npm - @blamejs/exceptd-skills - Versions diffs - 0.13.85 → 0.13.87 - Mend

@blamejs/exceptd-skills 0.13.85 → 0.13.87

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (14) hide show

package/CHANGELOG.md +8 -0
package/data/_indexes/_meta.json +9 -9
package/data/_indexes/activity-feed.json +2 -2
package/data/_indexes/catalog-summaries.json +2 -2
package/data/_indexes/chains.json +1682 -0
package/data/atlas-ttps.json +7 -0
package/data/attack-techniques.json +10 -0
package/data/cve-catalog.json +422 -0
package/data/cwe-catalog.json +5 -0
package/data/framework-control-gaps.json +32 -0
package/data/zeroday-lessons.json +200 -0
package/manifest.json +44 -44
package/package.json +2 -2
package/sbom.cdx.json +25 -25

package/data/atlas-ttps.json CHANGED Viewed

@@ -144,6 +144,7 @@
     "last_verified": "2026-05-19",
     "cve_refs": [
       "CVE-2023-43654",
+      "CVE-2024-37032",
       "CVE-2025-1550",
       "CVE-2025-8747",
       "CVE-2026-22778",
@@ -668,6 +669,8 @@
     "maturity": "moderate",
     "last_verified": "2026-05-19",
     "cve_refs": [
+      "CVE-2023-51449",
+      "CVE-2024-1561",
       "CVE-2026-42208",
       "MAL-2026-3083"
     ],
@@ -1704,6 +1707,10 @@
     "cve_refs": [
       "CVE-2023-43654",
       "CVE-2023-48022",
+      "CVE-2023-51449",
+      "CVE-2024-1561",
+      "CVE-2024-37032",
+      "CVE-2024-39722",
       "CVE-2024-42478",
       "CVE-2024-42479",
       "CVE-2025-64496",

package/data/attack-techniques.json CHANGED Viewed

@@ -272,6 +272,7 @@
       "CVE-2022-1471",
       "CVE-2023-43654",
       "CVE-2023-48022",
+      "CVE-2024-37032",
       "CVE-2024-42479",
       "CVE-2024-50050",
       "CVE-2025-1094",
@@ -837,11 +838,15 @@
       "CVE-2023-39780",
       "CVE-2023-43654",
       "CVE-2023-48022",
+      "CVE-2023-51449",
       "CVE-2023-52163",
       "CVE-2024-12987",
+      "CVE-2024-1561",
       "CVE-2024-1709",
       "CVE-2024-21762",
+      "CVE-2024-37032",
       "CVE-2024-37079",
+      "CVE-2024-39722",
       "CVE-2024-42478",
       "CVE-2024-42479",
       "CVE-2024-43468",
@@ -2426,6 +2431,8 @@
     "version": "v19",
     "cve_refs": [
       "CVE-2023-36424",
+      "CVE-2023-51449",
+      "CVE-2024-1561",
       "CVE-2025-14847",
       "CVE-2025-22226",
       "CVE-2025-47813",
@@ -3509,6 +3516,9 @@
     "stix_id": "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18",
     "is_subtechnique": false,
     "cve_refs": [
+      "CVE-2023-51449",
+      "CVE-2024-1561",
+      "CVE-2024-39722",
       "CVE-2026-34926"
     ]
   },

package/data/cve-catalog.json CHANGED Viewed

@@ -12557,6 +12557,428 @@
     "_intake_method": "manual-verified-curation",
     "_kev_short_description": "SnakeYAML's default Constructor deserializes arbitrary types from untrusted YAML (CWE-502), enabling RCE; fixed in 2.0 (SafeConstructor default). The deserialization leg of the ShellTorch TorchServe chain."
