@blamejs/exceptd-skills 0.13.86 → 0.13.87

package/data/atlas-ttps.json

@@ -669,6 +669,8 @@
     "maturity": "moderate",
     "last_verified": "2026-05-19",
     "cve_refs": [
+      "CVE-2023-51449",
+      "CVE-2024-1561",
       "CVE-2026-42208",
       "MAL-2026-3083"
     ],
@@ -1705,6 +1707,8 @@
     "cve_refs": [
       "CVE-2023-43654",
       "CVE-2023-48022",
+      "CVE-2023-51449",
+      "CVE-2024-1561",
       "CVE-2024-37032",
       "CVE-2024-39722",
       "CVE-2024-42478",

package/data/attack-techniques.json

@@ -838,8 +838,10 @@
       "CVE-2023-39780",
       "CVE-2023-43654",
       "CVE-2023-48022",
+      "CVE-2023-51449",
       "CVE-2023-52163",
       "CVE-2024-12987",
+      "CVE-2024-1561",
       "CVE-2024-1709",
       "CVE-2024-21762",
       "CVE-2024-37032",
@@ -2429,6 +2431,8 @@
     "version": "v19",
     "cve_refs": [
       "CVE-2023-36424",
+      "CVE-2023-51449",
+      "CVE-2024-1561",
       "CVE-2025-14847",
       "CVE-2025-22226",
       "CVE-2025-47813",
@@ -3512,6 +3516,8 @@
     "stix_id": "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18",
     "is_subtechnique": false,
     "cve_refs": [
+      "CVE-2023-51449",
+      "CVE-2024-1561",
       "CVE-2024-39722",
       "CVE-2026-34926"
     ]

