@blamejs/exceptd-skills 0.13.77 → 0.13.78

package/data/attack-techniques.json

@@ -269,13 +269,17 @@
       "DS0017"
     ],
     "cve_refs": [
+      "CVE-2024-50050",
       "CVE-2025-1094",
       "CVE-2025-11837",
+      "CVE-2025-23254",
+      "CVE-2025-30165",
       "CVE-2025-34291",
       "CVE-2025-49596",
       "CVE-2025-53773",
       "CVE-2025-54136",
       "CVE-2025-55319",
+      "CVE-2025-60455",
       "CVE-2025-68664",
       "CVE-2026-22252",
       "CVE-2026-22688",
@@ -827,6 +831,7 @@
       "CVE-2024-21762",
       "CVE-2024-37079",
       "CVE-2024-43468",
+      "CVE-2024-50050",
       "CVE-2024-56145",
       "CVE-2024-57726",
       "CVE-2024-7694",
@@ -857,6 +862,7 @@
       "CVE-2025-2775",
       "CVE-2025-2776",
       "CVE-2025-29635",
+      "CVE-2025-30165",
       "CVE-2025-30397",
       "CVE-2025-31125",
       "CVE-2025-32432",

package/data/cve-catalog.json

@@ -10694,6 +10694,408 @@
     "_intake_method": "manual-verified-curation",
     "_kev_short_description": "Drupal core's database abstraction layer fails to neutralize special elements in a PostgreSQL query condition handler reachable via JSON:API, allowing unauthenticated SQL injection; actively exploited (CISA KEV 2026-05-22, due 2026-05-27); fixed in SA-CORE-2026-004 releases."
   },
+  "CVE-2025-23254": {
+    "name": "NVIDIA TensorRT-LLM Python Executor Deserialization RCE (ShadowMQ)",
+    "type": "RCE",
+    "cvss_score": 8.8,
+    "cvss_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
+    "cvss_note": "NVIDIA/NVD CVSS v3.1 base 8.8 (HIGH, Scope:Changed). Insecure deserialization in the TensorRT-LLM Python executor.",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "Documented in Oligo Security's ShadowMQ research (code reuse spread an insecure ZeroMQ recv_pyobj deserialization pattern across AI inference engines) and the project advisory: an attacker who reaches the deserialization channel supplies a crafted payload that executes code.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed by Oligo Security (ShadowMQ research). The abused surface is the IPC/socket layer of an AI inference engine; the propagation mechanism is copy-paste code reuse of an insecure deserialization pattern across projects.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; classic CWE-502 insecure deserialization, notable for spreading via code reuse across the AI inference ecosystem.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "Research disclosure (Oligo ShadowMQ); no confirmed in-the-wild exploitation reported as of curation.",
+    "affected": "NVIDIA TensorRT-LLM prior to 0.18.2.",
+    "affected_versions": [
+      "NVIDIA TensorRT-LLM < 0.18.2"
+    ],
+    "vector": "NVIDIA TensorRT-LLM's Python executor deserializes untrusted pickle data received over its ZeroMQ socket without validation (CWE-502). An attacker with local access to the TRT-LLM server can supply a crafted payload that executes code, discloses information, or tampers with data.",
+    "complexity": "low",
+    "complexity_notes": "NVD AC:L. Reachability: local (per the CVSS vector).",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "Remediation is an application upgrade to 0.18.2 or later; redeploy, no host reboot.",
+    "vendor_update_paths": [
+      "Upgrade NVIDIA TensorRT-LLM to 0.18.2 or later. Restrict local access to the TRT-LLM server and isolate its ZeroMQ socket."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-2": "Flaw-remediation cadence does not track AI inference engines and their IPC/socket serialization layers as managed, RCE-bearing software, nor account for the same flaw recurring across projects via code reuse.",
+      "NIST-800-53-SI-10": "Input-validation control is not applied to data deserialized from an inference engine's internal socket; the unsafe serializer is treated as trusted.",
+      "ISO-27001-2022-A.8.8": "Vulnerability management rarely enumerates an AI inference engine's deserialization channel as an injection surface.",
+      "NIS2-Art21-patch-management": "Article 21 measures do not reach AI-inference IPC deserialization as a privileged execution control plane.",
+      "DORA-Art-9": "ICT protection measures do not model insecure deserialization in an AI inference engine as an ICT-risk event.",
+      "UK-CAF-B4": "System Security objective has no objective for validating data deserialized from an inference engine's socket.",
+      "AU-ISM-1546": "Patch-application control does not single out AI inference engines, nor the code-reuse propagation of one flaw across many.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework treats an inference engine's socket serialization as untrusted input requiring a safe serializer; code reuse spread the same CWE-502 across vLLM, TensorRT-LLM, Llama Stack and Modular Max."