   },
+  "CVE-2024-37032": {
+    "name": "Ollama Model Registry Path Traversal Arbitrary File Write RCE (Probllama)",
+    "type": "RCE",
+    "cvss_score": 8.8,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
+    "cvss_note": "NVD CVSS v3.1 base 8.8 (HIGH). Path traversal from insufficient validation of the SHA256 model-blob digest, enabling arbitrary file write and remote code execution.",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "Public exploit exists (a Metasploit module and standalone PoCs, e.g. github.com/jakabakos/CVE-2024-37032-Ollama-RCE): an attacker stands up a rogue registry whose manifest embeds a path-traversal digest, and an Ollama pull writes attacker content to an arbitrary path.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed by Wiz Research (Probllama). The abused surface is the model-pull path of the most widely used local LLM runtime.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; path traversal in the model-runtime API.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "Research disclosure with a coordinated fix; no confirmed in-the-wild exploitation reported as of curation.",
+    "affected": "Ollama before 0.1.34.",
+    "affected_versions": [
+      "Ollama < 0.1.34"
+    ],
+    "vector": "Ollama does not validate that a model-blob digest is a 64-character hex SHA256, so a manifest from a rogue registry can embed path-traversal sequences in the digest. When Ollama pulls the model it writes attacker-controlled content to an arbitrary path (CWE-22), which can overwrite server files (e.g. a config or library) and achieve remote code execution. Disclosed by Wiz as Probllama; a public Metasploit module exists.",
+    "complexity": "low",
+    "complexity_notes": "NVD AV:N / AC:L. PR:L.",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "Remediation is upgrading Ollama to 0.1.34 or later; redeploy, no host reboot.",
+    "vendor_update_paths": [
+      "Upgrade Ollama to 0.1.34 or later. Never expose the Ollama API (default port 11434) to untrusted networks, and only pull models from trusted registries."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-2": "Flaw-remediation cadence does not track the local-LLM runtime as managed, network-exposed software.",
+      "NIST-800-53-SI-10": "Input-validation control is not applied to model-blob digests / API path parameters in the runtime.",
+      "ISO-27001-2022-A.8.8": "Vulnerability management rarely enumerates the model-runtime API's path handling as an injection surface.",
+      "NIS2-Art21-patch-management": "Article 21 measures do not reach the local-LLM runtime API as a privileged surface.",
+      "DORA-Art-9": "ICT protection measures do not model path traversal in an AI runtime API as an ICT-risk event.",
+      "UK-CAF-B4": "System Security objective has no objective for validating paths/digests in the model-runtime API.",
+      "AU-ISM-1546": "Patch-application control does not single out local-LLM runtimes.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework treats the model-runtime API's path/digest handling as untrusted input; a rogue registry or crafted request reaches the filesystem."
+    },
+    "atlas_refs": [
+      "AML.T0049",
+      "AML.T0010"
+    ],
+    "attack_refs": [
+      "T1190",
+      "T1059"
+    ],
+    "rwep_score": 31,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 26,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Standard (RWEP 31, \"patch within 30 days\" band per lib/scoring.js timeline). Not KEV, no confirmed in-the-wild exploitation, patched at/after disclosure (Hard Rule #3). poc_available=20 + blast_radius=26 (Ollama is the most widely used local LLM runtime) minus patch 15.",
+    "epss_score": null,
+    "epss_date": "2026-05-25",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2024-37032",
+    "cwe_refs": [
+      "CWE-22"
+    ],
+    "iocs": {
+      "behavioral": [
+        "Ollama pulling a model from a non-default / untrusted registry whose manifest contains a blob digest that is not 64-hex (contains ../ or extra characters).",
+        "Ollama writing files outside its model blob store during a pull.",
+        "Ollama API (default port 11434) reachable from untrusted networks accepting model pulls.",
+        "Ollama < 0.1.34 — the exposed precondition."
+      ],
+      "_ioc_source_note": "Behavioral signatures derived from the Wiz Probllama research (https://www.wiz.io/blog/probllama-ollama-vulnerability-cve-2024-37032) and the public Metasploit module / PoC (github.com/jakabakos/CVE-2024-37032-Ollama-RCE), plus NVD CVE-2024-37032 (CWE-22)."
