@blamejs/exceptd-skills 0.13.83 → 0.13.85

package/data/cwe-catalog.json

@@ -48,6 +48,7 @@
       "fuzz-testing-strategy"
     ],
     "evidence_cves": [
+      "CVE-2022-1471",
       "CVE-2024-3154",
       "CVE-2025-20393",
       "CVE-2025-54236",
@@ -421,6 +422,7 @@
       "hardening"
     ],
     "evidence_cves": [
+      "CVE-2024-42479",
       "CVE-2026-43284"
     ],
     "framework_controls_partially_addressing": [
@@ -453,6 +455,7 @@
     ],
     "evidence_cves": [
       "CVE-2023-36424",
+      "CVE-2024-42478",
       "CVE-2025-48633",
       "CVE-2025-5419",
       "CVE-2025-5777",
@@ -1301,6 +1304,7 @@
       "webapp-security"
     ],
     "evidence_cves": [
+      "CVE-2022-1471",
       "CVE-2023-21529",
       "CVE-2024-50050",
       "CVE-2024-8069",
@@ -1589,6 +1593,7 @@
       "CVE-2023-3519",
       "CVE-2024-21762",
       "CVE-2024-37079",
+      "CVE-2024-42479",
       "CVE-2025-14174",
       "CVE-2025-14733",
       "CVE-2025-21042",
@@ -1825,6 +1830,7 @@
       "CVE-2021-22054",
       "CVE-2021-22175",
       "CVE-2021-39935",
+      "CVE-2023-43654",
       "CVE-2023-48022",
       "CVE-2025-61884"
     ],
@@ -2255,6 +2261,7 @@
       "CVE-2025-6965",
       "CVE-2025-7775",
       "CVE-2026-20700",
+      "CVE-2026-34159",
       "CVE-2026-3910"
     ],
     "last_verified": "2026-05-18",

package/data/framework-control-gaps.json

@@ -34,8 +34,12 @@
     "status": "open",
     "opened_date": "2026-01-01",
     "evidence_cves": [
+      "CVE-2022-1471",
+      "CVE-2023-43654",
       "CVE-2023-48022",
       "CVE-2024-0132",
+      "CVE-2024-42478",
+      "CVE-2024-42479",
       "CVE-2024-50050",
       "CVE-2025-1550",
       "CVE-2025-23254",
@@ -57,6 +61,7 @@
       "CVE-2026-30617",
       "CVE-2026-30624",
       "CVE-2026-30625",
+      "CVE-2026-34159",
       "CVE-2026-40933"
     ],
     "atlas_refs": [
@@ -1343,6 +1348,7 @@
       "CVE-2021-39935",
       "CVE-2021-43226",
       "CVE-2021-43798",
+      "CVE-2022-1471",
       "CVE-2022-20775",
       "CVE-2022-37055",
       "CVE-2022-40799",
@@ -1357,6 +1363,7 @@
       "CVE-2023-39780",
       "CVE-2023-41974",
       "CVE-2023-43000",
+      "CVE-2023-43654",
       "CVE-2023-50224",
       "CVE-2023-52163",
       "CVE-2024-0769",
@@ -1368,6 +1375,8 @@
       "CVE-2024-27443",
       "CVE-2024-37079",
       "CVE-2024-42009",
+      "CVE-2024-42478",
+      "CVE-2024-42479",
       "CVE-2024-43468",
       "CVE-2024-50050",
       "CVE-2024-54085",
@@ -1565,6 +1574,7 @@
       "CVE-2026-32201",
       "CVE-2026-33017",
       "CVE-2026-33634",
+      "CVE-2026-34159",
       "CVE-2026-34197",
       "CVE-2026-34621",
       "CVE-2026-34926",
@@ -1761,8 +1771,12 @@
     "status": "open",
     "opened_date": "2026-03-15",
     "evidence_cves": [
+      "CVE-2022-1471",
+      "CVE-2023-43654",
       "CVE-2023-48022",
       "CVE-2024-0132",
+      "CVE-2024-42478",
+      "CVE-2024-42479",
       "CVE-2024-50050",
       "CVE-2025-10585",
       "CVE-2025-1094",
@@ -1791,6 +1805,7 @@
       "CVE-2026-30624",
       "CVE-2026-30625",
       "CVE-2026-31431",
+      "CVE-2026-34159",
       "CVE-2026-34926",
       "CVE-2026-39884",
       "CVE-2026-40933",
@@ -2126,8 +2141,11 @@
       "CVE-2023-48022",
       "CVE-2024-0132",
       "CVE-2024-40635",
+      "CVE-2024-42478",
+      "CVE-2024-42479",
       "CVE-2025-23266",
       "CVE-2025-53767",
+      "CVE-2026-34159",
       "CVE-2026-42897"
     ],
     "atlas_refs": [
@@ -2324,6 +2342,7 @@
       "CVE-2021-39935",
       "CVE-2021-43226",
       "CVE-2021-43798",
+      "CVE-2022-1471",
       "CVE-2022-20775",
       "CVE-2022-37055",
       "CVE-2022-40799",
@@ -2339,6 +2358,7 @@
       "CVE-2023-39780",
