@blamejs/exceptd-skills 0.13.82 → 0.13.83

package/data/atlas-ttps.json

@@ -143,6 +143,8 @@
     "maturity": "high",
     "last_verified": "2026-05-19",
     "cve_refs": [
+      "CVE-2025-1550",
+      "CVE-2025-8747",
       "CVE-2026-22778",
       "CVE-2026-30615",
       "CVE-2026-39987",
@@ -1259,6 +1261,8 @@
     "exceptd_skills": [],
     "last_verified": "2026-05-19",
     "cve_refs": [
+      "CVE-2025-1550",
+      "CVE-2025-8747",
       "MAL-2024-PYPI-ULTRALYTICS-XMRIG"
     ],
     "description_full": "An adversary may rely upon specific actions by a user in order to gain execution. Users may inadvertently execute unsafe code introduced via [AI Supply Chain Compromise](/techniques/AML.T0010). Users may be subjected to social engineering to get them to execute malicious code by, for example, opening a malicious document file or link.",
@@ -2784,7 +2788,11 @@
       "ATLAS"
     ],
     "stix_id": "attack-pattern--a5cc5062-f672-510a-8a4f-a8d1aa7f5024",
-    "is_subtechnique": true
+    "is_subtechnique": true,
+    "cve_refs": [
+      "CVE-2025-1550",
+      "CVE-2025-8747"
+    ]
   },
   "AML.T0011.001": {
     "id": "AML.T0011.001",

package/data/attack-techniques.json

@@ -273,6 +273,7 @@
       "CVE-2024-50050",
       "CVE-2025-1094",
       "CVE-2025-11837",
+      "CVE-2025-1550",
       "CVE-2025-23254",
       "CVE-2025-30165",
       "CVE-2025-34291",
@@ -283,6 +284,7 @@
       "CVE-2025-60455",
       "CVE-2025-64496",
       "CVE-2025-68664",
+      "CVE-2025-8747",
       "CVE-2026-0766",
       "CVE-2026-22252",
       "CVE-2026-22688",
@@ -1069,6 +1071,8 @@
     "version": "v19",
     "cve_refs": [
       "CVE-2024-3094",
+      "CVE-2025-1550",
+      "CVE-2025-8747",
       "CVE-2026-45321",
       "MAL-2024-PYPI-ULTRALYTICS-XMRIG",
       "MAL-2025-PYPI-COLORAMA-SOLANA-STEALER",
@@ -4234,7 +4238,11 @@
       "Containers"
     ],
     "stix_id": "attack-pattern--8c32eb4d-805f-4fc5-bf60-c4d476c131b5",
-    "is_subtechnique": false
+    "is_subtechnique": false,
+    "cve_refs": [
+      "CVE-2025-1550",
+      "CVE-2025-8747"
+    ]
   },
   "T1205": {
     "id": "T1205",