+    },
+    "source_verified": "2026-05-25",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2024-37032",
+      "https://www.wiz.io/blog/probllama-ollama-vulnerability-cve-2024-37032",
+      "https://www.wiz.io/blog/probllama-ollama-vulnerability-cve-2024-37032"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "Wiz Research (Probllama)",
+        "advisory_id": "CVE-2024-37032",
+        "url": "https://www.wiz.io/blog/probllama-ollama-vulnerability-cve-2024-37032",
+        "severity": "high",
+        "published_date": "2024-05-31"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2024-37032",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37032",
+        "severity": "high",
+        "published_date": "2024-05-31"
+      }
+    ],
+    "last_updated": "2026-05-25",
+    "discovery_attribution_note": "Manually curated from NVD (CWE-22; NIST CVSS 8.8) + Wiz Probllama research + the ollama GitHub advisory. Member of the Ollama API path-traversal family.",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Ollama fails to validate the model-blob digest, so a rogue registry's manifest triggers path-traversal arbitrary file write and RCE (Probllama); fixed in 0.1.34."
+  },
+  "CVE-2024-39722": {
+    "name": "Ollama api/push Path Traversal File-Existence Disclosure",
+    "type": "INFO-DISCLOSURE",
+    "cvss_score": 7.5,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
+    "cvss_note": "NVD CVSS v3.1 base 7.5 (HIGH). Path traversal on the api/push route discloses which files exist on the Ollama host.",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "Documented in Oligo's 'More Models, More ProbLLMs' research and the GitHub advisory: a crafted api/push request with traversal sequences reveals file existence on the Ollama host.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed by Oligo Security ('More Models, More ProbLLMs'). The abused surface is the Ollama HTTP API.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; path traversal in the model-runtime API.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "Research disclosure with a coordinated fix; no confirmed in-the-wild exploitation reported as of curation.",
+    "affected": "Ollama before 0.1.46 (fixed in 0.1.46).",
+    "affected_versions": [
+      "Ollama < 0.1.46"
+    ],
+    "vector": "Ollama's api/push route is vulnerable to path traversal (CWE-22): an unauthenticated request with traversal sequences reveals whether arbitrary paths exist on the server, a reconnaissance primitive that aids further exploitation. One of the Oligo 'More Models, More ProbLLMs' findings.",
+    "complexity": "low",
+    "complexity_notes": "NVD AV:N / AC:L. PR:N — unauthenticated.",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "Remediation is upgrading Ollama to 0.1.46 or later; redeploy, no host reboot.",
+    "vendor_update_paths": [
+      "Upgrade Ollama to 0.1.46 or later and do not expose the Ollama API (default port 11434) to untrusted networks."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-2": "Flaw-remediation cadence does not track the local-LLM runtime as managed, network-exposed software.",
+      "NIST-800-53-SI-10": "Input-validation control is not applied to model-blob digests / API path parameters in the runtime.",
+      "ISO-27001-2022-A.8.8": "Vulnerability management rarely enumerates the model-runtime API's path handling as an injection surface.",
+      "NIS2-Art21-patch-management": "Article 21 measures do not reach the local-LLM runtime API as a privileged surface.",
+      "DORA-Art-9": "ICT protection measures do not model path traversal in an AI runtime API as an ICT-risk event.",
+      "UK-CAF-B4": "System Security objective has no objective for validating paths/digests in the model-runtime API.",
+      "AU-ISM-1546": "Patch-application control does not single out local-LLM runtimes.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework treats the model-runtime API's path/digest handling as untrusted input; a rogue registry or crafted request reaches the filesystem."