+    },
+    "atlas_refs": [],
+    "attack_refs": [
+      "T1059"
+    ],
+    "rwep_score": 29,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 24,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Standard (RWEP 29, \"patch within 30 days\" band per lib/scoring.js timeline). Not KEV, no confirmed in-the-wild exploitation, patched at/after disclosure (Hard Rule #3). poc_available=20 (Oligo ShadowMQ technique) + blast_radius=24 minus patch 15.",
+    "epss_score": null,
+    "epss_date": "2026-05-25",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2025-23254",
+    "cwe_refs": [
+      "CWE-502"
+    ],
+    "iocs": {
+      "behavioral": [
+        "NVIDIA deserializing data received over a ZeroMQ / IPC socket from an untrusted or unexpected peer.",
+        "Inbound connections to the inference engine's internal serialization socket from outside the trusted node set.",
+        "Python subprocess or interpreter activity spawned during deserialization of socket data.",
+        "Affected version present: NVIDIA TensorRT-LLM < 0.18.2 — the exposed precondition."
+      ],
+      "_ioc_source_note": "Behavioral signatures derived from NVD CVE-2025-23254 (CWE-502 insecure deserialization) and Oligo Security's ShadowMQ research (https://www.oligo.security/blog/shadowmq-how-code-reuse-spread-critical-vulnerabilities-across-the-ai-ecosystem) describing the recv_pyobj code-reuse pattern."
+    },
+    "source_verified": "2026-05-25",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2025-23254",
+      "https://www.oligo.security/blog/shadowmq-how-code-reuse-spread-critical-vulnerabilities-across-the-ai-ecosystem"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "NVIDIA Product Security",
+        "advisory_id": "NVIDIA-5648",
+        "url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5648",
+        "severity": "high",
+        "published_date": "2025-05-01"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2025-23254",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-23254",
+        "severity": "high",
+        "published_date": "2025-05-01"
+      }
+    ],
+    "last_updated": "2026-05-25",
+    "discovery_attribution_note": "Manually curated from NVD (CWE-502; NIST CVSS 8.8) + Oligo Security's ShadowMQ research. Member of the ShadowMQ code-reuse family (insecure deserialization over ZeroMQ propagated across AI inference engines).",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "NVIDIA TensorRT-LLM's Python executor deserializes untrusted data over its ZeroMQ socket, letting a local attacker execute code; part of the ShadowMQ code-reuse family; fixed in 0.18.2."
+  },
+  "CVE-2025-30165": {
+    "name": "vLLM V0 Engine ZeroMQ Deserialization RCE (ShadowMQ)",
+    "type": "RCE",
+    "cvss_score": 8,
+    "cvss_vector": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
+    "cvss_note": "NVD CVSS v3.1 base 8.0 (HIGH, AV:Adjacent). Unsafe deserialization over ZeroMQ in multi-node V0-engine deployments.",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "Documented in Oligo Security's ShadowMQ research (code reuse spread an insecure ZeroMQ recv_pyobj deserialization pattern across AI inference engines) and the project advisory: an attacker who reaches the deserialization channel supplies a crafted payload that executes code.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed by Oligo Security (ShadowMQ research). The abused surface is the IPC/socket layer of an AI inference engine; the propagation mechanism is copy-paste code reuse of an insecure deserialization pattern across projects.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; classic CWE-502 insecure deserialization, notable for spreading via code reuse across the AI inference ecosystem.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "Research disclosure (Oligo ShadowMQ); no confirmed in-the-wild exploitation reported as of curation.",
+    "affected": "vLLM 0.5.2 and later when the legacy V0 engine is used in multi-node deployments. The maintainers did not ship a code patch; the V0 engine is off by default since 0.8.0, which is the recommended mitigation.",
+    "affected_versions": [
+      "vLLM >= 0.5.2 (V0 engine, multi-node)"
+    ],
+    "vector": "vLLM's legacy V0 engine deserializes untrusted pickle data received over a ZeroMQ socket in multi-node deployments (CWE-502). An adjacent-network attacker who can reach the socket executes arbitrary code on the vLLM worker.",
+    "complexity": "low",
+    "complexity_notes": "NVD AC:L. Reachability: adjacent (per the CVSS vector).",
