@blamejs/exceptd-skills 0.13.121 → 0.13.123

package/data/framework-control-gaps.json

@@ -121,7 +121,11 @@
       "CVE-2025-69286",
       "CVE-2026-22218",
       "CVE-2026-22219",
-      "CVE-2025-51480"
+      "CVE-2025-51480",
+      "CVE-2025-10164",
+      "CVE-2026-5760",
+      "CVE-2026-21858",
+      "CVE-2025-68668"
     ],
     "atlas_refs": [
       "AML.T0018",
@@ -1317,7 +1321,11 @@
       "CVE-2026-31230",
       "CVE-2026-33017",
       "CVE-2026-22218",
-      "CVE-2025-51480"
+      "CVE-2025-51480",
+      "CVE-2025-10164",
+      "CVE-2026-5760",
+      "CVE-2026-21858",
+      "CVE-2025-68668"
     ],
     "atlas_refs": [
       "AML.T0051",
@@ -2266,7 +2274,8 @@
     "evidence_cves": [
       "CVE-2024-21626",
       "CVE-2025-22224",
-      "CVE-2025-22225"
+      "CVE-2025-22225",
+      "CVE-2025-68668"
     ],
     "atlas_refs": [],
     "attack_refs": [
@@ -2318,7 +2327,8 @@
       "CVE-2026-34159",
       "CVE-2026-42897",
       "CVE-2024-12450",
-      "CVE-2026-22219"
+      "CVE-2026-22219",
+      "CVE-2026-5760"
     ],
     "atlas_refs": [
       "AML.T0096",
@@ -2436,7 +2446,10 @@
       "CVE-2024-12450",
       "CVE-2026-22218",
       "CVE-2026-22219",
-      "CVE-2025-51480"
+      "CVE-2025-51480",
+      "CVE-2025-10164",
+      "CVE-2026-5760",
+      "CVE-2026-21858"
     ],
     "atlas_refs": [
       "AML.T0053"
@@ -2843,7 +2856,8 @@
       "CVE-2026-46333",
       "CVE-2026-5281",
       "CVE-2026-6973",
-      "CVE-2026-9082"
+      "CVE-2026-9082",
+      "CVE-2025-10164"
     ],
     "atlas_refs": [],
     "attack_refs": [
@@ -2888,7 +2902,8 @@
       "CVE-2026-22778",
       "CVE-2026-32202",
       "CVE-2026-33017",
-      "CVE-2026-33825"
+      "CVE-2026-33825",
+      "CVE-2025-68668"
     ],
     "atlas_refs": [
       "AML.T0017"
@@ -2927,7 +2942,9 @@
       "CVE-2024-37052",
       "CVE-2024-37060",
       "MAL-2026-SHAI-HULUD-OSS",
-      "CVE-2025-51480"
+      "CVE-2025-51480",
+      "CVE-2025-10164",
+      "CVE-2026-5760"
     ],
     "atlas_refs": [
       "AML.T0010"
@@ -5222,7 +5239,11 @@
       "CVE-2025-69286",
       "CVE-2026-22218",
       "CVE-2026-22219",
-      "CVE-2025-51480"
+      "CVE-2025-51480",
+      "CVE-2025-10164",
+      "CVE-2026-5760",
+      "CVE-2026-21858",
+      "CVE-2025-68668"
     ],
     "atlas_refs": [],
     "attack_refs": [
@@ -5274,7 +5295,9 @@
       "CVE-2026-7482",
       "CVE-2025-69286",
       "CVE-2026-22218",
-      "CVE-2026-22219"
+      "CVE-2026-22219",
+      "CVE-2026-21858",
+      "CVE-2025-68668"
     ],
     "atlas_refs": [
       "AML.T0051"
@@ -5818,7 +5841,11 @@
       "CVE-2024-12450",
       "CVE-2026-22218",
       "CVE-2026-22219",
-      "CVE-2025-51480"
+      "CVE-2025-51480",
+      "CVE-2025-10164",
+      "CVE-2026-5760",
+      "CVE-2026-21858",
+      "CVE-2025-68668"
     ],
     "atlas_refs": [],
     "attack_refs": [
@@ -5946,7 +5973,11 @@
       "CVE-2025-69286",
       "CVE-2026-22218",
       "CVE-2026-22219",
-      "CVE-2025-51480"
+      "CVE-2025-51480",
+      "CVE-2025-10164",
+      "CVE-2026-5760",
+      "CVE-2026-21858",
+      "CVE-2025-68668"
     ],
     "atlas_refs": [],
     "attack_refs": [
@@ -6372,7 +6403,11 @@
       "CVE-2024-12450",
       "CVE-2026-22218",
       "CVE-2026-22219",
-      "CVE-2025-51480"
+      "CVE-2025-51480",
+      "CVE-2025-10164",
+      "CVE-2026-5760",
+      "CVE-2026-21858",
+      "CVE-2025-68668"
     ],
     "atlas_refs": [],
     "attack_refs": [

package/data/zeroday-lessons.json

@@ -17346,5 +17346,205 @@
     ],
     "_auto_imported": false,
     "_intake_method": "manual-verified-curation"
+  },
+  "CVE-2025-10164": {
+    "name": "SGLang update_weights_from_tensor Unsafe Deserialization RCE",
+    "lesson_date": "2026-05-26",
+    "attack_vector": {
+      "description": "SGLang's update_weights_from_tensor deserializes attacker-controllable serialized-object tensor data, so a deployment exposing the weight-update path to untrusted input executes arbitrary code.",
+      "privileges_required": "none where the weight-update path accepts untrusted input",
+      "complexity": "low",
+      "ai_factor": "The abused surface is SGLang, an LLM serving framework. The lesson: model-weight tensors fed to a serving framework are untrusted code - never deserialize untrusted serialized objects; use a safe tensor format and restrict the weight-update path."
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-10": {
+        "covered": true,
+        "adequate": false,
+        "gap": "No input validation is applied to the serialized-object tensor data before deserialization."
+      },