       "CVE-2023-41974",
       "CVE-2023-43000",
+      "CVE-2023-43654",
       "CVE-2023-50224",
       "CVE-2023-52163",
       "CVE-2024-0132",
@@ -2351,6 +2371,8 @@
       "CVE-2024-27443",
       "CVE-2024-37079",
       "CVE-2024-42009",
+      "CVE-2024-42478",
+      "CVE-2024-42479",
       "CVE-2024-43468",
       "CVE-2024-50050",
       "CVE-2024-54085",
@@ -2558,6 +2580,7 @@
       "CVE-2026-33017",
       "CVE-2026-33634",
       "CVE-2026-33825",
+      "CVE-2026-34159",
       "CVE-2026-34197",
       "CVE-2026-34621",
       "CVE-2026-34926",
@@ -3608,6 +3631,8 @@
     "status": "open",
     "opened_date": "2026-05-13",
     "evidence_cves": [
+      "CVE-2022-1471",
+      "CVE-2023-43654",
       "CVE-2023-48022",
       "CVE-2026-24206",
       "CVE-2026-24207"
@@ -4818,9 +4843,13 @@
     "status": "open",
     "opened_date": "2026-05-15",
     "evidence_cves": [
+      "CVE-2022-1471",
+      "CVE-2023-43654",
       "CVE-2023-48022",
       "CVE-2024-0132",
       "CVE-2024-21762",
+      "CVE-2024-42478",
+      "CVE-2024-42479",
       "CVE-2024-50050",
       "CVE-2025-1550",
       "CVE-2025-23254",
@@ -4845,6 +4874,7 @@
       "CVE-2026-30617",
       "CVE-2026-30624",
       "CVE-2026-30625",
+      "CVE-2026-34159",
       "CVE-2026-34926",
       "CVE-2026-40933",
       "CVE-2026-41091",
@@ -5341,6 +5371,8 @@
     "evidence_cves": [
       "CVE-2024-0132",
       "CVE-2024-21762",
+      "CVE-2024-42478",
+      "CVE-2024-42479",
       "CVE-2024-50050",
       "CVE-2025-1550",
       "CVE-2025-23254",
@@ -5361,6 +5393,7 @@
       "CVE-2026-30617",
       "CVE-2026-30624",
       "CVE-2026-30625",
+      "CVE-2026-34159",
       "CVE-2026-34926",
       "CVE-2026-40933",
       "CVE-2026-41091",
@@ -5399,9 +5432,13 @@
     "status": "open",
     "opened_date": "2026-05-17",
     "evidence_cves": [
+      "CVE-2022-1471",
+      "CVE-2023-43654",
       "CVE-2023-48022",
       "CVE-2024-0132",
       "CVE-2024-21762",
+      "CVE-2024-42478",
+      "CVE-2024-42479",
       "CVE-2024-50050",
       "CVE-2025-1550",
       "CVE-2025-23254",
@@ -5424,6 +5461,7 @@
       "CVE-2026-30617",
       "CVE-2026-30624",
       "CVE-2026-30625",
+      "CVE-2026-34159",
       "CVE-2026-34926",
       "CVE-2026-40933",
       "CVE-2026-41091",
@@ -5701,6 +5739,8 @@
     "opened_date": "2026-05-18",
     "evidence_cves": [
       "CVE-2020-10148",
+      "CVE-2022-1471",
+      "CVE-2023-43654",
       "CVE-2023-48022",
       "CVE-2024-1709",
       "CVE-2026-20182",

package/data/zeroday-lessons.json

@@ -7183,6 +7183,256 @@
     "_auto_imported": false,
     "_intake_method": "manual-verified-curation"
   },
+  "CVE-2024-42479": {
+    "name": "llama.cpp RPC Backend SET_TENSOR Out-of-Bounds Write RCE",
+    "lesson_date": "2026-05-25",
+    "attack_vector": {
+      "description": "llama.cpp's RPC backend deserializes attacker-controlled tensor pointers without bounds validation (CWE-787/CWE-123 write-what-where via SET_TENSOR), so an unauthenticated TCP client to the RPC server (default port 50052) reads/writes arbitrary memory and achieves code execution.",
+      "privileges_required": "none (NVD AV:N / PR:N) — unauthenticated TCP access to the RPC server",
+      "complexity": "low (NVD AC:L)",
+      "ai_factor": "The abused surface is the distributed-inference RPC backend of the most widely used local LLM runtime. The lesson: the inference RPC backend is an unauthenticated execution boundary that must validate all deserialized tensor bounds on every command path and never be network-exposed. The CVE-2024-42478/42479 -> CVE-2026-34159 sequence shows per-command patching (GET/SET) left GRAPH_COMPUTE exploitable — the fix belongs in deserialize_tensor itself."