+    "patch_available": false,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "No code patch shipped; mitigate via the project's recommended configuration (see vendor_update_paths) and network isolation of the deserialization channel.",
+    "vendor_update_paths": [
+      "Do not enable the legacy V0 engine; it is off by default since vLLM 0.8.0 and that default is the recommended mitigation. If V0 multi-node is required, isolate the ZeroMQ socket on a trusted network segment."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-2": "Flaw-remediation cadence does not track AI inference engines and their IPC/socket serialization layers as managed, RCE-bearing software, nor account for the same flaw recurring across projects via code reuse.",
+      "NIST-800-53-SI-10": "Input-validation control is not applied to data deserialized from an inference engine's internal socket; the unsafe serializer is treated as trusted.",
+      "ISO-27001-2022-A.8.8": "Vulnerability management rarely enumerates an AI inference engine's deserialization channel as an injection surface.",
+      "NIS2-Art21-patch-management": "Article 21 measures do not reach AI-inference IPC deserialization as a privileged execution control plane.",
+      "DORA-Art-9": "ICT protection measures do not model insecure deserialization in an AI inference engine as an ICT-risk event.",
+      "UK-CAF-B4": "System Security objective has no objective for validating data deserialized from an inference engine's socket.",
+      "AU-ISM-1546": "Patch-application control does not single out AI inference engines, nor the code-reuse propagation of one flaw across many.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework treats an inference engine's socket serialization as untrusted input requiring a safe serializer; code reuse spread the same CWE-502 across vLLM, TensorRT-LLM, Llama Stack and Modular Max."
+    },
+    "atlas_refs": [],
+    "attack_refs": [
+      "T1190",
+      "T1059"
+    ],
+    "rwep_score": 46,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 26,
+      "patch_available": 0,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Elevated (RWEP 46, \"patch within 7 days\" band per lib/scoring.js timeline). Not KEV, no confirmed in-the-wild exploitation, no code patch shipped. poc_available=20 (Oligo ShadowMQ technique) + blast_radius=26.",
+    "epss_score": null,
+    "epss_date": "2026-05-25",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2025-30165",
+    "cwe_refs": [
+      "CWE-502"
+    ],
+    "iocs": {
+      "behavioral": [
+        "vLLM deserializing data received over a ZeroMQ / IPC socket from an untrusted or unexpected peer.",
+        "Inbound connections to the inference engine's internal serialization socket from outside the trusted node set.",
+        "Python subprocess or interpreter activity spawned during deserialization of socket data.",
+        "Affected version present: vLLM >= 0.5.2 (V0 engine, multi-node) — the exposed precondition."
+      ],
+      "_ioc_source_note": "Behavioral signatures derived from NVD CVE-2025-30165 (CWE-502 insecure deserialization) and Oligo Security's ShadowMQ research (https://www.oligo.security/blog/shadowmq-how-code-reuse-spread-critical-vulnerabilities-across-the-ai-ecosystem) describing the recv_pyobj code-reuse pattern."
+    },
+    "source_verified": "2026-05-25",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2025-30165",
+      "https://www.oligo.security/blog/shadowmq-how-code-reuse-spread-critical-vulnerabilities-across-the-ai-ecosystem"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "GitHub Security Advisory",
+        "advisory_id": "CVE-2025-30165",
+        "url": "https://github.com/vllm-project/vllm/security/advisories/GHSA-9pcc-gvx5-r5wm",
+        "severity": "high",
+        "published_date": "2025-05-06"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2025-30165",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-30165",
+        "severity": "high",
+        "published_date": "2025-05-06"
+      }
+    ],
+    "last_updated": "2026-05-25",
+    "discovery_attribution_note": "Manually curated from NVD (CWE-502; NIST CVSS 8) + Oligo Security's ShadowMQ research. Member of the ShadowMQ code-reuse family (insecure deserialization over ZeroMQ propagated across AI inference engines).",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "vLLM's legacy V0 engine deserializes untrusted data over ZeroMQ in multi-node deployments, allowing adjacent-network RCE; no code patch shipped — the V0 engine is off by default since 0.8.0; part of the ShadowMQ code-reuse family."