+      "NIST-800-53-SR-3": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Supply-chain controls do not treat model-weight tensors as untrusted code."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework treats a serving framework's weight-update input as an integrity boundary requiring a safe (non-deserializing) format."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 80,
+      "basis": "LLM serving frameworks accept model weights over internal paths on trusted assumptions; unsafe object deserialization persists.",
+      "theater_pattern": "ai_serving_unsafe_deserialization"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-091",
+        "name": "UNTRUSTED-MODEL-ARTIFACT-LOADING",
+        "description": "Treat ML model artifacts and model-weight tensors as untrusted code: never deserialize / load serialized-object artifacts from untrusted sources, prefer safe formats (e.g. safetensors), verify provenance, and restrict weight-update / model-load paths to trusted callers in a sandboxed, least-privilege environment. The distinguishing test: send a crafted serialized-object payload to the weight-update path on a sandboxed instance and confirm no code executes.",
+        "evidence": "https://github.com/advisories/GHSA-9w53-xr52-mwgj",
+        "gap_closes": [
+          "NIST-800-53-SI-2",
+          "NIST-800-53-SI-10",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
+  "CVE-2026-5760": {
+    "name": "SGLang /v1/rerank Malicious-Model Jinja2 Template-Injection RCE",
+    "lesson_date": "2026-05-26",
+    "attack_vector": {
+      "description": "SGLang renders a model-supplied tokenizer.chat_template with a non-sandboxed jinja2.Environment at the /v1/rerank endpoint, so a malicious model's template expression executes arbitrary code.",
+      "privileges_required": "none (unauthenticated rerank request loading a malicious model)",
+      "complexity": "low",
+      "ai_factor": "The abused surface is SGLang, an LLM serving framework. The lesson: a model-supplied chat template is untrusted code - render it only in a sandboxed jinja2 environment (ImmutableSandboxedEnvironment), never the default Environment."
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-10": {
+        "covered": true,
+        "adequate": false,
+        "gap": "No sandboxing is applied to the model-supplied chat template before rendering."
+      },
+      "NIST-800-53-SC-7": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Boundary protection does not isolate the template-rendering path an unauthenticated request reaches."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework treats a model-supplied chat template as untrusted code requiring a sandboxed renderer."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 82,
+      "basis": "LLM serving frameworks render model-supplied chat templates with default (non-sandboxed) jinja2; template-injection via malicious models is rarely audited.",
+      "theater_pattern": "ai_model_template_injection"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-110",
+        "name": "AI-MODEL-TEMPLATE-RENDERING-SANDBOX",
+        "description": "An LLM serving framework that renders model-supplied templates (jinja2 chat_template, prompt templates, tokenizer config) must render them in a sandboxed environment - jinja2's ImmutableSandboxedEnvironment, never the default jinja2.Environment() - and treat third-party model files (incl. GGUF) as untrusted. The distinguishing test: load a model whose chat_template embeds a Jinja2 expression that reaches builtins/os on a staging instance and confirm rendering is refused, not executed - a framework that renders model templates with the default environment is exploitable for server-side template-injection RCE.",
+        "evidence": "https://kb.cert.org/vuls/id/915947",
+        "gap_closes": [
+          "NIST-800-53-SI-10",
+          "NIST-800-53-SC-7",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
+  "CVE-2026-21858": {
+    "name": "n8n Form-Based Unauthenticated Arbitrary File Access",
+    "lesson_date": "2026-05-26",
+    "attack_vector": {
+      "description": "n8n exposes form-based actions that reach a server file-access path without authentication or path confinement, so an unauthenticated attacker reads arbitrary server files.",
+      "privileges_required": "none (unauthenticated)",
+      "complexity": "low",
+      "ai_factor": "The abused surface is n8n, an AI-workflow / automation platform. The lesson: every form/automation action that can reach the filesystem must be authenticated and its path confined - workflow platforms are high-value because their workflows hold credentials."