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Does not track the local-LLM runtime's RPC backend as RCE-bearing, nor that the first fix left the GRAPH_COMPUTE path unpatched."
+      },
+      "NIST-800-53-SC-7": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Does not flag the unauthenticated RPC server (port 50052) as a network-exposed execution surface."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework requires the inference RPC backend to validate deserialized tensor bounds on every command path."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 70,
+      "basis": "Local-LLM RPC servers are run on trusted-network assumptions and rarely tracked; per-command patches are assumed complete despite the GRAPH_COMPUTE bypass.",
+      "theater_pattern": "ai_supply_chain_trust"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-092",
+        "name": "AI-INFERENCE-RPC-BACKEND-HARDENING",
+        "description": "The inference RPC backend (llama.cpp / ggml) must validate all deserialized tensor bounds inside deserialize_tensor itself — every command path (GET_TENSOR, SET_TENSOR, GRAPH_COMPUTE), not per-handler — and must never be exposed to untrusted networks (the RPC server on port 50052 has no authentication; bind to localhost or a trusted segment). Upgrade llama.cpp to b8492 or later — b3561 fixed only GET_TENSOR / SET_TENSOR (CVE-2024-42478 / CVE-2024-42479), and builds b3561 through b8491 remain exploitable via the GRAPH_COMPUTE buffer=0 path (CVE-2026-34159), which b8492 closes. The distinguishing test: send a crafted rpc_tensor with buffer=0 / out-of-range data pointer via GRAPH_COMPUTE to a staging RPC server and confirm it is rejected, not dereferenced.",
+        "evidence": "https://github.com/ggerganov/llama.cpp/security/advisories/GHSA-wcr5-566p-9cwj",
+        "gap_closes": [
+          "NIST-800-53-SI-2",
+          "NIST-800-53-SC-7",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
+  "CVE-2024-42478": {
+    "name": "llama.cpp RPC Backend GET_TENSOR Out-of-Bounds Read",
+    "lesson_date": "2026-05-25",
+    "attack_vector": {
+      "description": "llama.cpp's RPC backend deserializes attacker-controlled tensor pointers without bounds validation (CWE-125 arbitrary read via GET_TENSOR), so an unauthenticated TCP client to the RPC server (default port 50052) reads/writes arbitrary memory and achieves code execution.",
+      "privileges_required": "none (NVD AV:N / PR:N) — unauthenticated TCP access to the RPC server",
+      "complexity": "low (NVD AC:L)",
+      "ai_factor": "The abused surface is the distributed-inference RPC backend of the most widely used local LLM runtime. The lesson: the inference RPC backend is an unauthenticated execution boundary that must validate all deserialized tensor bounds on every command path and never be network-exposed. The CVE-2024-42478/42479 -> CVE-2026-34159 sequence shows per-command patching (GET/SET) left GRAPH_COMPUTE exploitable — the fix belongs in deserialize_tensor itself."
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Does not track the local-LLM runtime's RPC backend as RCE-bearing, nor that the first fix left the GRAPH_COMPUTE path unpatched."