+    },
+    "atlas_refs": [
+      "AML.T0049"
+    ],
+    "attack_refs": [
+      "T1190",
+      "T1083"
+    ],
+    "rwep_score": 27,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 22,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Standard (RWEP 27, \"patch within 30 days\" band per lib/scoring.js timeline). Not KEV, no confirmed in-the-wild exploitation, patched at/after disclosure (Hard Rule #3). poc_available=20 + blast_radius=22 (Ollama is the most widely used local LLM runtime) minus patch 15.",
+    "epss_score": null,
+    "epss_date": "2026-05-25",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2024-39722",
+    "cwe_refs": [
+      "CWE-22"
+    ],
+    "iocs": {
+      "behavioral": [
+        "api/push requests to the Ollama API containing path-traversal sequences (../) in path parameters.",
+        "Probe patterns enumerating host file existence via the Ollama HTTP API from untrusted sources.",
+        "Ollama API (default port 11434) exposed to untrusted networks.",
+        "Ollama < 0.1.46 — the exposed precondition."
+      ],
+      "_ioc_source_note": "Behavioral signatures derived from the Oligo 'More Models, More ProbLLMs' research (https://www.oligo.security/blog/more-models-more-probllms), plus NVD CVE-2024-39722 (CWE-22)."
+    },
+    "source_verified": "2026-05-25",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2024-39722",
+      "https://www.oligo.security/blog/more-models-more-probllms",
+      "https://www.oligo.security/blog/more-models-more-probllms"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "Oligo Security (More Models, More ProbLLMs)",
+        "advisory_id": "CVE-2024-39722",
+        "url": "https://www.oligo.security/blog/more-models-more-probllms",
+        "severity": "high",
+        "published_date": "2024-10-31"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2024-39722",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39722",
+        "severity": "high",
+        "published_date": "2024-10-31"
+      }
+    ],
+    "last_updated": "2026-05-25",
+    "discovery_attribution_note": "Manually curated from NVD (CWE-22; NIST CVSS 7.5) + Oligo 'More Models, More ProbLLMs' research + the ollama GitHub advisory. Member of the Ollama API path-traversal family.",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Ollama's api/push route path traversal (CWE-22) lets an unauthenticated attacker disclose file existence on the host; fixed in 0.1.46."
+  },
+  "CVE-2024-1561": {
+    "name": "Gradio /component_server Local File Read (Hugging Face Spaces Secret Theft)",
+    "type": "INFO-DISCLOSURE",
+    "cvss_score": 7.5,
+    "cvss_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
+    "cvss_note": "NVD CVSS v3.0 base 7.5 (HIGH). NVD assigns CWE-29 (a path-traversal variant); the parent class is CWE-22. The /component_server endpoint invokes any Component method with attacker-controlled arguments, abused via move_resource_to_block_cache() to read host files.",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "Public exploitation research exists (Horizon3.ai 'Exploiting File Read Vulnerabilities in Gradio to Steal Secrets from Hugging Face Spaces'): an unauthenticated request to a public Gradio app reads arbitrary host files, including HF Spaces secrets.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed by Horizon3.ai. The abused surface is Gradio, the ML demo/UI framework behind Hugging Face Spaces and countless public ML demos.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; file-read / SSRF in the ML web framework.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "Research disclosure with a coordinated fix; no confirmed in-the-wild exploitation reported as of curation.",
+    "affected": "Gradio 4.12.0 up to but excluding 4.13.0 (fixed in 4.13.0).",
+    "affected_versions": [
+      "Gradio >= 4.12.0, < 4.13.0"
+    ],
+    "vector": "Gradio's /component_server endpoint permits invoking arbitrary methods on a Component class with attacker-controlled arguments. An unauthenticated request invokes move_resource_to_block_cache() to copy an arbitrary host file into the served cache and read it (path traversal, CWE-22). On Hugging Face Spaces this reads secrets/tokens from the host. Disclosed by Horizon3.ai.",
+    "complexity": "low",
+    "complexity_notes": "NVD AV:N / AC:L / PR:N — unauthenticated, against a publicly reachable Gradio app.",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "Remediation is upgrading Gradio to 4.13.0 or later; redeploy, no host reboot.",