package/data/cve-catalog.json

@@ -12766,6 +12766,219 @@
     "_intake_method": "manual-verified-curation",
     "_kev_short_description": "Ollama's api/push route path traversal (CWE-22) lets an unauthenticated attacker disclose file existence on the host; fixed in 0.1.46."
   },
+  "CVE-2024-1561": {
+    "name": "Gradio /component_server Local File Read (Hugging Face Spaces Secret Theft)",
+    "type": "INFO-DISCLOSURE",
+    "cvss_score": 7.5,
+    "cvss_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
+    "cvss_note": "NVD CVSS v3.0 base 7.5 (HIGH). NVD assigns CWE-29 (a path-traversal variant); the parent class is CWE-22. The /component_server endpoint invokes any Component method with attacker-controlled arguments, abused via move_resource_to_block_cache() to read host files.",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "Public exploitation research exists (Horizon3.ai 'Exploiting File Read Vulnerabilities in Gradio to Steal Secrets from Hugging Face Spaces'): an unauthenticated request to a public Gradio app reads arbitrary host files, including HF Spaces secrets.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed by Horizon3.ai. The abused surface is Gradio, the ML demo/UI framework behind Hugging Face Spaces and countless public ML demos.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; file-read / SSRF in the ML web framework.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "Research disclosure with a coordinated fix; no confirmed in-the-wild exploitation reported as of curation.",
+    "affected": "Gradio 4.12.0 up to but excluding 4.13.0 (fixed in 4.13.0).",
+    "affected_versions": [
+      "Gradio >= 4.12.0, < 4.13.0"
+    ],
+    "vector": "Gradio's /component_server endpoint permits invoking arbitrary methods on a Component class with attacker-controlled arguments. An unauthenticated request invokes move_resource_to_block_cache() to copy an arbitrary host file into the served cache and read it (path traversal, CWE-22). On Hugging Face Spaces this reads secrets/tokens from the host. Disclosed by Horizon3.ai.",
+    "complexity": "low",
+    "complexity_notes": "NVD AV:N / AC:L / PR:N — unauthenticated, against a publicly reachable Gradio app.",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "Remediation is upgrading Gradio to 4.13.0 or later; redeploy, no host reboot.",
+    "vendor_update_paths": [
+      "Upgrade Gradio to 4.13.0 or later. Do not expose Gradio apps with sensitive host secrets to untrusted networks, run them least-privilege, and avoid storing secrets readable by the app process (relevant for Hugging Face Spaces)."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-2": "Flaw-remediation cadence does not track the ML demo/UI framework (Gradio) as managed, network-exposed software.",
+      "NIST-800-53-SC-7": "Boundary-protection control does not flag publicly reachable Gradio apps as a file-read / SSRF surface to host secrets.",
+      "ISO-27001-2022-A.8.8": "Vulnerability management rarely enumerates the ML demo framework's file-serving routes as an access-control surface.",
+      "NIS2-Art21-patch-management": "Article 21 measures do not reach the ML demo framework as a privileged, internet-exposed surface.",
+      "DORA-Art-9": "ICT protection measures do not model file-read / SSRF in an ML demo framework leaking host secrets as an ICT-risk event.",
+      "UK-CAF-B4": "System Security objective has no objective for directory containment on the ML framework's file routes.",
+      "AU-ISM-1546": "Patch-application control does not single out ML demo/UI frameworks.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework treats the ML demo framework's file-serving / component routes as an untrusted-input access-control surface; a public Gradio app leaks host secrets (HF Spaces tokens)."
+    },
+    "atlas_refs": [
+      "AML.T0049",
+      "AML.T0055"
+    ],
+    "attack_refs": [
+      "T1190",
+      "T1083",
+      "T1005"
+    ],
+    "rwep_score": 31,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 26,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Standard (RWEP 31, \"patch within 30 days\" band per lib/scoring.js timeline). Not KEV, no confirmed in-the-wild exploitation, patched at/after disclosure (Hard Rule #3). poc_available=20 + blast_radius=26 (Gradio underpins Hugging Face Spaces and countless public ML demos) minus patch 15. Note: secret theft from internet-exposed apps raises operational urgency beyond the RWEP number.",
+    "epss_score": null,
+    "epss_date": "2026-05-25",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2024-1561",
+    "cwe_refs": [
+      "CWE-22"
+    ],
+    "iocs": {
+      "behavioral": [
+        "Requests to a public Gradio app's /component_server endpoint invoking move_resource_to_block_cache with attacker-controlled paths.",
+        "Gradio serving files from outside its temp/cache directory (e.g. /proc, app secrets, .env, HF Spaces secret mounts).",
+        "Anomalous reads of credential/secret files by the Gradio app process following inbound requests.",
+        "Gradio at an affected version (Gradio >= 4.12.0, < 4.13.0) reachable from untrusted networks — the exposed precondition."
+      ],
+      "_ioc_source_note": "Behavioral signatures derived from Horizon3.ai's research (https://horizon3.ai/attack-research/disclosures/exploiting-file-read-vulnerabilities-in-gradio-to-steal-secrets-from-hugging-face-spaces/), the Gradio GitHub security advisory (https://github.com/advisories/GHSA-g9cj-cfpp-4g2x), and NVD CVE-2024-1561 (CWE-22)."
+    },
+    "source_verified": "2026-05-25",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2024-1561",
+      "https://github.com/advisories/GHSA-g9cj-cfpp-4g2x",
+      "https://horizon3.ai/attack-research/disclosures/exploiting-file-read-vulnerabilities-in-gradio-to-steal-secrets-from-hugging-face-spaces/"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "GitHub Security Advisory",
+        "advisory_id": "CVE-2024-1561",
+        "url": "https://github.com/advisories/GHSA-g9cj-cfpp-4g2x",
+        "severity": "high",
+        "published_date": "2024-04-15"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2024-1561",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1561",
+        "severity": "high",
+        "published_date": "2024-04-15"
+      }
+    ],
+    "last_updated": "2026-05-25",
+    "discovery_attribution_note": "Manually curated from NVD (CWE-22; NIST CVSS 7.5) + Horizon3.ai research + the gradio-app GitHub advisory. Member of the Gradio file-access family (Hugging Face Spaces secret theft).",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Gradio's /component_server lets an unauthenticated caller invoke move_resource_to_block_cache() to read arbitrary host files (CWE-22), stealing Hugging Face Spaces secrets; fixed in 4.13.0."
