@blamejs/exceptd-skills 0.13.65 → 0.13.67

package/data/cve-catalog.json

@@ -9351,6 +9351,130 @@
     "_intake_method": "v0.13.17-bulk-cisa-kev-import",
     "_kev_short_description": "Langflow contains a code injection vulnerability that could allow building public flows without requiring authentication."
   },
+  "CVE-2025-34291": {
+    "name": "Langflow Account Takeover + RCE (CORS / refresh-token chain)",
+    "type": "RCE",
+    "cvss_score": 8.8,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
+    "cvss_note": "NVD CVSS v3.1 base 8.8 (HIGH). Vendor / CrowdSec report CVSS v4.0 9.4. PR:L reflects that the code-validation endpoint is authenticated by design; the chain defeats that boundary with stolen tokens, so the effective precondition is only that a logged-in user visits an attacker-controlled page.",
+    "cisa_kev": true,
+    "cisa_kev_date": "2026-05-21",
+    "cisa_kev_due_date": "2026-06-04",
+    "cisa_kev_due_date_note": "CISA KEV remediation deadline — 14 days from the 2026-05-21 listing; verified against the live CISA KEV catalog.",
+    "poc_available": true,
+    "poc_description": "Obsidian Security published a full technical writeup (2025-12-05): overly-permissive CORS (credentialed cross-origin requests from any origin) plus a token-refresh endpoint lacking CSRF protection and issuing SameSite=None cookies lets a malicious page a logged-in victim visits capture a valid token pair, which then reaches the by-design code-validation endpoint for RCE. CrowdSec reports in-the-wild exploitation from 2026-01-23.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Discovered and disclosed by Obsidian Security via conventional web-security research (coordinated disclosure; public writeup 2025-12-05). The target is an AI agent/workflow platform, but the discovery method was not AI-assisted.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization reported; the exploit is a conventional CORS + CSRF + token-replay chain against a web API.",
+    "active_exploitation": "confirmed",
+    "active_exploitation_notes": "CrowdSec observed in-the-wild exploitation beginning 2026-01-23; CISA added the CVE to the KEV catalog on 2026-05-21 (CISA's confirmed-exploitation attestation).",
+    "affected": "Langflow (open-source AI agent / LLM workflow platform, 140k+ GitHub stars) — versions up to and including 1.6.9.",
+    "affected_versions": [
+      "Langflow <= 1.6.9"
+    ],
+    "vector": "Chained account takeover to remote code execution. Langflow <= 1.6.9 sets an overly-permissive CORS policy allowing credentialed requests from any origin, and its token-refresh endpoint lacks CSRF protection while issuing SameSite=None cookies. A logged-in user who visits an attacker-controlled page therefore leaks a valid access/refresh token pair to the attacker, who replays it against the code-validation endpoint that executes submitted code by design. No standing attacker authentication is required.",
+    "complexity": "low",
+    "complexity_notes": "NVD AC:L. Drive-by: a single visit by an authenticated victim to an attacker page. The default configuration of Langflow <= 1.6.9 is exploitable; the Langflow 1.7 default configuration is protected.",
+    "patch_available": true,
+    "patch_required_reboot": true,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "Remediation is a version upgrade (service restart); no live-patch primitive. Langflow 1.7's default configuration is protected. Interim mitigation: restrict CORS to an explicit allow-list and set restrictive SameSite on authentication cookies.",
+    "vendor_update_paths": [
+      "Upgrade to Langflow 1.7 or later (the 1.7 default configuration is protected against this chain).",
+      "Interim mitigation for <= 1.6.9: tighten the CORS allow-origin list to trusted origins only and guard the public code-validation endpoint."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-2": "30-day flaw-remediation SLA is inadequate for a KEV-listed, in-the-wild-exploited RCE. The CISA KEV due date is the operationally-binding clock.",
+      "ISO-27001-2022-A.8.8": "Vulnerability-management clause does not differentiate routinely-disclosed CVEs from actively-exploited KEV-listed ones; KEV listing collapses patch-cycle response to incident-speed response.",
+      "ISO-27001-2022-A.5.7": "Threat-intelligence clause does not require ingesting actively-exploited-AI-tooling advisories (KEV + vendor AI-platform writeups) as a named source; self-hosted AI orchestration platforms are rarely in the asset inventory that threat intel is matched against.",
+      "NIS2-Art21-patch-management": "Article 21 risk-management measures mandate timely patching but set no AI-platform-specific origin-policy / session-boundary control; an essential/important entity running Langflow <= 1.6.9 can be Art-21-conformant on paper yet exposed to this drive-by RCE.",
+      "DORA-Art-9": "ICT protection/prevention measures require access controls but do not reach application-layer CORS origin policy or SameSite cookie posture on self-hosted AI tooling — the exact boundary this chain abuses.",