+    "vendor_update_paths": [
+      "Upgrade Gradio to 4.13.0 or later. Do not expose Gradio apps with sensitive host secrets to untrusted networks, run them least-privilege, and avoid storing secrets readable by the app process (relevant for Hugging Face Spaces)."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-2": "Flaw-remediation cadence does not track the ML demo/UI framework (Gradio) as managed, network-exposed software.",
+      "NIST-800-53-SC-7": "Boundary-protection control does not flag publicly reachable Gradio apps as a file-read / SSRF surface to host secrets.",
+      "ISO-27001-2022-A.8.8": "Vulnerability management rarely enumerates the ML demo framework's file-serving routes as an access-control surface.",
+      "NIS2-Art21-patch-management": "Article 21 measures do not reach the ML demo framework as a privileged, internet-exposed surface.",
+      "DORA-Art-9": "ICT protection measures do not model file-read / SSRF in an ML demo framework leaking host secrets as an ICT-risk event.",
+      "UK-CAF-B4": "System Security objective has no objective for directory containment on the ML framework's file routes.",
+      "AU-ISM-1546": "Patch-application control does not single out ML demo/UI frameworks.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework treats the ML demo framework's file-serving / component routes as an untrusted-input access-control surface; a public Gradio app leaks host secrets (HF Spaces tokens)."
+    },
+    "atlas_refs": [
+      "AML.T0049",
+      "AML.T0055"
+    ],
+    "attack_refs": [
+      "T1190",
+      "T1083",
+      "T1005"
+    ],
+    "rwep_score": 31,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 26,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Standard (RWEP 31, \"patch within 30 days\" band per lib/scoring.js timeline). Not KEV, no confirmed in-the-wild exploitation, patched at/after disclosure (Hard Rule #3). poc_available=20 + blast_radius=26 (Gradio underpins Hugging Face Spaces and countless public ML demos) minus patch 15. Note: secret theft from internet-exposed apps raises operational urgency beyond the RWEP number.",
+    "epss_score": null,
+    "epss_date": "2026-05-25",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2024-1561",
+    "cwe_refs": [
+      "CWE-22"
+    ],
+    "iocs": {
+      "behavioral": [
+        "Requests to a public Gradio app's /component_server endpoint invoking move_resource_to_block_cache with attacker-controlled paths.",
+        "Gradio serving files from outside its temp/cache directory (e.g. /proc, app secrets, .env, HF Spaces secret mounts).",
+        "Anomalous reads of credential/secret files by the Gradio app process following inbound requests.",
+        "Gradio at an affected version (Gradio >= 4.12.0, < 4.13.0) reachable from untrusted networks — the exposed precondition."
+      ],
+      "_ioc_source_note": "Behavioral signatures derived from Horizon3.ai's research (https://horizon3.ai/attack-research/disclosures/exploiting-file-read-vulnerabilities-in-gradio-to-steal-secrets-from-hugging-face-spaces/), the Gradio GitHub security advisory (https://github.com/advisories/GHSA-g9cj-cfpp-4g2x), and NVD CVE-2024-1561 (CWE-22)."
+    },
+    "source_verified": "2026-05-25",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2024-1561",
+      "https://github.com/advisories/GHSA-g9cj-cfpp-4g2x",
+      "https://horizon3.ai/attack-research/disclosures/exploiting-file-read-vulnerabilities-in-gradio-to-steal-secrets-from-hugging-face-spaces/"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "GitHub Security Advisory",
+        "advisory_id": "CVE-2024-1561",
+        "url": "https://github.com/advisories/GHSA-g9cj-cfpp-4g2x",
+        "severity": "high",
+        "published_date": "2024-04-15"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2024-1561",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1561",
+        "severity": "high",
+        "published_date": "2024-04-15"
+      }
+    ],
+    "last_updated": "2026-05-25",
+    "discovery_attribution_note": "Manually curated from NVD (CWE-22; NIST CVSS 7.5) + Horizon3.ai research + the gradio-app GitHub advisory. Member of the Gradio file-access family (Hugging Face Spaces secret theft).",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Gradio's /component_server lets an unauthenticated caller invoke move_resource_to_block_cache() to read arbitrary host files (CWE-22), stealing Hugging Face Spaces secrets; fixed in 4.13.0."