+  },
+  "CVE-2023-51449": {
+    "name": "Gradio /file Route Path Traversal and SSRF Arbitrary File Read",
+    "type": "INFO-DISCLOSURE",
+    "cvss_score": 7.5,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
+    "cvss_note": "NVD CVSS v3.1 base 7.5 (HIGH). A flawed containment check on the /file route allows path traversal outside the Gradio temp directory, and the route was also abusable for server-side request forgery (CWE-22 + SSRF).",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "Public exploitation research exists (Horizon3.ai 'Exploiting File Read Vulnerabilities in Gradio to Steal Secrets from Hugging Face Spaces'): an unauthenticated request to a public Gradio app reads arbitrary host files, including HF Spaces secrets.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed by Horizon3.ai. The abused surface is Gradio, the ML demo/UI framework behind Hugging Face Spaces and countless public ML demos.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; file-read / SSRF in the ML web framework.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "Research disclosure with a coordinated fix; no confirmed in-the-wild exploitation reported as of curation.",
+    "affected": "Gradio before 4.11.0 (the /file route containment check; SSRF via download_temp_copy_if_needed affects 3.47–3.50.2). Fixed in 4.11.0.",
+    "affected_versions": [
+      "Gradio < 4.11.0"
+    ],
+    "vector": "Gradio's /file route was meant to serve only files under the temp directory, but the containment check was flawed, allowing path traversal to read arbitrary files on a publicly reachable Gradio app (CWE-22). The same route could be abused for full-read SSRF. Disclosed by Horizon3.ai.",
+    "complexity": "low",
+    "complexity_notes": "NVD AV:N / AC:L / PR:N — unauthenticated, against a publicly reachable Gradio app.",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "Remediation is upgrading Gradio to 4.11.0 or later; redeploy, no host reboot.",
+    "vendor_update_paths": [
+      "Upgrade Gradio to 4.11.0 or later. Do not expose Gradio apps with sensitive host secrets to untrusted networks, run them least-privilege, and avoid storing secrets readable by the app process (relevant for Hugging Face Spaces)."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-2": "Flaw-remediation cadence does not track the ML demo/UI framework (Gradio) as managed, network-exposed software.",
+      "NIST-800-53-SC-7": "Boundary-protection control does not flag publicly reachable Gradio apps as a file-read / SSRF surface to host secrets.",
+      "ISO-27001-2022-A.8.8": "Vulnerability management rarely enumerates the ML demo framework's file-serving routes as an access-control surface.",
+      "NIS2-Art21-patch-management": "Article 21 measures do not reach the ML demo framework as a privileged, internet-exposed surface.",
+      "DORA-Art-9": "ICT protection measures do not model file-read / SSRF in an ML demo framework leaking host secrets as an ICT-risk event.",
+      "UK-CAF-B4": "System Security objective has no objective for directory containment on the ML framework's file routes.",
+      "AU-ISM-1546": "Patch-application control does not single out ML demo/UI frameworks.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework treats the ML demo framework's file-serving / component routes as an untrusted-input access-control surface; a public Gradio app leaks host secrets (HF Spaces tokens)."
+    },
+    "atlas_refs": [
+      "AML.T0049",
+      "AML.T0055"
+    ],
+    "attack_refs": [
+      "T1190",
+      "T1083",
+      "T1005"
+    ],
+    "rwep_score": 31,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 26,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Standard (RWEP 31, \"patch within 30 days\" band per lib/scoring.js timeline). Not KEV, no confirmed in-the-wild exploitation, patched at/after disclosure (Hard Rule #3). poc_available=20 + blast_radius=26 (Gradio underpins Hugging Face Spaces and countless public ML demos) minus patch 15. Note: secret theft from internet-exposed apps raises operational urgency beyond the RWEP number.",
+    "epss_score": null,
+    "epss_date": "2026-05-25",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2023-51449",
+    "cwe_refs": [
+      "CWE-22",
+      "CWE-918"
+    ],
+    "iocs": {
+      "behavioral": [
+        "Requests to a public Gradio app's /file route containing path-traversal sequences or external URLs (SSRF).",
+        "Gradio serving files from outside its temp/cache directory (e.g. /proc, app secrets, .env, HF Spaces secret mounts).",
+        "Anomalous reads of credential/secret files by the Gradio app process following inbound requests.",
+        "Gradio at an affected version (Gradio < 4.11.0) reachable from untrusted networks — the exposed precondition."
+      ],
+      "_ioc_source_note": "Behavioral signatures derived from Horizon3.ai's research (https://horizon3.ai/attack-research/disclosures/exploiting-file-read-vulnerabilities-in-gradio-to-steal-secrets-from-hugging-face-spaces/), the Gradio GitHub security advisory (https://github.com/advisories/GHSA-6qm2-wpxq-7qh2), and NVD CVE-2023-51449 (CWE-22/CWE-918)."
+    },
+    "source_verified": "2026-05-25",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2023-51449",
+      "https://github.com/advisories/GHSA-6qm2-wpxq-7qh2",
+      "https://horizon3.ai/attack-research/disclosures/exploiting-file-read-vulnerabilities-in-gradio-to-steal-secrets-from-hugging-face-spaces/"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "GitHub Security Advisory",
+        "advisory_id": "CVE-2023-51449",
+        "url": "https://github.com/advisories/GHSA-6qm2-wpxq-7qh2",
+        "severity": "high",
+        "published_date": "2023-12-22"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2023-51449",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-51449",
+        "severity": "high",
+        "published_date": "2023-12-22"
+      }
+    ],
+    "last_updated": "2026-05-25",
+    "discovery_attribution_note": "Manually curated from NVD (CWE-22/CWE-918; NIST CVSS 7.5) + Horizon3.ai research + the gradio-app GitHub advisory. Member of the Gradio file-access family (Hugging Face Spaces secret theft).",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Gradio's /file route containment check was flawed, allowing path traversal arbitrary file read (and SSRF) on a public Gradio app (CWE-22); fixed in 4.11.0."
+  },
   "CVE-2026-41091": {
     "name": "Microsoft Defender (Malware Protection Engine) Link-Following LPE to SYSTEM",
     "type": "LPE",