+  },
+  "CVE-2024-50050": {
+    "name": "Meta Llama Stack Socket Deserialization RCE (ShadowMQ)",
+    "type": "RCE",
+    "cvss_score": 6.3,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
+    "cvss_note": "NVD CISA-ADP CVSS v3.1 base 6.3 (MEDIUM); Oligo and Snyk originally scored the same flaw 9.3 (CRITICAL) — a documented CVSS dispute. The serialization format was replaced with JSON in the fix.",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "Documented in Oligo Security's ShadowMQ research (code reuse spread an insecure ZeroMQ recv_pyobj deserialization pattern across AI inference engines) and the project advisory: an attacker who reaches the deserialization channel supplies a crafted payload that executes code.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed by Oligo Security (ShadowMQ research). The abused surface is the IPC/socket layer of an AI inference engine; the propagation mechanism is copy-paste code reuse of an insecure deserialization pattern across projects.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; classic CWE-502 insecure deserialization, notable for spreading via code reuse across the AI inference ecosystem.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "Research disclosure (Oligo ShadowMQ); no confirmed in-the-wild exploitation reported as of curation.",
+    "affected": "Meta Llama Stack prior to the JSON-migration revision 7a8aa775e5a267cf8660d83140011a0b7f91e005 (released as 0.0.41).",
+    "affected_versions": [
+      "Meta Llama Stack < 0.0.41"
+    ],
+    "vector": "Meta Llama Stack used pickle as the serialization format for socket communication and deserialized untrusted data without validation (CWE-502), allowing a network attacker who reaches the socket to execute code. The fix replaced the unsafe format with JSON.",
+    "complexity": "low",
+    "complexity_notes": "NVD AC:L. Reachability: network (per the CVSS vector).",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "Remediation is an application upgrade to 0.0.41 or later; redeploy, no host reboot.",
+    "vendor_update_paths": [
+      "Upgrade Meta Llama Stack to 0.0.41 or later (serialization migrated to JSON). Isolate the inference socket on a trusted network segment."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-2": "Flaw-remediation cadence does not track AI inference engines and their IPC/socket serialization layers as managed, RCE-bearing software, nor account for the same flaw recurring across projects via code reuse.",
+      "NIST-800-53-SI-10": "Input-validation control is not applied to data deserialized from an inference engine's internal socket; the unsafe serializer is treated as trusted.",
+      "ISO-27001-2022-A.8.8": "Vulnerability management rarely enumerates an AI inference engine's deserialization channel as an injection surface.",
+      "NIS2-Art21-patch-management": "Article 21 measures do not reach AI-inference IPC deserialization as a privileged execution control plane.",
+      "DORA-Art-9": "ICT protection measures do not model insecure deserialization in an AI inference engine as an ICT-risk event.",
+      "UK-CAF-B4": "System Security objective has no objective for validating data deserialized from an inference engine's socket.",
+      "AU-ISM-1546": "Patch-application control does not single out AI inference engines, nor the code-reuse propagation of one flaw across many.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework treats an inference engine's socket serialization as untrusted input requiring a safe serializer; code reuse spread the same CWE-502 across vLLM, TensorRT-LLM, Llama Stack and Modular Max."
+    },
+    "atlas_refs": [],
+    "attack_refs": [
+      "T1190",
+      "T1059"
+    ],
+    "rwep_score": 27,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 22,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Standard (RWEP 27, \"patch within 30 days\" band per lib/scoring.js timeline). Not KEV, no confirmed in-the-wild exploitation, patched at/after disclosure (Hard Rule #3). poc_available=20 (Oligo ShadowMQ technique) + blast_radius=22 minus patch 15.",
+    "epss_score": null,
+    "epss_date": "2026-05-25",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2024-50050",
+    "cwe_refs": [
+      "CWE-502"
+    ],
+    "iocs": {
+      "behavioral": [
+        "Meta deserializing data received over a ZeroMQ / IPC socket from an untrusted or unexpected peer.",
+        "Inbound connections to the inference engine's internal serialization socket from outside the trusted node set.",
+        "Python subprocess or interpreter activity spawned during deserialization of socket data.",
+        "Affected version present: Meta Llama Stack < 0.0.41 — the exposed precondition."
