ICT protection measures do not model arbitrary file overwrite via a crafted ML model as an ICT-risk event.",
+      "UK-CAF-B4": "System security objective has no objective for path canonicalization in ML model-serialization libraries.",
+      "AU-ISM-1546": "Patch-application control does not single out ML model-format libraries.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework treats an ML model file's embedded paths as an integrity boundary requiring canonicalization on load/save."
+    },
+    "atlas_refs": [
+      "AML.T0010",
+      "AML.T0011",
+      "AML.T0011.000"
+    ],
+    "attack_refs": [
+      "T1204",
+      "T1059",
+      "T1195.002"
+    ],
+    "rwep_score": 23,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 18,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Moderate-high (RWEP 23, \"patch within 30 days\" band per lib/scoring.js). Not KEV (verified), no confirmed in-the-wild exploitation, patched at 1.18.0 (Hard Rule #3): poc_available=20 + blast_radius=18 (arbitrary file overwrite via a crafted model in the ubiquitous ONNX interchange format - broad reach, but gated on the victim processing the malicious model, UI:R), minus patch_available 15.",
+    "epss_score": 0.00366,
+    "epss_date": "2026-05-26",
+    "epss_note": "FIRST EPSS 0.00366 (59th percentile) as of 2026-05-26.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2025-51480",
+    "cwe_refs": [
+      "CWE-22"
+    ],
+    "iocs": {
+      "behavioral": [
+        "ONNX models whose external_data 'location' field contains ../ traversal sequences or absolute filesystem paths.",
+        "Files written outside the intended model directory during onnx load/save (save_external_data) of a third-party model.",
+        "ONNX <= 1.17.0 processing untrusted third-party models - the exposed precondition."
+      ],
+      "_ioc_source_note": "Behavioral signatures anchored to GHSA-6rq9-53c3-f7vj, the Gecko Security writeup, and NVD CVE-2025-51480 (CWE-22)."
+    },
+    "source_verified": "2026-05-26",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2025-51480",
+      "https://github.com/advisories/GHSA-6rq9-53c3-f7vj"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "GitHub Advisory Database",
+        "advisory_id": "GHSA-6rq9-53c3-f7vj",
+        "url": "https://github.com/advisories/GHSA-6rq9-53c3-f7vj",
+        "severity": "high",
+        "published_date": "2025-07-22"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2025-51480",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-51480",
+        "severity": "high",
+        "published_date": "2025-07-22"
+      }
+    ],
+    "last_updated": "2026-05-26",
+    "discovery_attribution_note": "Manually curated from NVD CVE-2025-51480 (CWE-22) + GitHub Security Advisory GHSA-6rq9-53c3-f7vj + the Gecko Security writeup. ONNX model-interchange-format path traversal (arbitrary file overwrite on model load/save); reuses the AI-runtime-API path-traversal validation control NEW-CTRL-094 (shared with the AnythingLLM upload traversal and Chainlit element file read).",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "ONNX save_external_data does not validate the external_data location, so a crafted model overwrites arbitrary files via path traversal on load/save (CWE-22); fixed in 1.18.0."
   }
 }

package/data/cwe-catalog.json

@@ -114,7 +114,8 @@
       "CVE-2025-8110",
       "CVE-2026-25592",
       "CVE-2026-34926",
-      "CVE-2026-22218"
+      "CVE-2026-22218",
+      "CVE-2025-51480"
     ],
     "framework_controls_partially_addressing": [
       "NIST-800-53-AC-3",
@@ -1373,7 +1374,8 @@
       "CVE-2025-8747",
       "CVE-2026-20131",
       "CVE-2026-20963",
-      "CVE-2026-31229"
+      "CVE-2026-31229",
+      "CVE-2025-68665"
     ],
     "framework_controls_partially_addressing": [
       "NIST-800-53-SI-10",