+  },
+  "CVE-2023-51449": {
+    "name": "Gradio /file Route Path Traversal and SSRF Arbitrary File Read",
+    "type": "INFO-DISCLOSURE",
+    "cvss_score": 7.5,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
+    "cvss_note": "NVD CVSS v3.1 base 7.5 (HIGH). A flawed containment check on the /file route allows path traversal outside the Gradio temp directory, and the route was also abusable for server-side request forgery (CWE-22 + SSRF).",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "Public exploitation research exists (Horizon3.ai 'Exploiting File Read Vulnerabilities in Gradio to Steal Secrets from Hugging Face Spaces'): an unauthenticated request to a public Gradio app reads arbitrary host files, including HF Spaces secrets.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed by Horizon3.ai. The abused surface is Gradio, the ML demo/UI framework behind Hugging Face Spaces and countless public ML demos.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; file-read / SSRF in the ML web framework.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "Research disclosure with a coordinated fix; no confirmed in-the-wild exploitation reported as of curation.",
+    "affected": "Gradio before 4.11.0 (the /file route containment check; SSRF via download_temp_copy_if_needed affects 3.47–3.50.2). Fixed in 4.11.0.",
+    "affected_versions": [
+      "Gradio < 4.11.0"
+    ],
+    "vector": "Gradio's /file route was meant to serve only files under the temp directory, but the containment check was flawed, allowing path traversal to read arbitrary files on a publicly reachable Gradio app (CWE-22). The same route could be abused for full-read SSRF. Disclosed by Horizon3.ai.",
+    "complexity": "low",
+    "complexity_notes": "NVD AV:N / AC:L / PR:N — unauthenticated, against a publicly reachable Gradio app.",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "Remediation is upgrading Gradio to 4.11.0 or later; redeploy, no host reboot.",
+    "vendor_update_paths": [
+      "Upgrade Gradio to 4.11.0 or later. Do not expose Gradio apps with sensitive host secrets to untrusted networks, run them least-privilege, and avoid storing secrets readable by the app process (relevant for Hugging Face Spaces)."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-2": "Flaw-remediation cadence does not track the ML demo/UI framework (Gradio) as managed, network-exposed software.",
+      "NIST-800-53-SC-7": "Boundary-protection control does not flag publicly reachable Gradio apps as a file-read / SSRF surface to host secrets.",
+      "ISO-27001-2022-A.8.8": "Vulnerability management rarely enumerates the ML demo framework's file-serving routes as an access-control surface.",
+      "NIS2-Art21-patch-management": "Article 21 measures do not reach the ML demo framework as a privileged, internet-exposed surface.",
+      "DORA-Art-9": "ICT protection measures do not model file-read / SSRF in an ML demo framework leaking host secrets as an ICT-risk event.",
+      "UK-CAF-B4": "System Security objective has no objective for directory containment on the ML framework's file routes.",
+      "AU-ISM-1546": "Patch-application control does not single out ML demo/UI frameworks.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework treats the ML demo framework's file-serving / component routes as an untrusted-input access-control surface; a public Gradio app leaks host secrets (HF Spaces tokens)."