package/data/cwe-catalog.json

@@ -94,7 +94,9 @@
       "CVE-2021-43798",
       "CVE-2023-38950",
       "CVE-2023-43472",
+      "CVE-2023-51449",
       "CVE-2024-0769",
+      "CVE-2024-1561",
       "CVE-2024-1708",
       "CVE-2024-37032",
       "CVE-2024-39722",
@@ -1834,6 +1836,7 @@
       "CVE-2021-39935",
       "CVE-2023-43654",
       "CVE-2023-48022",
+      "CVE-2023-51449",
       "CVE-2025-61884"
     ],
     "framework_controls_partially_addressing": [

package/data/framework-control-gaps.json

@@ -37,7 +37,9 @@
       "CVE-2022-1471",
       "CVE-2023-43654",
       "CVE-2023-48022",
+      "CVE-2023-51449",
       "CVE-2024-0132",
+      "CVE-2024-1561",
       "CVE-2024-37032",
       "CVE-2024-39722",
       "CVE-2024-42478",
@@ -1367,10 +1369,12 @@
       "CVE-2023-43000",
       "CVE-2023-43654",
       "CVE-2023-50224",
+      "CVE-2023-51449",
       "CVE-2023-52163",
       "CVE-2024-0769",
       "CVE-2024-11182",
       "CVE-2024-12987",
+      "CVE-2024-1561",
       "CVE-2024-1708",
       "CVE-2024-21762",
       "CVE-2024-27199",
@@ -1778,7 +1782,9 @@
       "CVE-2022-1471",
       "CVE-2023-43654",
       "CVE-2023-48022",
+      "CVE-2023-51449",
       "CVE-2024-0132",
+      "CVE-2024-1561",
       "CVE-2024-37032",
       "CVE-2024-39722",
       "CVE-2024-42478",
@@ -2145,7 +2151,9 @@
     "opened_date": "2026-05-01",
     "evidence_cves": [
       "CVE-2023-48022",
+      "CVE-2023-51449",
       "CVE-2024-0132",
+      "CVE-2024-1561",
       "CVE-2024-40635",
       "CVE-2024-42478",
       "CVE-2024-42479",
@@ -2368,11 +2376,13 @@
       "CVE-2023-43000",
       "CVE-2023-43654",
       "CVE-2023-50224",
+      "CVE-2023-51449",
       "CVE-2023-52163",
       "CVE-2024-0132",
       "CVE-2024-0769",
       "CVE-2024-11182",
       "CVE-2024-12987",
+      "CVE-2024-1561",
       "CVE-2024-1708",
       "CVE-2024-21762",
       "CVE-2024-27199",
@@ -4856,7 +4866,9 @@
       "CVE-2022-1471",
       "CVE-2023-43654",
       "CVE-2023-48022",
+      "CVE-2023-51449",
       "CVE-2024-0132",
+      "CVE-2024-1561",
       "CVE-2024-21762",
       "CVE-2024-37032",
       "CVE-2024-39722",
@@ -5381,7 +5393,9 @@
     "status": "open",
     "opened_date": "2026-05-17",
     "evidence_cves": [
+      "CVE-2023-51449",
       "CVE-2024-0132",
+      "CVE-2024-1561",
       "CVE-2024-21762",
       "CVE-2024-37032",
       "CVE-2024-39722",
@@ -5449,7 +5463,9 @@
       "CVE-2022-1471",
       "CVE-2023-43654",
       "CVE-2023-48022",
+      "CVE-2023-51449",
       "CVE-2024-0132",
+      "CVE-2024-1561",
       "CVE-2024-21762",
       "CVE-2024-37032",
       "CVE-2024-39722",