package/data/cve-catalog.json

@@ -11821,6 +11821,220 @@
     "_intake_method": "manual-verified-curation",
     "_kev_short_description": "NVIDIA Container Toolkit loads code via an untrusted search path in its init hooks (CWE-426), letting a crafted container escape to the host with elevated permissions (NVIDIAScape). Affects Container Toolkit <= 1.17.7 (fixed 1.17.8) and GPU Operator <= 25.3.0 (fixed 25.3.1)."
   },
+  "CVE-2025-1550": {
+    "name": "Keras .keras Model Deserialization Arbitrary Code Execution",
+    "type": "RCE",
+    "cvss_score": 9.8,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+    "cvss_note": "NVD CVSS v3.1 base 9.8 (CRITICAL). Arbitrary code execution at model-load time via unrestricted importlib use in the .keras format parser — no Lambda layer or custom object required, and loading (not calling) the model triggers it.",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "Public exploit / research exists (Huntr writeups; Exploit-DB EDB-52359 for the Keras model RCE): a crafted .keras model archive executes code when loaded.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed via Keras security advisories / Huntr. The abused surface is the ML model file format — the canonical AI supply-chain risk where an untrusted model artifact is executable code.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; unsafe deserialization of ML model artifacts.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "Advisory / research disclosure with a coordinated fix; no confirmed in-the-wild exploitation reported as of curation.",
+    "affected": "Keras 3.0.0 through 3.7.x (fixed in 3.8.0, which introduced the safe_mode mitigation).",
+    "affected_versions": [
+      "Keras >= 3.0.0, < 3.8.0"
+    ],
+    "vector": "Keras's .keras model-format parser uses importlib.import_module on names taken from the model archive, so a crafted .keras file executes arbitrary Python modules/functions when the model is loaded (CWE-94) — without Lambda layers or custom objects, at parse time. An attacker who can get a victim to load an untrusted model achieves code execution.",
+    "complexity": "low",
+    "complexity_notes": "NVD AC:L. AV:N — loading the model (not calling it) triggers execution.",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "Remediation is upgrading Keras to 3.8.0 or later; no host reboot.",
+    "vendor_update_paths": [
+      "Upgrade Keras to 3.8.0 or later and never load .keras models from untrusted sources. Note safe_mode alone is insufficient (see CVE-2025-8747)."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-2": "Flaw-remediation cadence does not track ML frameworks' model-loading paths as managed, RCE-bearing software, nor that a first fix (safe_mode) was bypassable.",
+      "NIST-800-53-SI-10": "Input-validation control is not applied to ML model artifacts, which are treated as data despite being executable at load time.",
+      "ISO-27001-2022-A.8.8": "Vulnerability management rarely enumerates the model-deserialization path as a code-execution surface.",
+      "NIS2-Art21-patch-management": "Article 21 measures do not reach ML model loading as a privileged execution control plane.",
+      "DORA-Art-9": "ICT protection measures do not model untrusted-model-artifact loading as an ICT-risk event.",
+      "UK-CAF-B4": "System Security objective has no objective for treating model artifacts as untrusted code.",
+      "AU-ISM-1546": "Patch-application control does not single out ML frameworks' model-loading paths.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework treats an ML model file as untrusted executable input; loading one from an untrusted source is RCE, and safe_mode proved necessary-but-insufficient."
+    },
+    "atlas_refs": [
+      "AML.T0010",
+      "AML.T0011",
+      "AML.T0011.000"
+    ],
+    "attack_refs": [
+      "T1204",
+      "T1059",
+      "T1195.002"
+    ],
+    "rwep_score": 31,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 26,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Standard (RWEP 31, \"patch within 30 days\" band per lib/scoring.js timeline). Not KEV, no confirmed in-the-wild exploitation, patched at/after disclosure (Hard Rule #3). poc_available=20 + blast_radius=26 (Keras/TensorFlow are among the most widely used ML frameworks) minus patch 15.",
+    "epss_score": null,
+    "epss_date": "2026-05-25",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2025-1550",
+    "cwe_refs": [
+      "CWE-94"