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-10": {
+        "covered": true,
+        "adequate": false,
+        "gap": "No input validation confines the file path reached by the form-based action."
+      },
+      "NIST-800-53-AC-3": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Access enforcement does not require authentication on a path that reaches server files."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework treats a workflow platform's form-action file path as an integrity boundary requiring auth + confinement."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 79,
+      "basis": "Workflow-automation platforms expose form/automation actions on trusted-network assumptions; path confinement + auth on file-reaching actions are rarely audited.",
+      "theater_pattern": "ai_workflow_unauth_file_access"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-094",
+        "name": "AI-RUNTIME-API-PATH-TRAVERSAL-VALIDATION",
+        "description": "An AI application or workflow platform's file/path-bearing inputs (upload filenames, model-embedded paths, element/document paths, form-action paths, API route parameters) must be authenticated, canonicalized, and confined to an allowlisted base directory before any filesystem access - including non-ASCII / encoding transforms. The distinguishing test: send an unauthenticated request whose path decodes to ../ traversal or an absolute path on a staging instance and confirm it is refused, not read or written outside the intended directory.",
+        "evidence": "https://nvd.nist.gov/vuln/detail/CVE-2026-21858",
+        "gap_closes": [
+          "NIST-800-53-SI-2",
+          "NIST-800-53-SI-10",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
+  "CVE-2025-68668": {
+    "name": "n8n Python Code Node Pyodide Sandbox Bypass RCE",
+    "lesson_date": "2026-05-26",
+    "attack_vector": {
+      "description": "n8n's Python Code Node runs user code in a Pyodide sandbox that is bypassable, so an authenticated workflow editor escapes it and executes code with host privileges.",
+      "privileges_required": "low (authenticated user who can edit workflows)",
+      "complexity": "low",
+      "ai_factor": "The abused surface is n8n's code node, in an AI-workflow / automation builder. The lesson: a visual builder's code node is a code-execution sink - it must run in a non-bypassable, host-isolated sandbox, and workflow-edit permission must be tightly scoped."
+    },
+    "framework_coverage": {
+      "NIST-800-53-AC-3": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Access enforcement does not contain the code node to its sandbox."
+      },
+      "NIST-800-53-SI-3": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Malicious-code protection does not stop a sandbox bypass in the code node."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework treats a workflow builder's code node as a code-execution sink requiring a non-bypassable sandbox."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 81,
+      "basis": "Visual workflow builders ship code nodes with in-process sandboxes (Pyodide/vm) that are bypassable; sandbox non-bypassability is rarely audited.",
+      "theater_pattern": "ai_app_builder_code_node_sandbox_escape"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-103",
+        "name": "AI-APP-BUILDER-EXECUTION-ENDPOINT-AUTH-AND-SANDBOX",
+        "description": "A visual LLM app/agent/workflow builder (Langflow, Flowise, Dify, n8n, and similar) must authenticate every endpoint that can reach a code-execution path and must never run flow/workflow-supplied code through a dynamic-evaluation path with host privileges. Sandbox any code the platform executes on a user's behalf in a non-bypassable, host-isolated environment (no filesystem/network/process access beyond intent), and scope workflow-edit permission tightly. The distinguishing test: run a code node that attempts a host action (shell/network/filesystem) on a staging instance and confirm the sandbox refuses it - an in-process sandbox (Pyodide/vm) that is bypassable still permits RCE.",
+        "evidence": "https://nvd.nist.gov/vuln/detail/CVE-2025-68668",
+        "gap_closes": [
+          "NIST-800-53-AC-3",
+          "NIST-800-53-SI-3",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
   }
 }