+      ],
+      "_ioc_source_note": "Behavioral signatures derived from NVD CVE-2024-50050 (CWE-502 insecure deserialization) and Oligo Security's ShadowMQ research (https://www.oligo.security/blog/shadowmq-how-code-reuse-spread-critical-vulnerabilities-across-the-ai-ecosystem) describing the recv_pyobj code-reuse pattern."
+    },
+    "source_verified": "2026-05-25",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2024-50050",
+      "https://www.oligo.security/blog/shadowmq-how-code-reuse-spread-critical-vulnerabilities-across-the-ai-ecosystem"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "GitHub Security Advisory",
+        "advisory_id": "CVE-2024-50050",
+        "url": "https://github.com/meta-llama/llama-stack/security/advisories",
+        "severity": "medium",
+        "published_date": "2024-10-23"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2024-50050",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-50050",
+        "severity": "medium",
+        "published_date": "2024-10-23"
+      }
+    ],
+    "last_updated": "2026-05-25",
+    "discovery_attribution_note": "Manually curated from NVD (CWE-502; NIST CVSS 6.3) + Oligo Security's ShadowMQ research. Member of the ShadowMQ code-reuse family (insecure deserialization over ZeroMQ propagated across AI inference engines).",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Meta Llama Stack used an unsafe socket serialization format and deserialized untrusted data, allowing network RCE; fixed by migrating to JSON in 0.0.41; the seed of the ShadowMQ code-reuse family."
+  },
+  "CVE-2025-60455": {
+    "name": "Modular Max Server KVCache-Agent Deserialization RCE (ShadowMQ)",
+    "type": "RCE",
+    "cvss_score": 8.4,
+    "cvss_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+    "cvss_note": "NVD CVSS v3.1 base 8.4 (HIGH). Unsafe deserialization reachable when --experimental-enable-kvcache-agent is enabled.",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "Documented in Oligo Security's ShadowMQ research (code reuse spread an insecure ZeroMQ recv_pyobj deserialization pattern across AI inference engines) and the project advisory: an attacker who reaches the deserialization channel supplies a crafted payload that executes code.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed by Oligo Security (ShadowMQ research). The abused surface is the IPC/socket layer of an AI inference engine; the propagation mechanism is copy-paste code reuse of an insecure deserialization pattern across projects.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; classic CWE-502 insecure deserialization, notable for spreading via code reuse across the AI inference ecosystem.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "Research disclosure (Oligo ShadowMQ); no confirmed in-the-wild exploitation reported as of curation.",
+    "affected": "Modular Max Server before 25.6.0 when the --experimental-enable-kvcache-agent feature is enabled.",
+    "affected_versions": [
+      "Modular Max Server < 25.6.0 (kvcache-agent enabled)"
+    ],
+    "vector": "Modular Max Server deserializes untrusted pickle data over its inter-process channel when the experimental KVCache agent is enabled (CWE-502), allowing arbitrary code execution on the server.",
+    "complexity": "low",
+    "complexity_notes": "NVD AC:L. Reachability: local (per the CVSS vector).",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "Remediation is an application upgrade to 25.6.0 or later; redeploy, no host reboot.",
+    "vendor_update_paths": [
+      "Upgrade Modular Max Server to 25.6.0 or later. Until then, do not run with --experimental-enable-kvcache-agent."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-2": "Flaw-remediation cadence does not track AI inference engines and their IPC/socket serialization layers as managed, RCE-bearing software, nor account for the same flaw recurring across projects via code reuse.",
+      "NIST-800-53-SI-10": "Input-validation control is not applied to data deserialized from an inference engine's internal socket; the unsafe serializer is treated as trusted.",
+      "ISO-27001-2022-A.8.8": "Vulnerability management rarely enumerates an AI inference engine's deserialization channel as an injection surface.",
+      "NIS2-Art21-patch-management": "Article 21 measures do not reach AI-inference IPC deserialization as a privileged execution control plane.",
+      "DORA-Art-9": "ICT protection measures do not model insecure deserialization in an AI inference engine as an ICT-risk event.",
+      "UK-CAF-B4": "System Security objective has no objective for validating data deserialized from an inference engine's socket.",
+      "AU-ISM-1546": "Patch-application control does not single out AI inference engines, nor the code-reuse propagation of one flaw across many.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework treats an inference engine's socket serialization as untrusted input requiring a safe serializer; code reuse spread the same CWE-502 across vLLM, TensorRT-LLM, Llama Stack and Modular Max."