+    ],
+    "iocs": {
+      "behavioral": [
+        "Python module imports or subprocess execution occurring during keras.models.load_model / Model.load_model of an externally sourced .keras file.",
+        "A .keras archive whose config references importlib targets or built-in module arguments that resolve to code execution.",
+        "Loading model artifacts pulled from a model hub or user upload without provenance verification.",
+        "Keras at an affected version (Keras >= 3.0.0, < 3.8.0) loading untrusted models — the exposed precondition."
+      ],
+      "_ioc_source_note": "Behavioral signatures derived from the primary public exploit for CVE-2025-1550 — Exploit-DB EDB-52359 (https://www.exploit-db.com/exploits/52359) and the PoC write-up at https://github.com/io-no/CVE-Reports/issues/2 — plus the Huntr technical analysis (https://blog.huntr.com/inside-cve-2025-1550-remote-code-execution-via-keras-models) and NVD CVE-2025-1550 (CWE-94). The importlib-driven load-time execution is the indicator anchor."
+    },
+    "source_verified": "2026-05-25",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2025-1550",
+      "https://github.com/keras-team/keras/security/advisories",
+      "https://www.exploit-db.com/exploits/52359",
+      "https://github.com/io-no/CVE-Reports/issues/2"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "GitHub Security Advisory",
+        "advisory_id": "CVE-2025-1550",
+        "url": "https://github.com/keras-team/keras/security/advisories",
+        "severity": "critical",
+        "published_date": "2025-03-11"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2025-1550",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1550",
+        "severity": "critical",
+        "published_date": "2025-03-11"
+      }
+    ],
+    "last_updated": "2026-05-25",
+    "discovery_attribution_note": "Manually curated from NVD (CWE-94; NIST CVSS 9.8) + the Keras security advisory / Huntr research. Member of the ML model-deserialization family — untrusted model artifact equals executable code; CVE-2025-8747 shows the first fix was bypassable.",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Keras's .keras model parser runs arbitrary Python via importlib at load time (CWE-94), so loading an untrusted model is RCE; fixed in 3.8.0 (added safe_mode)."
+  },
+  "CVE-2025-8747": {
+    "name": "Keras safe_mode Bypass Model Deserialization Code Execution",
+    "type": "RCE",
+    "cvss_score": 7.8,
+    "cvss_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
+    "cvss_note": "NVD CVSS v3.1 base 7.8 (HIGH). A bypass of the safe_mode mitigation introduced for CVE-2025-1550: even with safe_mode enabled, a crafted .keras archive passed to Model.load_model can execute code by abusing arguments to built-in Keras modules (CWE-502).",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "Public exploit / research exists (Huntr writeups; Exploit-DB EDB-52359 for the Keras model RCE): a crafted .keras model archive executes code when loaded, bypassing the safe_mode mitigation.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed via Keras security advisories / Huntr. The abused surface is the ML model file format — the canonical AI supply-chain risk where an untrusted model artifact is executable code.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; unsafe deserialization of ML model artifacts.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "Advisory / research disclosure with a coordinated fix; no confirmed in-the-wild exploitation reported as of curation.",
+    "affected": "Keras 3.0.0 through 3.10.0 (the safe_mode mitigation from 3.8.0 is bypassable through 3.10.0).",
+    "affected_versions": [
+      "Keras >= 3.0.0, <= 3.10.0"
+    ],
+    "vector": "The safe_mode mitigation added for CVE-2025-1550 is incomplete: Model.load_model still deserializes untrusted .keras archives in a way that lets crafted arguments to built-in Keras modules execute code (CWE-502), even when safe_mode is enabled. Loading an untrusted model is therefore still RCE.",
+    "complexity": "low",
+    "complexity_notes": "NVD AC:L. AV:L / UI:R — requires a victim to load the crafted model.",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "Remediation is upgrading Keras past 3.10.0 to the release that fixes the safe_mode bypass; no host reboot.",
+    "vendor_update_paths": [