+      },
+      "NIST-800-53-SC-7": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Does not flag the unauthenticated RPC server (port 50052) as a network-exposed execution surface."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework requires the inference RPC backend to validate deserialized tensor bounds on every command path."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 70,
+      "basis": "Local-LLM RPC servers are run on trusted-network assumptions and rarely tracked; per-command patches are assumed complete despite the GRAPH_COMPUTE bypass.",
+      "theater_pattern": "ai_supply_chain_trust"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-092",
+        "name": "AI-INFERENCE-RPC-BACKEND-HARDENING",
+        "description": "The inference RPC backend (llama.cpp / ggml) must validate all deserialized tensor bounds inside deserialize_tensor itself — every command path (GET_TENSOR, SET_TENSOR, GRAPH_COMPUTE), not per-handler — and must never be exposed to untrusted networks (the RPC server on port 50052 has no authentication; bind to localhost or a trusted segment). Upgrade llama.cpp to b8492 or later — b3561 fixed only GET_TENSOR / SET_TENSOR (CVE-2024-42478 / CVE-2024-42479), and builds b3561 through b8491 remain exploitable via the GRAPH_COMPUTE buffer=0 path (CVE-2026-34159), which b8492 closes. The distinguishing test: send a crafted rpc_tensor with buffer=0 / out-of-range data pointer via GRAPH_COMPUTE to a staging RPC server and confirm it is rejected, not dereferenced.",
+        "evidence": "https://github.com/ggerganov/llama.cpp/security/advisories/GHSA-5vm9-p64x-gqw9",
+        "gap_closes": [
+          "NIST-800-53-SI-2",
+          "NIST-800-53-SC-7",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
+  "CVE-2026-34159": {
+    "name": "llama.cpp RPC Backend GRAPH_COMPUTE deserialize_tensor Bounds Bypass RCE",
+    "lesson_date": "2026-05-25",
+    "attack_vector": {
+      "description": "llama.cpp's RPC backend deserializes attacker-controlled tensor pointers without bounds validation (CWE-119 bounds bypass via GRAPH_COMPUTE (buffer=0)), so an unauthenticated TCP client to the RPC server (default port 50052) reads/writes arbitrary memory and achieves code execution.",
+      "privileges_required": "none (NVD AV:N / PR:N) — unauthenticated TCP access to the RPC server",
+      "complexity": "low (NVD AC:L)",
+      "ai_factor": "The abused surface is the distributed-inference RPC backend of the most widely used local LLM runtime. The lesson: the inference RPC backend is an unauthenticated execution boundary that must validate all deserialized tensor bounds on every command path and never be network-exposed. The CVE-2024-42478/42479 -> CVE-2026-34159 sequence shows per-command patching (GET/SET) left GRAPH_COMPUTE exploitable — the fix belongs in deserialize_tensor itself."
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Does not track the local-LLM runtime's RPC backend as RCE-bearing, nor that the first fix left the GRAPH_COMPUTE path unpatched."
+      },
+      "NIST-800-53-SC-7": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Does not flag the unauthenticated RPC server (port 50052) as a network-exposed execution surface."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework requires the inference RPC backend to validate deserialized tensor bounds on every command path."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 74,
+      "basis": "Local-LLM RPC servers are run on trusted-network assumptions and rarely tracked; per-command patches are assumed complete despite the GRAPH_COMPUTE bypass.",
+      "theater_pattern": "incomplete_fix_assumed_complete"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-092",
+        "name": "AI-INFERENCE-RPC-BACKEND-HARDENING",
+        "description": "The inference RPC backend (llama.cpp / ggml) must validate all deserialized tensor bounds inside deserialize_tensor itself — every command path (GET_TENSOR, SET_TENSOR, GRAPH_COMPUTE), not per-handler — and must never be exposed to untrusted networks (the RPC server on port 50052 has no authentication; bind to localhost or a trusted segment). Upgrade llama.cpp to b8492 or later. The distinguishing test: send a crafted rpc_tensor with buffer=0 / out-of-range data pointer via GRAPH_COMPUTE to a staging RPC server and confirm it is rejected, not dereferenced.",
+        "evidence": "https://github.com/ggml-org/llama.cpp/security/advisories/GHSA-j8rj-fmpv-wcxw",
+        "gap_closes": [
+          "NIST-800-53-SI-2",
+          "NIST-800-53-SC-7",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
+  "CVE-2023-43654": {
+    "name": "PyTorch TorchServe Management API SSRF to Remote Code Execution (ShellTorch)",
+    "lesson_date": "2026-05-25",
+    "attack_vector": {
+      "description": "PyTorch TorchServe Management API SSRF to Remote Code Execution (ShellTorch): CWE-918 SSRF in the management API. In the ShellTorch chain, an unauthenticated, network-exposed TorchServe management API accepts a remote model configuration and parses it with an unsafe YAML deserializer, yielding full remote code execution on the model server.",
+      "privileges_required": "none (NVD PR:N) — default-configured TorchServe is open and unauthenticated",
+      "complexity": "low (NVD AC:L)",
+      "ai_factor": "The abused surface is an AI model server (TorchServe, maintained by Amazon and Meta) and the libraries it bundles. The lesson: a model server's management API is a privileged control plane that must authenticate, bind to loopback, and never deserialize untrusted config unsafely — Oligo found thousands of exposed instances at major organizations, so the default-open posture is the real-world exposure."