+    },
+    "atlas_refs": [],
+    "attack_refs": [
+      "T1059"
+    ],
+    "rwep_score": 23,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 18,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Standard (RWEP 23, \"patch within 30 days\" band per lib/scoring.js timeline). Not KEV, no confirmed in-the-wild exploitation, patched at/after disclosure (Hard Rule #3). poc_available=20 (Oligo ShadowMQ technique) + blast_radius=18 minus patch 15.",
+    "epss_score": null,
+    "epss_date": "2026-05-25",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2025-60455",
+    "cwe_refs": [
+      "CWE-502"
+    ],
+    "iocs": {
+      "behavioral": [
+        "Modular deserializing data received over a ZeroMQ / IPC socket from an untrusted or unexpected peer.",
+        "Inbound connections to the inference engine's internal serialization socket from outside the trusted node set.",
+        "Python subprocess or interpreter activity spawned during deserialization of socket data.",
+        "Affected version present: Modular Max Server < 25.6.0 (kvcache-agent enabled) — the exposed precondition."
+      ],
+      "_ioc_source_note": "Behavioral signatures derived from NVD CVE-2025-60455 (CWE-502 insecure deserialization) and Oligo Security's ShadowMQ research (https://www.oligo.security/blog/shadowmq-how-code-reuse-spread-critical-vulnerabilities-across-the-ai-ecosystem) describing the recv_pyobj code-reuse pattern."
+    },
+    "source_verified": "2026-05-25",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2025-60455",
+      "https://www.oligo.security/blog/shadowmq-how-code-reuse-spread-critical-vulnerabilities-across-the-ai-ecosystem"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "GitHub Security Advisory",
+        "advisory_id": "CVE-2025-60455",
+        "url": "https://github.com/modular/modular/security/advisories",
+        "severity": "high",
+        "published_date": "2025-11-18"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2025-60455",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-60455",
+        "severity": "high",
+        "published_date": "2025-11-18"
+      }
+    ],
+    "last_updated": "2026-05-25",
+    "discovery_attribution_note": "Manually curated from NVD (CWE-502; NIST CVSS 8.4) + Oligo Security's ShadowMQ research. Member of the ShadowMQ code-reuse family (insecure deserialization over ZeroMQ propagated across AI inference engines).",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Modular Max Server deserializes untrusted data when the experimental KVCache agent is enabled, allowing code execution; part of the ShadowMQ code-reuse family; fixed in 25.6.0."
+  },
   "CVE-2026-41091": {
     "name": "Microsoft Defender (Malware Protection Engine) Link-Following LPE to SYSTEM",
     "type": "LPE",

package/data/cwe-catalog.json

@@ -1299,10 +1299,13 @@
     ],
     "evidence_cves": [
       "CVE-2023-21529",
+      "CVE-2024-50050",
       "CVE-2024-8069",
       "CVE-2025-10035",
+      "CVE-2025-23254",
       "CVE-2025-24016",
       "CVE-2025-26399",
+      "CVE-2025-30165",
       "CVE-2025-40551",
       "CVE-2025-42999",
       "CVE-2025-49113",
@@ -1310,6 +1313,7 @@
       "CVE-2025-53690",
       "CVE-2025-53770",
       "CVE-2025-59287",
+      "CVE-2025-60455",
       "CVE-2025-68664",
       "CVE-2026-20131",
       "CVE-2026-20963"

package/data/framework-control-gaps.json

@@ -34,9 +34,13 @@
     "status": "open",
     "opened_date": "2026-01-01",
     "evidence_cves": [
+      "CVE-2024-50050",
+      "CVE-2025-23254",
+      "CVE-2025-30165",
       "CVE-2025-34291",