+      "Upgrade Keras past 3.10.0 (to the release that fixes the safe_mode bypass) and treat safe_mode as necessary-but-insufficient: never load .keras models from untrusted sources."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-2": "Flaw-remediation cadence does not track ML frameworks' model-loading paths as managed, RCE-bearing software, nor that a first fix (safe_mode) was bypassable.",
+      "NIST-800-53-SI-10": "Input-validation control is not applied to ML model artifacts, which are treated as data despite being executable at load time.",
+      "ISO-27001-2022-A.8.8": "Vulnerability management rarely enumerates the model-deserialization path as a code-execution surface.",
+      "NIS2-Art21-patch-management": "Article 21 measures do not reach ML model loading as a privileged execution control plane.",
+      "DORA-Art-9": "ICT protection measures do not model untrusted-model-artifact loading as an ICT-risk event.",
+      "UK-CAF-B4": "System Security objective has no objective for treating model artifacts as untrusted code.",
+      "AU-ISM-1546": "Patch-application control does not single out ML frameworks' model-loading paths.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework treats an ML model file as untrusted executable input; loading one from an untrusted source is RCE, and safe_mode proved necessary-but-insufficient."
+    },
+    "atlas_refs": [
+      "AML.T0010",
+      "AML.T0011",
+      "AML.T0011.000"
+    ],
+    "attack_refs": [
+      "T1204",
+      "T1059",
+      "T1195.002"
+    ],
+    "rwep_score": 31,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 26,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Standard (RWEP 31, \"patch within 30 days\" band per lib/scoring.js timeline). Not KEV, no confirmed in-the-wild exploitation, patched at/after disclosure (Hard Rule #3). poc_available=20 + blast_radius=26 (Keras/TensorFlow are among the most widely used ML frameworks) minus patch 15.",
+    "epss_score": null,
+    "epss_date": "2026-05-25",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2025-8747",
+    "cwe_refs": [
+      "CWE-502"
+    ],
+    "iocs": {
+      "behavioral": [
+        "Python module imports or subprocess execution occurring during keras.models.load_model / Model.load_model of an externally sourced .keras file.",
+        "A .keras archive whose config references importlib targets or built-in module arguments that resolve to code execution.",
+        "Loading model artifacts pulled from a model hub or user upload without provenance verification.",
+        "Keras at an affected version (Keras >= 3.0.0, <= 3.10.0) loading untrusted models — the exposed precondition."
+      ],
+      "_ioc_source_note": "Behavioral signatures derived from the primary advisory for the CVE-2025-8747 safe_mode bypass — GitHub Security Advisory GHSA-c9rc-mg46-23w3 (https://github.com/advisories/GHSA-c9rc-mg46-23w3), which documents the bypass technique and PoC — plus NVD CVE-2025-8747 (CWE-502) and the Huntr Keras-deserialization research (https://blog.huntr.com/hunting-vulnerabilities-in-keras-model-deserialization). The safe_mode-enabled Model.load_model code execution via built-in module arguments is the indicator anchor."
+    },
+    "source_verified": "2026-05-25",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2025-8747",
+      "https://github.com/advisories/GHSA-c9rc-mg46-23w3"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "GitHub Security Advisory",
+        "advisory_id": "CVE-2025-8747",
+        "url": "https://github.com/advisories/GHSA-c9rc-mg46-23w3",
+        "severity": "high",
+        "published_date": "2025-08-11"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2025-8747",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-8747",
+        "severity": "high",
+        "published_date": "2025-08-11"
+      }
+    ],
+    "last_updated": "2026-05-25",
+    "discovery_attribution_note": "Manually curated from NVD (CWE-502; NIST CVSS 7.8) + the Keras security advisory / Huntr research. Member of the ML model-deserialization family — untrusted model artifact equals executable code; CVE-2025-8747 shows the first fix was bypassable.",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Keras safe_mode (added for CVE-2025-1550) is bypassable through 3.10.0: a crafted .keras archive executes code via built-in module arguments even with safe_mode on (CWE-502). The first fix was incomplete."
+  },
   "CVE-2026-41091": {
     "name": "Microsoft Defender (Malware Protection Engine) Link-Following LPE to SYSTEM",
     "type": "LPE",