package/data/framework-control-gaps.json

@@ -120,7 +120,8 @@
       "CVE-2024-12450",
       "CVE-2025-69286",
       "CVE-2026-22218",
-      "CVE-2026-22219"
+      "CVE-2026-22219",
+      "CVE-2025-51480"
     ],
     "atlas_refs": [
       "AML.T0018",
@@ -1315,7 +1316,8 @@
       "CVE-2026-31229",
       "CVE-2026-31230",
       "CVE-2026-33017",
-      "CVE-2026-22218"
+      "CVE-2026-22218",
+      "CVE-2025-51480"
     ],
     "atlas_refs": [
       "AML.T0051",
@@ -2433,7 +2435,8 @@
       "CVE-2026-9082",
       "CVE-2024-12450",
       "CVE-2026-22218",
-      "CVE-2026-22219"
+      "CVE-2026-22219",
+      "CVE-2025-51480"
     ],
     "atlas_refs": [
       "AML.T0053"
@@ -2923,7 +2926,8 @@
       "CVE-2024-3094",
       "CVE-2024-37052",
       "CVE-2024-37060",
-      "MAL-2026-SHAI-HULUD-OSS"
+      "MAL-2026-SHAI-HULUD-OSS",
+      "CVE-2025-51480"
     ],
     "atlas_refs": [
       "AML.T0010"
@@ -5217,7 +5221,8 @@
       "CVE-2024-12450",
       "CVE-2025-69286",
       "CVE-2026-22218",
-      "CVE-2026-22219"
+      "CVE-2026-22219",
+      "CVE-2025-51480"
     ],
     "atlas_refs": [],
     "attack_refs": [
@@ -5812,7 +5817,8 @@
       "MAL-2026-SHAI-HULUD-OSS",
       "CVE-2024-12450",
       "CVE-2026-22218",
-      "CVE-2026-22219"
+      "CVE-2026-22219",
+      "CVE-2025-51480"
     ],
     "atlas_refs": [],
     "attack_refs": [
@@ -5939,7 +5945,8 @@
       "CVE-2024-12450",
       "CVE-2025-69286",
       "CVE-2026-22218",
-      "CVE-2026-22219"
+      "CVE-2026-22219",
+      "CVE-2025-51480"
     ],
     "atlas_refs": [],
     "attack_refs": [
@@ -6284,7 +6291,8 @@
       "CVE-2023-43472",
       "CVE-2025-55319",
       "CVE-2025-68664",
-      "CVE-2026-30623"
+      "CVE-2026-30623",
+      "CVE-2025-68665"
     ],
     "atlas_refs": [
       "AML.T0010",
@@ -6363,7 +6371,8 @@
       "CVE-2026-20182",
       "CVE-2024-12450",
       "CVE-2026-22218",
-      "CVE-2026-22219"
+      "CVE-2026-22219",
+      "CVE-2025-51480"
     ],
     "atlas_refs": [],
     "attack_refs": [
@@ -6591,7 +6600,8 @@
       "CVE-2025-68664",
       "CVE-2025-6965",
       "CVE-2026-22778",
-      "MAL-2025-AI-FOUND-FFMPEG-BIGSLEEP"
+      "MAL-2025-AI-FOUND-FFMPEG-BIGSLEEP",
+      "CVE-2025-68665"
     ],
     "theater_test": {
       "claim": "We are compliant with Art-15 (Accuracy, robustness, and cybersecurity of high-risk AI systems) because we follow the documented requirement: Article 15 — high-risk AI systems must be designed and developed so as to achieve an appropriate level of accuracy, robustness, and cybersecurity throughout their lifecycle. Anchored on the assumption",
@@ -7082,7 +7092,8 @@
     "evidence_cves": [
       "CVE-2025-10725",
       "CVE-2025-55319",
-      "CVE-2025-68664"
+      "CVE-2025-68664",
+      "CVE-2025-68665"
     ],
     "theater_test": {
       "claim": "We are compliant with Annex A.6.2.5 (AI system lifecycle — verification and validation) because we follow the documented requirement: Annex A.6.2.5 — verification and validation across the AI system lifecycle, ensuring intended behaviour is preserved across design, training, deployment, and operations. Anchored on lifecycle-stage ga",
@@ -7111,7 +7122,8 @@
     "opened_at": "2026-05-18",
     "evidence_cves": [
       "CVE-2025-55319",
-      "CVE-2025-68664"
+      "CVE-2025-68664",
+      "CVE-2025-68665"
     ],
     "theater_test": {
       "claim": "We are compliant with LLM01 (Prompt Injection (2023 edition)) because we follow the documented requirement: LLM01:2023 — preventing prompt injection where user-controlled input or third-party content overrides the developer's instructions to the LLM. Anchored on input-sanitisation, prompt-template hardening",
@@ -7139,7 +7151,8 @@
     "status": "open",
     "opened_at": "2026-05-18",
     "evidence_cves": [
-      "CVE-2025-68664"
+      "CVE-2025-68664",
+      "CVE-2025-68665"
     ],
     "theater_test": {
       "claim": "We are compliant with LLM02 (Insecure Output Handling (2023 edition)) because we follow the documented requirement: LLM02:2023 — preventing downstream systems from blindly trusting LLM output where it can produce XSS, SSRF, privilege escalation, or remote code execution. Anchored on treating LLM output as untrusted",