       "CVE-2025-49596",
       "CVE-2025-54136",
+      "CVE-2025-60455",
       "CVE-2026-22252",
       "CVE-2026-22688",
       "CVE-2026-26015",
@@ -1354,6 +1358,7 @@
       "CVE-2024-37079",
       "CVE-2024-42009",
       "CVE-2024-43468",
+      "CVE-2024-50050",
       "CVE-2024-54085",
       "CVE-2024-56145",
       "CVE-2024-57726",
@@ -1382,6 +1387,7 @@
       "CVE-2025-21043",
       "CVE-2025-21479",
       "CVE-2025-21480",
+      "CVE-2025-23254",
       "CVE-2025-24016",
       "CVE-2025-24201",
       "CVE-2025-24893",
@@ -1397,6 +1403,7 @@
       "CVE-2025-27915",
       "CVE-2025-27920",
       "CVE-2025-29635",
+      "CVE-2025-30165",
       "CVE-2025-30397",
       "CVE-2025-31125",
       "CVE-2025-31277",
@@ -1470,6 +1477,7 @@
       "CVE-2025-59374",
       "CVE-2025-59689",
       "CVE-2025-59718",
+      "CVE-2025-60455",
       "CVE-2025-60710",
       "CVE-2025-61757",
       "CVE-2025-61882",
@@ -1738,14 +1746,18 @@
     "status": "open",
     "opened_date": "2026-03-15",
     "evidence_cves": [
+      "CVE-2024-50050",
       "CVE-2025-10585",
       "CVE-2025-1094",
       "CVE-2025-14174",
+      "CVE-2025-23254",
+      "CVE-2025-30165",
       "CVE-2025-34291",
       "CVE-2025-38352",
       "CVE-2025-43300",
       "CVE-2025-49596",
       "CVE-2025-54136",
+      "CVE-2025-60455",
       "CVE-2026-22252",
       "CVE-2026-22688",
       "CVE-2026-25592",
@@ -2156,8 +2168,12 @@
     "status": "open",
     "opened_date": "2026-05-13",
     "evidence_cves": [
+      "CVE-2024-50050",
       "CVE-2025-0133",
       "CVE-2025-1094",
+      "CVE-2025-23254",
+      "CVE-2025-30165",
+      "CVE-2025-60455",
       "CVE-2025-6965",
       "CVE-2026-39884",
       "CVE-2026-42208",
@@ -2304,6 +2320,7 @@
       "CVE-2024-37079",
       "CVE-2024-42009",
       "CVE-2024-43468",
+      "CVE-2024-50050",
       "CVE-2024-54085",
       "CVE-2024-56145",
       "CVE-2024-57726",
@@ -2333,6 +2350,7 @@
       "CVE-2025-21043",
       "CVE-2025-21479",
       "CVE-2025-21480",
+      "CVE-2025-23254",
       "CVE-2025-24016",
       "CVE-2025-24201",
       "CVE-2025-24893",
@@ -2348,6 +2366,7 @@
       "CVE-2025-27915",
       "CVE-2025-27920",
       "CVE-2025-29635",
+      "CVE-2025-30165",
       "CVE-2025-30397",
       "CVE-2025-31125",
       "CVE-2025-31277",
@@ -2422,6 +2441,7 @@
       "CVE-2025-59389",
       "CVE-2025-59689",
       "CVE-2025-59718",
+      "CVE-2025-60455",
       "CVE-2025-60710",
       "CVE-2025-61757",
       "CVE-2025-61882",
@@ -4756,9 +4776,13 @@
     "opened_date": "2026-05-15",
     "evidence_cves": [
       "CVE-2024-21762",
+      "CVE-2024-50050",
+      "CVE-2025-23254",
+      "CVE-2025-30165",
       "CVE-2025-34291",
       "CVE-2025-49596",
       "CVE-2025-54136",
+      "CVE-2025-60455",
       "CVE-2026-0300",
       "CVE-2026-20182",
       "CVE-2026-22252",
@@ -5264,9 +5288,13 @@
     "opened_date": "2026-05-17",
     "evidence_cves": [
       "CVE-2024-21762",
+      "CVE-2024-50050",
+      "CVE-2025-23254",
+      "CVE-2025-30165",
       "CVE-2025-34291",
       "CVE-2025-49596",
       "CVE-2025-54136",
+      "CVE-2025-60455",
       "CVE-2026-22252",
       "CVE-2026-22688",
       "CVE-2026-25592",
@@ -5314,9 +5342,13 @@
     "opened_date": "2026-05-17",
     "evidence_cves": [
       "CVE-2024-21762",
+      "CVE-2024-50050",
+      "CVE-2025-23254",
+      "CVE-2025-30165",
       "CVE-2025-34291",
       "CVE-2025-49596",
       "CVE-2025-54136",
+      "CVE-2025-60455",
       "CVE-2026-22252",
       "CVE-2026-22688",
       "CVE-2026-25592",