package/data/cwe-catalog.json

@@ -369,6 +369,7 @@
       "CVE-2022-48503",
       "CVE-2024-56145",
       "CVE-2025-11837",
+      "CVE-2025-1550",
       "CVE-2025-32432",
       "CVE-2025-37164",
       "CVE-2025-43200",
@@ -1317,6 +1318,7 @@
       "CVE-2025-59287",
       "CVE-2025-60455",
       "CVE-2025-68664",
+      "CVE-2025-8747",
       "CVE-2026-20131",
       "CVE-2026-20963"
     ],

package/data/framework-control-gaps.json

@@ -37,6 +37,7 @@
       "CVE-2023-48022",
       "CVE-2024-0132",
       "CVE-2024-50050",
+      "CVE-2025-1550",
       "CVE-2025-23254",
       "CVE-2025-23266",
       "CVE-2025-30165",
@@ -45,6 +46,7 @@
       "CVE-2025-54136",
       "CVE-2025-60455",
       "CVE-2025-64496",
+      "CVE-2025-8747",
       "CVE-2026-0766",
       "CVE-2026-22252",
       "CVE-2026-22688",
@@ -1385,6 +1387,7 @@
       "CVE-2025-14174",
       "CVE-2025-14611",
       "CVE-2025-14733",
+      "CVE-2025-1550",
       "CVE-2025-15556",
       "CVE-2025-20281",
       "CVE-2025-20333",
@@ -1511,6 +1514,7 @@
       "CVE-2025-7775",
       "CVE-2025-8088",
       "CVE-2025-8110",
+      "CVE-2025-8747",
       "CVE-2025-8875",
       "CVE-2025-8876",
       "CVE-2025-9242",
@@ -1763,6 +1767,7 @@
       "CVE-2025-10585",
       "CVE-2025-1094",
       "CVE-2025-14174",
+      "CVE-2025-1550",
       "CVE-2025-23254",
       "CVE-2025-23266",
       "CVE-2025-30165",
@@ -1773,6 +1778,7 @@
       "CVE-2025-54136",
       "CVE-2025-60455",
       "CVE-2025-64496",
+      "CVE-2025-8747",
       "CVE-2026-0766",
       "CVE-2026-22252",
       "CVE-2026-22688",
@@ -2192,11 +2198,13 @@
       "CVE-2024-50050",
       "CVE-2025-0133",
       "CVE-2025-1094",
+      "CVE-2025-1550",
       "CVE-2025-23254",
       "CVE-2025-30165",
       "CVE-2025-60455",
       "CVE-2025-64496",
       "CVE-2025-6965",
+      "CVE-2025-8747",
       "CVE-2026-0766",
       "CVE-2026-39884",
       "CVE-2026-42208",
@@ -2363,6 +2371,7 @@
       "CVE-2025-14174",
       "CVE-2025-14611",
       "CVE-2025-14733",
+      "CVE-2025-1550",
       "CVE-2025-15556",
       "CVE-2025-20281",
       "CVE-2025-20333",
@@ -2494,6 +2503,7 @@
       "CVE-2025-7775",
       "CVE-2025-8088",
       "CVE-2025-8110",
+      "CVE-2025-8747",
       "CVE-2025-8875",
       "CVE-2025-8876",
       "CVE-2025-9242",
@@ -4812,6 +4822,7 @@
       "CVE-2024-0132",
       "CVE-2024-21762",
       "CVE-2024-50050",
+      "CVE-2025-1550",
       "CVE-2025-23254",
       "CVE-2025-23266",
       "CVE-2025-30165",
@@ -4820,6 +4831,7 @@
       "CVE-2025-54136",
       "CVE-2025-60455",
       "CVE-2025-64496",
+      "CVE-2025-8747",
       "CVE-2026-0300",
       "CVE-2026-0766",
       "CVE-2026-20182",
@@ -5330,6 +5342,7 @@
       "CVE-2024-0132",
       "CVE-2024-21762",
       "CVE-2024-50050",
+      "CVE-2025-1550",
       "CVE-2025-23254",
       "CVE-2025-23266",
       "CVE-2025-30165",
@@ -5338,6 +5351,7 @@
       "CVE-2025-54136",
       "CVE-2025-60455",
       "CVE-2025-64496",
+      "CVE-2025-8747",
       "CVE-2026-0766",
       "CVE-2026-22252",
       "CVE-2026-22688",
@@ -5389,6 +5403,7 @@
       "CVE-2024-0132",
       "CVE-2024-21762",
       "CVE-2024-50050",
+      "CVE-2025-1550",
       "CVE-2025-23254",
       "CVE-2025-23266",
       "CVE-2025-30165",
@@ -5397,6 +5412,7 @@
       "CVE-2025-54136",
       "CVE-2025-60455",
       "CVE-2025-64496",
+      "CVE-2025-8747",
       "CVE-2026-0766",
       "CVE-2026-22252",
       "CVE-2026-22688",