+    },
+    "framework_coverage": {
+      "NIST-800-53-IA-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Authentication is not enforced on the model server's management API; the default deployment is open and network-exposed."
+      },
+      "NIST-800-53-SI-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Does not track AI model servers and their bundled deserialization libraries as managed, RCE-bearing software."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework treats the model server's management API + config deserialization as an untrusted, RCE-bearing surface."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 74,
+      "basis": "Model servers are deployed with default-open management planes on trusted-network assumptions; bundled YAML/deserialization libraries are not tracked.",
+      "theater_pattern": "default_open_management_plane"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-093",
+        "name": "AI-MODEL-SERVER-MANAGEMENT-API-HARDENING",
+        "description": "An AI model server's management API must authenticate every caller, bind to loopback (not all interfaces) by default, restrict model sources to an allow-list (no fetching configs/archives from arbitrary URLs), and parse configuration with safe deserializers (SafeConstructor / no arbitrary type instantiation). Upgrade TorchServe 0.8.2+ and bind the management API to loopback with authentication. The distinguishing test: from an unauthenticated remote client, attempt to register a model from an attacker URL against a staging model server and confirm it is refused and no remote content is fetched or deserialized.",
+        "evidence": "https://github.com/pytorch/serve/security/advisories/GHSA-8fxr-qfr9-p34w",
+        "gap_closes": [
+          "NIST-800-53-IA-2",
+          "NIST-800-53-SI-2",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
+  "CVE-2022-1471": {
+    "name": "SnakeYAML Constructor Unsafe Deserialization RCE (ShellTorch chain)",
+    "lesson_date": "2026-05-25",
+    "attack_vector": {
+      "description": "SnakeYAML Constructor Unsafe Deserialization RCE (ShellTorch chain): CWE-502 unsafe YAML deserialization. In the ShellTorch chain, an unauthenticated, network-exposed TorchServe management API accepts a remote model configuration and parses it with an unsafe YAML deserializer, yielding full remote code execution on the model server.",
+      "privileges_required": "none for services parsing untrusted YAML (NVD PR:N; CNA Google PR:L)",
+      "complexity": "low (NVD AC:L)",
+      "ai_factor": "The abused surface is an AI model server (TorchServe, maintained by Amazon and Meta) and the libraries it bundles. The lesson: a model server's management API is a privileged control plane that must authenticate, bind to loopback, and never deserialize untrusted config unsafely — Oligo found thousands of exposed instances at major organizations, so the default-open posture is the real-world exposure."
+    },
+    "framework_coverage": {
+      "NIST-800-53-IA-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Authentication is not enforced on the model server's management API; the default deployment is open and network-exposed."
+      },
+      "NIST-800-53-SI-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Does not track AI model servers and their bundled deserialization libraries as managed, RCE-bearing software."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework treats the model server's management API + config deserialization as an untrusted, RCE-bearing surface."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 70,
+      "basis": "Model servers are deployed with default-open management planes on trusted-network assumptions; bundled YAML/deserialization libraries are not tracked.",
+      "theater_pattern": "default_open_management_plane"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-093",
+        "name": "AI-MODEL-SERVER-MANAGEMENT-API-HARDENING",
+        "description": "An AI model server's management API must authenticate every caller, bind to loopback (not all interfaces) by default, restrict model sources to an allow-list (no fetching configs/archives from arbitrary URLs), and parse configuration with safe deserializers (SafeConstructor / no arbitrary type instantiation). Upgrade SnakeYAML 2.0+ (SafeConstructor default) or construct parsers with SafeConstructor. The distinguishing test: from an unauthenticated remote client, attempt to register a model from an attacker URL against a staging model server and confirm it is refused and no remote content is fetched or deserialized.",
+        "evidence": "https://nvd.nist.gov/vuln/detail/CVE-2022-1471",
+        "gap_closes": [
+          "NIST-800-53-IA-2",
+          "NIST-800-53-SI-2",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
   "CVE-2025-34291": {
     "name": "Langflow Account Takeover + RCE (CORS / refresh-token chain)",
     "lesson_date": "2026-05-24",