+    },
+    "atlas_refs": [
+      "AML.T0049",
+      "AML.T0055"
+    ],
+    "attack_refs": [
+      "T1190",
+      "T1083",
+      "T1005"
+    ],
+    "rwep_score": 31,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 26,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Standard (RWEP 31, \"patch within 30 days\" band per lib/scoring.js timeline). Not KEV, no confirmed in-the-wild exploitation, patched at/after disclosure (Hard Rule #3). poc_available=20 + blast_radius=26 (Gradio underpins Hugging Face Spaces and countless public ML demos) minus patch 15. Note: secret theft from internet-exposed apps raises operational urgency beyond the RWEP number.",
+    "epss_score": null,
+    "epss_date": "2026-05-25",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2023-51449",
+    "cwe_refs": [
+      "CWE-22",
+      "CWE-918"
+    ],
+    "iocs": {
+      "behavioral": [
+        "Requests to a public Gradio app's /file route containing path-traversal sequences or external URLs (SSRF).",
+        "Gradio serving files from outside its temp/cache directory (e.g. /proc, app secrets, .env, HF Spaces secret mounts).",
+        "Anomalous reads of credential/secret files by the Gradio app process following inbound requests.",
+        "Gradio at an affected version (Gradio < 4.11.0) reachable from untrusted networks — the exposed precondition."
+      ],
+      "_ioc_source_note": "Behavioral signatures derived from Horizon3.ai's research (https://horizon3.ai/attack-research/disclosures/exploiting-file-read-vulnerabilities-in-gradio-to-steal-secrets-from-hugging-face-spaces/), the Gradio GitHub security advisory (https://github.com/advisories/GHSA-6qm2-wpxq-7qh2), and NVD CVE-2023-51449 (CWE-22/CWE-918)."
+    },
+    "source_verified": "2026-05-25",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2023-51449",
+      "https://github.com/advisories/GHSA-6qm2-wpxq-7qh2",
+      "https://horizon3.ai/attack-research/disclosures/exploiting-file-read-vulnerabilities-in-gradio-to-steal-secrets-from-hugging-face-spaces/"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "GitHub Security Advisory",
+        "advisory_id": "CVE-2023-51449",
+        "url": "https://github.com/advisories/GHSA-6qm2-wpxq-7qh2",
+        "severity": "high",
+        "published_date": "2023-12-22"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2023-51449",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-51449",
+        "severity": "high",
+        "published_date": "2023-12-22"
+      }
+    ],
+    "last_updated": "2026-05-25",
+    "discovery_attribution_note": "Manually curated from NVD (CWE-22/CWE-918; NIST CVSS 7.5) + Horizon3.ai research + the gradio-app GitHub advisory. Member of the Gradio file-access family (Hugging Face Spaces secret theft).",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Gradio's /file route containment check was flawed, allowing path traversal arbitrary file read (and SSRF) on a public Gradio app (CWE-22); fixed in 4.11.0."
+  },
   "CVE-2026-41091": {
     "name": "Microsoft Defender (Malware Protection Engine) Link-Following LPE to SYSTEM",
     "type": "LPE",

package/data/cwe-catalog.json CHANGED Viewed

@@ -94,8 +94,12 @@
       "CVE-2021-43798",
       "CVE-2023-38950",
       "CVE-2023-43472",
+      "CVE-2023-51449",
       "CVE-2024-0769",
+      "CVE-2024-1561",
       "CVE-2024-1708",
+      "CVE-2024-37032",