package/data/zeroday-lessons.json

@@ -7083,6 +7083,106 @@
     "_auto_imported": false,
     "_intake_method": "manual-verified-curation"
   },
+  "CVE-2025-1550": {
+    "name": "Keras .keras Model Deserialization Arbitrary Code Execution",
+    "lesson_date": "2026-05-25",
+    "attack_vector": {
+      "description": "Keras's .keras model parser uses importlib on names from the model archive, so a crafted model executes arbitrary Python at load time (CWE-94) — no Lambda layer or custom object, no need to call the model.",
+      "privileges_required": "none beyond getting a victim to load an untrusted .keras model",
+      "complexity": "low",
+      "ai_factor": "The abused surface is the ML model file format itself — the canonical AI supply-chain risk: an untrusted model artifact is executable code at load time. The lesson, sharpened by the CVE-2025-1550 -> CVE-2025-8747 sequence, is that model artifacts must be treated as untrusted code (provenance, scanning, safe formats like safetensors), and a partial mitigation such as safe_mode is necessary-but-insufficient when it can be bypassed."
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Does not track ML frameworks' model-loading paths as RCE-bearing, nor that the first fix (safe_mode) was bypassable."
+      },
+      "NIST-800-53-SI-10": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Model artifacts are treated as data, but Keras executes code while parsing them; no validation is applied to the artifact."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework treats an ML model file as untrusted executable input; loading one from an untrusted source is RCE."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 72,
+      "basis": "ML pipelines pull models from hubs and user uploads and treat them as data; safe_mode is assumed sufficient despite the documented bypass.",
+      "theater_pattern": "model_artifact_trust"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-091",
+        "name": "UNTRUSTED-MODEL-ARTIFACT-LOADING",
+        "description": "Treat ML model artifacts as untrusted code: never load .keras / pickle-based models from untrusted sources, verify provenance, prefer safe formats (e.g. safetensors), and load untrusted models only in a sandboxed, network-isolated, least-privilege environment. Upgrade Keras to the fixed release (>= 3.8.0 for CVE-2025-1550; past 3.10.0 for the CVE-2025-8747 safe_mode bypass) and do not rely on safe_mode alone — it was bypassable. The distinguishing test: load an attacker-crafted .keras archive with safe_mode enabled on a sandboxed instance and confirm no code executes.",
+        "evidence": "https://nvd.nist.gov/vuln/detail/CVE-2025-1550",
+        "gap_closes": [
+          "NIST-800-53-SI-2",
+          "NIST-800-53-SI-10",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
+  "CVE-2025-8747": {
+    "name": "Keras safe_mode Bypass Model Deserialization Code Execution",
+    "lesson_date": "2026-05-25",
+    "attack_vector": {
+      "description": "The safe_mode mitigation added for CVE-2025-1550 is bypassable through Keras 3.10.0: Model.load_model still lets a crafted .keras archive execute code via arguments to built-in modules (CWE-502), even with safe_mode enabled.",
+      "privileges_required": "none beyond getting a victim to load an untrusted .keras model",
+      "complexity": "low",
+      "ai_factor": "The abused surface is the ML model file format itself — the canonical AI supply-chain risk: an untrusted model artifact is executable code at load time. The lesson, sharpened by the CVE-2025-1550 -> CVE-2025-8747 sequence, is that model artifacts must be treated as untrusted code (provenance, scanning, safe formats like safetensors), and a partial mitigation such as safe_mode is necessary-but-insufficient when it can be bypassed."
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Does not track ML frameworks' model-loading paths as RCE-bearing, nor that the first fix (safe_mode) was bypassable."
+      },
+      "NIST-800-53-SI-10": {
+        "covered": true,
+        "adequate": false,
+        "gap": "A mitigation (safe_mode) is asserted as the control, but it is bypassable; the artifact is still deserialized unsafely."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework treats an ML model file as untrusted executable input; loading one from an untrusted source is RCE."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 74,
+      "basis": "ML pipelines pull models from hubs and user uploads and treat them as data; safe_mode is assumed sufficient despite the documented bypass.",
+      "theater_pattern": "incomplete_fix_assumed_complete"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-091",
+        "name": "UNTRUSTED-MODEL-ARTIFACT-LOADING",
+        "description": "Treat ML model artifacts as untrusted code: never load .keras / pickle-based models from untrusted sources, verify provenance, prefer safe formats (e.g. safetensors), and load untrusted models only in a sandboxed, network-isolated, least-privilege environment. Upgrade Keras to the fixed release (>= 3.8.0 for CVE-2025-1550; past 3.10.0 for the CVE-2025-8747 safe_mode bypass) and do not rely on safe_mode alone — it was bypassable. The distinguishing test: load an attacker-crafted .keras archive with safe_mode enabled on a sandboxed instance and confirm no code executes.",
+        "evidence": "https://github.com/advisories/GHSA-c9rc-mg46-23w3",
+        "gap_closes": [
+          "NIST-800-53-SI-2",
+          "NIST-800-53-SI-10",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
   "CVE-2025-34291": {
     "name": "Langflow Account Takeover + RCE (CORS / refresh-token chain)",
     "lesson_date": "2026-05-24",