+      "UK-CAF-B4": "CAF principle B4 (System Security) expects vulnerability remediation but provides no objective for auditing the origin-policy / token-endpoint configuration of code-executing AI-agent platforms.",
+      "AU-ISM-1546": "ISM patch-application control is timeframe-based and product-agnostic; it does not require the CORS allow-list / CSRF posture review that would have closed this chain on Langflow <= 1.6.9.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No major framework treats the AI-orchestration / agent platform itself as an RCE-bearing trust boundary whose compromise grants control of every downstream flow, credential, and model the platform brokers — nor does any audit the application-layer origin policy (CORS) and session-cookie configuration that this chain abuses."
+    },
+    "atlas_refs": [],
+    "attack_refs": [
+      "T1190",
+      "T1539",
+      "T1059"
+    ],
+    "rwep_score": 80,
+    "rwep_factors": {
+      "cisa_kev": 25,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 20,
+      "blast_radius": 25,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 5
+    },
+    "rwep_notes": "P1. KEV-listed with confirmed in-wild exploitation since 2026-01-23 and a public exploit chain. blast_radius=25: compromising an AI-agent/workflow platform yields code execution plus control of the brokered model/tool/credential surface, and Langflow's 140k-star footprint widens exposure. patch_available -15 (upgrade to 1.7). ai_factor=0 (not AI-discovered or AI-weaponized).",
+    "epss_score": null,
+    "epss_date": "2026-05-24",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2025-34291",
+    "cwe_refs": [
+      "CWE-346",
+      "CWE-352",
+      "CWE-942"
+    ],
+    "iocs": {
+      "behavioral": [
+        "Credentialed cross-origin requests (Origin / Referer header outside the deployment's trusted set) to the Langflow token-refresh endpoint — the CORS misconfiguration that enables token theft.",
+        "Access/refresh token pair issued to a session whose refresh call carried a foreign Origin (SameSite=None cookie replayed cross-site) — the account-takeover step.",
+        "Calls to the Langflow code-validation / code-execution endpoint from a session whose token was minted via a cross-origin refresh, or immediately following an anomalous cross-origin refresh — the RCE step.",
+        "Spike in CORS preflight (OPTIONS) and 4xx auth traffic to `/api/v1/*` from origins outside the operator allow-list."
+      ],
+      "payload_content_patterns": [
+        "Requests to the code-validation endpoint carrying executable Python payloads submitted outside the normal flow-builder UI workflow (server-side code execution by design)."
+      ],
+      "supply_chain_entry_vectors": [
+        "Delivery is a malicious or attacker-controlled web page visited by a logged-in Langflow operator (watering-hole or phishing link); no Langflow-side compromise is required to initiate — the victim's authenticated browser session is the entry point.",
+        "Internet-exposed Langflow <= 1.6.9 instances running the default CORS configuration are the exploitable population."
+      ],
+      "_ioc_source_note": "Behavioral signatures derived from the Obsidian Security technical writeup (2025-12-05) and the NVD CVE-2025-34291 mechanism; CrowdSec confirmed in-the-wild exploitation from 2026-01-23. No public packet/payload capture beyond the writeup."
+    },
+    "source_verified": "2026-05-24",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2025-34291",
+      "https://www.obsidiansecurity.com/blog/cve-2025-34291-critical-account-takeover-and-rce-vulnerability-in-the-langflow-ai-agent-workflow-platform",
+      "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
+      "https://www.crowdsec.net/vulntracking-report/cve-2025-34291"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "CISA KEV",
+        "advisory_id": "CVE-2025-34291",
+        "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
+        "severity": "high",
+        "published_date": "2026-05-21"
+      },
+      {
+        "vendor": "Obsidian Security",
+        "advisory_id": null,
+        "url": "https://www.obsidiansecurity.com/blog/cve-2025-34291-critical-account-takeover-and-rce-vulnerability-in-the-langflow-ai-agent-workflow-platform",
+        "severity": "high",
+        "published_date": "2025-12-05"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2025-34291",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-34291",
+        "severity": "high",
+        "published_date": "2025-12-05"
+      }
+    ],
+    "last_updated": "2026-05-24",
+    "discovery_attribution_note": "Manually curated from NVD + Obsidian Security writeup + CISA KEV (added 2026-05-21) + CrowdSec exploitation telemetry. CWE-346 (Origin Validation / CORS) chained with CWE-352 (CSRF) on the token-refresh endpoint and CWE-942 (permissive cross-domain policy). Postdates the v0.13.17 bulk KEV intake (catalog version 2026.05.15).",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Langflow contains an origin validation error vulnerability that could allow account takeover and remote code execution."
+  },
   "CVE-2025-32432": {
     "name": "Craft CMS Code Injection Vulnerability",
     "type": "RCE",