+      "CVE-2024-39722",
       "CVE-2024-57728",
       "CVE-2024-7399",
       "CVE-2025-2749",
@@ -1832,6 +1836,7 @@
       "CVE-2021-39935",
       "CVE-2023-43654",
       "CVE-2023-48022",
+      "CVE-2023-51449",
       "CVE-2025-61884"
     ],
     "framework_controls_partially_addressing": [

package/data/framework-control-gaps.json CHANGED Viewed

@@ -37,7 +37,11 @@
       "CVE-2022-1471",
       "CVE-2023-43654",
       "CVE-2023-48022",
+      "CVE-2023-51449",
       "CVE-2024-0132",
+      "CVE-2024-1561",
+      "CVE-2024-37032",
+      "CVE-2024-39722",
       "CVE-2024-42478",
       "CVE-2024-42479",
       "CVE-2024-50050",
@@ -1365,15 +1369,19 @@
       "CVE-2023-43000",
       "CVE-2023-43654",
       "CVE-2023-50224",
+      "CVE-2023-51449",
       "CVE-2023-52163",
       "CVE-2024-0769",
       "CVE-2024-11182",
       "CVE-2024-12987",
+      "CVE-2024-1561",
       "CVE-2024-1708",
       "CVE-2024-21762",
       "CVE-2024-27199",
       "CVE-2024-27443",
+      "CVE-2024-37032",
       "CVE-2024-37079",
+      "CVE-2024-39722",
       "CVE-2024-42009",
       "CVE-2024-42478",
       "CVE-2024-42479",
@@ -1774,7 +1782,11 @@
       "CVE-2022-1471",
       "CVE-2023-43654",
       "CVE-2023-48022",
+      "CVE-2023-51449",
       "CVE-2024-0132",
+      "CVE-2024-1561",
+      "CVE-2024-37032",
+      "CVE-2024-39722",
       "CVE-2024-42478",
       "CVE-2024-42479",
       "CVE-2024-50050",
@@ -2139,7 +2151,9 @@
     "opened_date": "2026-05-01",
     "evidence_cves": [
       "CVE-2023-48022",
+      "CVE-2023-51449",
       "CVE-2024-0132",
+      "CVE-2024-1561",
       "CVE-2024-40635",
       "CVE-2024-42478",
       "CVE-2024-42479",
@@ -2213,6 +2227,8 @@
     "status": "open",
     "opened_date": "2026-05-13",
     "evidence_cves": [
+      "CVE-2024-37032",
+      "CVE-2024-39722",
       "CVE-2024-50050",
       "CVE-2025-0133",
       "CVE-2025-1094",
@@ -2360,16 +2376,20 @@
       "CVE-2023-43000",
       "CVE-2023-43654",
       "CVE-2023-50224",
+      "CVE-2023-51449",
       "CVE-2023-52163",
       "CVE-2024-0132",
       "CVE-2024-0769",
       "CVE-2024-11182",
       "CVE-2024-12987",
+      "CVE-2024-1561",
       "CVE-2024-1708",
       "CVE-2024-21762",
       "CVE-2024-27199",
       "CVE-2024-27443",
+      "CVE-2024-37032",
       "CVE-2024-37079",
+      "CVE-2024-39722",
       "CVE-2024-42009",
       "CVE-2024-42478",
       "CVE-2024-42479",
@@ -4846,8 +4866,12 @@
       "CVE-2022-1471",
       "CVE-2023-43654",
       "CVE-2023-48022",
+      "CVE-2023-51449",
       "CVE-2024-0132",
+      "CVE-2024-1561",
       "CVE-2024-21762",
+      "CVE-2024-37032",
+      "CVE-2024-39722",
       "CVE-2024-42478",
       "CVE-2024-42479",
       "CVE-2024-50050",
@@ -5369,8 +5393,12 @@
     "status": "open",
     "opened_date": "2026-05-17",
     "evidence_cves": [
+      "CVE-2023-51449",
       "CVE-2024-0132",
+      "CVE-2024-1561",
       "CVE-2024-21762",
+      "CVE-2024-37032",
+      "CVE-2024-39722",
       "CVE-2024-42478",
       "CVE-2024-42479",
       "CVE-2024-50050",
@@ -5435,8 +5463,12 @@
       "CVE-2022-1471",
       "CVE-2023-43654",
       "CVE-2023-48022",
+      "CVE-2023-51449",
       "CVE-2024-0132",
+      "CVE-2024-1561",
       "CVE-2024-21762",
+      "CVE-2024-37032",
+      "CVE-2024-39722",
       "CVE-2024-42478",
       "CVE-2024-42479",
       "CVE-2024-50050",