package/data/zeroday-lessons.json

@@ -7433,6 +7433,106 @@
     "_auto_imported": false,
     "_intake_method": "manual-verified-curation"
   },
+  "CVE-2024-1561": {
+    "name": "Gradio /component_server Local File Read (Hugging Face Spaces Secret Theft)",
+    "lesson_date": "2026-05-25",
+    "attack_vector": {
+      "description": "Gradio CWE-22 file read via the /component_server method-invocation endpoint: an unauthenticated request to a publicly reachable Gradio app reads arbitrary host files, including the secrets/tokens mounted into Hugging Face Spaces.",
+      "privileges_required": "none (NVD PR:N) — unauthenticated against a public Gradio app",
+      "complexity": "low (NVD AC:L)",
+      "ai_factor": "The abused surface is the ML demo/UI framework behind Hugging Face Spaces and countless public ML demos. The lesson: an ML app framework's file-serving and component routes are access-control surfaces — they must enforce directory containment and not expose arbitrary method invocation, and apps holding secrets must not be reachable by untrusted clients. Horizon3.ai demonstrated mass secret theft from HF Spaces."
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Does not track the ML demo/UI framework (Gradio) as managed, network-exposed software."
+      },
+      "NIST-800-53-SC-7": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Does not flag publicly reachable Gradio apps as a file-read / SSRF surface to host secrets."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework treats the ML demo framework's file/component routes as an untrusted-input access-control surface."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 72,
+      "basis": "Public ML demos (HF Spaces) are deployed with secrets readable by the app process and the framework treated as trusted; file-serving routes are not audited for containment.",
+      "theater_pattern": "ai_demo_framework_trust"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-095",
+        "name": "AI-WEBUI-FILE-ROUTE-CONTAINMENT",
+        "description": "An ML demo/UI framework's file-serving routes must enforce strict directory containment (canonicalize and verify the resolved path stays under the allowed temp directory), must not expose arbitrary component-method invocation, and must not perform server-side fetches of attacker-supplied URLs (SSRF). Upgrade Gradio to 4.13.0 or later, keep secrets out of the app process's readable filesystem, and do not expose secret-bearing Gradio apps to untrusted networks (HF Spaces). The distinguishing test: from an unauthenticated client, request a path-traversal file and an external URL against a staging app and confirm both are refused.",
+        "evidence": "https://github.com/advisories/GHSA-g9cj-cfpp-4g2x",
+        "gap_closes": [
+          "NIST-800-53-SI-2",
+          "NIST-800-53-SC-7",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
+  "CVE-2023-51449": {
+    "name": "Gradio /file Route Path Traversal and SSRF Arbitrary File Read",
+    "lesson_date": "2026-05-25",
+    "attack_vector": {
+      "description": "Gradio CWE-22 path traversal + SSRF on the /file route: an unauthenticated request to a publicly reachable Gradio app reads arbitrary host files, including the secrets/tokens mounted into Hugging Face Spaces.",
+      "privileges_required": "none (NVD PR:N) — unauthenticated against a public Gradio app",
+      "complexity": "low (NVD AC:L)",
+      "ai_factor": "The abused surface is the ML demo/UI framework behind Hugging Face Spaces and countless public ML demos. The lesson: an ML app framework's file-serving and component routes are access-control surfaces — they must enforce directory containment and not expose arbitrary method invocation, and apps holding secrets must not be reachable by untrusted clients. Horizon3.ai demonstrated mass secret theft from HF Spaces."
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Does not track the ML demo/UI framework (Gradio) as managed, network-exposed software."
+      },
+      "NIST-800-53-SC-7": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Does not flag publicly reachable Gradio apps as a file-read / SSRF surface to host secrets."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework treats the ML demo framework's file/component routes as an untrusted-input access-control surface."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 70,
+      "basis": "Public ML demos (HF Spaces) are deployed with secrets readable by the app process and the framework treated as trusted; file-serving routes are not audited for containment.",
+      "theater_pattern": "ai_demo_framework_trust"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-095",
+        "name": "AI-WEBUI-FILE-ROUTE-CONTAINMENT",
+        "description": "An ML demo/UI framework's file-serving routes must enforce strict directory containment (canonicalize and verify the resolved path stays under the allowed temp directory), must not expose arbitrary component-method invocation, and must not perform server-side fetches of attacker-supplied URLs (SSRF). Upgrade Gradio to 4.11.0 or later, keep secrets out of the app process's readable filesystem, and do not expose secret-bearing Gradio apps to untrusted networks (HF Spaces). The distinguishing test: from an unauthenticated client, request a path-traversal file and an external URL against a staging app and confirm both are refused.",
+        "evidence": "https://github.com/advisories/GHSA-6qm2-wpxq-7qh2",
+        "gap_closes": [
+          "NIST-800-53-SI-2",
+          "NIST-800-53-SC-7",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
   "CVE-2024-39722": {
     "name": "Ollama api/push Path Traversal File-Existence Disclosure",
     "lesson_date": "2026-05-25",