package/data/cwe-catalog.json

@@ -1031,7 +1031,8 @@
       "webapp-security"
     ],
     "evidence_cves": [
-      "CVE-2023-2533"
+      "CVE-2023-2533",
+      "CVE-2025-34291"
     ],
     "framework_controls_partially_addressing": [
       "NIST-800-53-SC-23",
@@ -2959,7 +2960,9 @@
       "CWE-2000"
     ],
     "related_weaknesses": [],
-    "evidence_cves": [],
+    "evidence_cves": [
+      "CVE-2025-34291"
+    ],
     "last_verified": "2026-05-19",
     "notes": "Bulk-imported v0.13.18 from the canonical MITRE Top 25 + commonly-referenced-class expansion.",
     "_auto_imported": true,
@@ -3833,7 +3836,9 @@
       "CWE-2000"
     ],
     "related_weaknesses": [],
-    "evidence_cves": [],
+    "evidence_cves": [
+      "CVE-2025-34291"
+    ],
     "last_verified": "2026-05-19",
     "notes": "Bulk-imported v0.13.18 from the canonical MITRE Top 25 + commonly-referenced-class expansion.",
     "_auto_imported": true,

package/data/framework-control-gaps.json

@@ -33,7 +33,9 @@
     "real_requirement": "AI pipeline integrity controls: (1) model version pinning where API supports it, (2) behavioral test suite with regression alerting, (3) provider changelog monitoring, (4) training pipeline SLSA-equivalent supply chain attestation for self-hosted models.",
     "status": "open",
     "opened_date": "2026-01-01",
-    "evidence_cves": [],
+    "evidence_cves": [
+      "CVE-2025-34291"
+    ],
     "atlas_refs": [
       "AML.T0018",
       "AML.T0020"
@@ -1392,6 +1394,7 @@
       "CVE-2025-33053",
       "CVE-2025-33073",
       "CVE-2025-34026",
+      "CVE-2025-34291",
       "CVE-2025-35939",
       "CVE-2025-37164",
       "CVE-2025-38352",
@@ -1706,6 +1709,7 @@
       "CVE-2025-10585",
       "CVE-2025-1094",
       "CVE-2025-14174",
+      "CVE-2025-34291",
       "CVE-2025-38352",
       "CVE-2025-43300",
       "CVE-2026-31431",
@@ -2305,6 +2309,7 @@
       "CVE-2025-33053",
       "CVE-2025-33073",
       "CVE-2025-34026",
+      "CVE-2025-34291",
       "CVE-2025-35939",
       "CVE-2025-37164",
       "CVE-2025-38352",
@@ -4683,6 +4688,7 @@
     "opened_date": "2026-05-15",
     "evidence_cves": [
       "CVE-2024-21762",
+      "CVE-2025-34291",
       "CVE-2026-0300",
       "CVE-2026-20182",
       "CVE-2026-42897",
@@ -5170,6 +5176,7 @@
     "opened_date": "2026-05-17",
     "evidence_cves": [
       "CVE-2024-21762",
+      "CVE-2025-34291",
       "CVE-2026-46300",
       "CVE-2026-46333",
       "MAL-2026-SHAI-HULUD-OSS"
@@ -5204,6 +5211,7 @@
     "opened_date": "2026-05-17",
     "evidence_cves": [
       "CVE-2024-21762",
+      "CVE-2025-34291",
       "CVE-2026-46300",
       "CVE-2026-46333"
     ],
@@ -5236,6 +5244,7 @@
     "status": "open",
     "opened_date": "2026-05-17",
     "evidence_cves": [
+      "CVE-2025-34291",
       "CVE-2026-46300",
       "CVE-2026-46333"
     ],