package/data/zeroday-lessons.json

@@ -17236,5 +17236,115 @@
     ],
     "_auto_imported": false,
     "_intake_method": "manual-verified-curation"
+  },
+  "CVE-2025-68665": {
+    "name": "LangChain JS toJSON() 'lc'-Key Serialization Injection",
+    "lesson_date": "2026-05-26",
+    "attack_vector": {
+      "description": "LangChain JS's toJSON() did not escape free-form data carrying the internal 'lc' marker key, so attacker-controlled data is rehydrated as a legitimate framework object on deserialization.",
+      "privileges_required": "none (untrusted serialized input)",
+      "complexity": "low",
+      "ai_factor": "The abused surface is LangChain JS, an LLM-application framework. The lesson: LLM frameworks must treat (de)serialization of untrusted free-form data as a trust boundary and refuse to rehydrate framework-internal object markers from user-derived fields."
+    },
+    "framework_coverage": {
+      "NIST-AI-RMF-MEASURE-2.7": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Serialization round-trip of untrusted data through a framework marker is not in the AI-risk taxonomy."
+      },
+      "OWASP-LLM-Top-10-LLM02": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Insecure output handling — rehydrating attacker data as a framework object."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework treats an LLM framework's (de)serialization of untrusted data as an integrity trust zone."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 81,
+      "basis": "LLM frameworks serialize free-form data through internal markers; trust-zone separation on (de)serialization is rarely audited.",
+      "theater_pattern": "ai_supply_chain_trust"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-064",
+        "name": "LLM-OUTPUT-DESERIALIZATION-TRUST-ZONE",
+        "description": "LLM responses and untrusted free-form data must cross a serialisation trust boundary; frameworks must refuse to rehydrate framework-internal object markers (e.g. LangChain's 'lc' key) from user-derived fields.",
+        "evidence": "CVE-2025-68665 — LangChain JS toJSON()/JSON.stringify did not escape the 'lc' marker in attacker-controlled free-form data.",
+        "gap_closes": [
+          "NIST-AI-RMF-MEASURE-2.7",
+          "EU-AI-Act-Art15",
+          "ISO-IEC-42001-AIMS-A.6.2.5",
+          "OWASP-LLM-Top-10-LLM02"
+        ]
+      },
+      {
+        "id": "NEW-CTRL-005",
+        "name": "AI-TOOL-INPUT-SANITIZATION",
+        "description": "External-source content reaching the LLM / framework serializer must be treated as adversarial; pairs with NEW-CTRL-064 on the output side.",
+        "evidence": "CVE-2025-68665 — untrusted free-form data is the trigger; the (de)serialization trust zone is the closure.",
+        "gap_closes": [
+          "OWASP-LLM-Top-10-LLM01"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
+  "CVE-2025-51480": {
+    "name": "ONNX save_external_data Path Traversal Arbitrary File Overwrite",
+    "lesson_date": "2026-05-26",
+    "attack_vector": {
+      "description": "ONNX's save_external_data writes external-data tensors to the attacker-controllable external_data 'location' without confining it to the model directory, so a crafted model overwrites arbitrary files on load/save.",
+      "privileges_required": "none, but requires the victim to process the malicious model (UI:R)",
+      "complexity": "low",
+      "ai_factor": "The abused surface is ONNX, the de-facto ML model-interchange format. The lesson: a model file's embedded paths are untrusted input - model-serialization libraries must canonicalize and confine any file path a model supplies before touching the filesystem, and third-party models must be loaded as untrusted."
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-10": {
+        "covered": true,
+        "adequate": false,
+        "gap": "No input validation is applied to the model-supplied external_data location before write."
+      },
+      "NIST-800-53-SR-3": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Supply-chain controls do not treat a third-party model's embedded paths as untrusted."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework treats an ML model file's embedded paths as an integrity boundary requiring canonicalization."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 80,
+      "basis": "ML pipelines load third-party ONNX models on trusted-input assumptions; model-embedded file paths are rarely canonicalized before write.",
+      "theater_pattern": "ai_model_supply_chain_path_traversal"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-094",
+        "name": "AI-RUNTIME-API-PATH-TRAVERSAL-VALIDATION",
+        "description": "An AI application or model library's file/path-bearing inputs (upload filenames, model digests, model-embedded external-data locations, element/document paths, API route parameters) must be canonicalized and confined to an allowlisted base directory before any filesystem read or write - including non-ASCII / encoding transforms - and third-party models must be loaded as untrusted. The distinguishing test: process a model/file reference whose path decodes to ../ traversal or an absolute path on a staging instance and confirm it is rejected, not read or written outside the intended directory.",
+        "evidence": "https://github.com/advisories/GHSA-6rq9-53c3-f7vj",
+        "gap_closes": [
+          "NIST-800-53-SI-2",
+          "NIST-800-53-SI-10",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
   }
 }