package/data/rfc-references.json

@@ -1309,14 +1309,14 @@
     "number": null,
     "draft_id": "draft-ietf-tls-hybrid-design",
     "title": "Hybrid key exchange in TLS 1.3",
-    "status": "Draft",
+    "status": "Informational",
     "tracker": "https://datatracker.ietf.org/doc/draft-ietf-tls-hybrid-design/",
     "relevance": "General-purpose hybrid-KEM design that the ecdhe-mlkem draft instantiates. Operators evaluating the migration story should read both.",
-    "lag_notes": "Companion draft. Status synchronized with draft-ietf-tls-ecdhe-mlkem.",
+    "lag_notes": "IESG-approved (draft-16) for publication as an Informational RFC and in the RFC Editor queue as of mid-2026; RFC number not yet assigned. No longer status-synchronized with draft-ietf-tls-ecdhe-mlkem, which remains an active Standards-Track draft.",
     "skills_referencing": [
       "pqc-first"
     ],
-    "last_verified": "2026-05-19",
+    "last_verified": "2026-05-24",
     "abstract": "IETF Internet-Draft (TLS WG) — design rationale and security analysis for hybrid post-quantum + classical TLS 1.3 handshakes. Defines the wire format, key-derivation chain, and downgrade-resistance properties for hybrid key-exchange. Cited by RFC 9763 (ML-KEM in TLS 1.3) + RFC 9764 (ML-DSA in TLS 1.3) as the architectural foundation."
   },
   "ISO-29147": {

package/data/zeroday-lessons.json

@@ -5933,6 +5933,51 @@
     "_auto_imported": true,
     "_intake_method": "v0.13.17-bulk-cisa-kev-import"
   },
+  "CVE-2025-34291": {
+    "name": "Langflow Account Takeover + RCE (CORS / refresh-token chain)",
+    "lesson_date": "2026-05-24",
+    "attack_vector": {
+      "description": "Overly-permissive CORS plus a CSRF-unprotected token-refresh endpoint (SameSite=None cookies) let a malicious page steal a logged-in Langflow user's token pair, which is replayed against the by-design code-validation endpoint for account takeover and remote code execution.",
+      "privileges_required": "none standing for the attacker — requires only that an authenticated victim visits an attacker-controlled page (drive-by)",
+      "complexity": "low (NVD AC:L; the default configuration of Langflow <= 1.6.9 is exploitable)",
+      "ai_factor": "Not AI-discovered (Obsidian Security, conventional web-security research). The AI-security lesson: an AI agent/workflow orchestration platform is itself an RCE-bearing web trust boundary — compromising it grants control over every model, tool, and credential it brokers. Surfaced by the CISA-KEV poller + advisory feeds after the v0.13.17 bulk intake (KEV catalog 2026.05.15) had already run."
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "30-day flaw-remediation SLA inadequate for a KEV-listed, in-the-wild-exploited RCE; the CISA KEV due date is the binding clock."
+      },
+      "ISO-27001-2022-A.8.8": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Does not differentiate routinely-disclosed CVEs from KEV-listed actively-exploited ones. Also: application-layer origin policy (CORS) and session-cookie configuration — the boundary this chain abuses — is rarely audited on self-hosted AI-agent platforms."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 70,
+      "basis": "Self-hosted AI-platform deployments rarely audit CORS / session-cookie configuration; audit programs check patch SLA and TLS but not application-layer origin policy. Exposure widened by Langflow's 140k-star footprint and the drive-by trigger (victim need only visit a page).",
+      "theater_pattern": "config_drift"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-076",
+        "name": "AI-PLATFORM-ORIGIN-POLICY-AUDIT",
+        "description": "Self-hosted AI agent / LLM workflow platforms that expose a by-design code-execution endpoint (Langflow, Flowise, and similar) must enforce and audit, on every release: an explicit CORS allow-list (no wildcard or credentialed any-origin), CSRF protection on all token/session endpoints, and SameSite=Lax-or-Strict authentication cookies. The platform's session boundary is a remote-code-execution boundary and must be reviewed as one.",
+        "evidence": "https://www.obsidiansecurity.com/blog/cve-2025-34291-critical-account-takeover-and-rce-vulnerability-in-the-langflow-ai-agent-workflow-platform",
+        "gap_closes": [
+          "NIST-800-53-SI-2",
+          "ISO-27001-2022-A.8.8",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
   "CVE-2025-32432": {
     "name": "Craft CMS Code Injection Vulnerability",
     "lesson_date": "2026-05-18",