@blamejs/exceptd-skills 0.13.86 → 0.13.88

package/data/cwe-catalog.json

@@ -94,7 +94,9 @@
       "CVE-2021-43798",
       "CVE-2023-38950",
       "CVE-2023-43472",
+      "CVE-2023-51449",
       "CVE-2024-0769",
+      "CVE-2024-1561",
       "CVE-2024-1708",
       "CVE-2024-37032",
       "CVE-2024-39722",
@@ -1308,6 +1310,9 @@
     "evidence_cves": [
       "CVE-2022-1471",
       "CVE-2023-21529",
+      "CVE-2024-11392",
+      "CVE-2024-11393",
+      "CVE-2024-11394",
       "CVE-2024-50050",
       "CVE-2024-8069",
       "CVE-2025-10035",
@@ -1834,6 +1839,7 @@
       "CVE-2021-39935",
       "CVE-2023-43654",
       "CVE-2023-48022",
+      "CVE-2023-51449",
       "CVE-2025-61884"
     ],
     "framework_controls_partially_addressing": [

package/data/framework-control-gaps.json

@@ -37,7 +37,12 @@
       "CVE-2022-1471",
       "CVE-2023-43654",
       "CVE-2023-48022",
+      "CVE-2023-51449",
       "CVE-2024-0132",
+      "CVE-2024-11392",
+      "CVE-2024-11393",
+      "CVE-2024-11394",
+      "CVE-2024-1561",
       "CVE-2024-37032",
       "CVE-2024-39722",
       "CVE-2024-42478",
@@ -1367,10 +1372,15 @@
       "CVE-2023-43000",
       "CVE-2023-43654",
       "CVE-2023-50224",
+      "CVE-2023-51449",
       "CVE-2023-52163",
       "CVE-2024-0769",
       "CVE-2024-11182",
+      "CVE-2024-11392",
+      "CVE-2024-11393",
+      "CVE-2024-11394",
       "CVE-2024-12987",
+      "CVE-2024-1561",
       "CVE-2024-1708",
       "CVE-2024-21762",
       "CVE-2024-27199",
@@ -1778,7 +1788,12 @@
       "CVE-2022-1471",
       "CVE-2023-43654",
       "CVE-2023-48022",
+      "CVE-2023-51449",
       "CVE-2024-0132",
+      "CVE-2024-11392",
+      "CVE-2024-11393",
+      "CVE-2024-11394",
+      "CVE-2024-1561",
       "CVE-2024-37032",
       "CVE-2024-39722",
       "CVE-2024-42478",
@@ -2145,7 +2160,9 @@
     "opened_date": "2026-05-01",
     "evidence_cves": [
       "CVE-2023-48022",
+      "CVE-2023-51449",
       "CVE-2024-0132",
+      "CVE-2024-1561",
       "CVE-2024-40635",
       "CVE-2024-42478",
       "CVE-2024-42479",
@@ -2219,6 +2236,9 @@
     "status": "open",
     "opened_date": "2026-05-13",
     "evidence_cves": [
+      "CVE-2024-11392",
+      "CVE-2024-11393",
+      "CVE-2024-11394",
       "CVE-2024-37032",
       "CVE-2024-39722",
       "CVE-2024-50050",
@@ -2368,11 +2388,16 @@
       "CVE-2023-43000",
       "CVE-2023-43654",
       "CVE-2023-50224",
+      "CVE-2023-51449",
       "CVE-2023-52163",
       "CVE-2024-0132",
       "CVE-2024-0769",
       "CVE-2024-11182",
+      "CVE-2024-11392",
+      "CVE-2024-11393",
+      "CVE-2024-11394",
       "CVE-2024-12987",
+      "CVE-2024-1561",
       "CVE-2024-1708",
       "CVE-2024-21762",
       "CVE-2024-27199",
@@ -4856,7 +4881,12 @@
       "CVE-2022-1471",
       "CVE-2023-43654",
       "CVE-2023-48022",
+      "CVE-2023-51449",
       "CVE-2024-0132",
+      "CVE-2024-11392",
+      "CVE-2024-11393",
+      "CVE-2024-11394",
+      "CVE-2024-1561",
       "CVE-2024-21762",
       "CVE-2024-37032",
       "CVE-2024-39722",
@@ -5381,7 +5411,12 @@
     "status": "open",
     "opened_date": "2026-05-17",
     "evidence_cves": [
+      "CVE-2023-51449",
       "CVE-2024-0132",
+      "CVE-2024-11392",
+      "CVE-2024-11393",
+      "CVE-2024-11394",
+      "CVE-2024-1561",
       "CVE-2024-21762",
       "CVE-2024-37032",
       "CVE-2024-39722",
@@ -5449,7 +5484,12 @@
       "CVE-2022-1471",
       "CVE-2023-43654",
       "CVE-2023-48022",
+      "CVE-2023-51449",
       "CVE-2024-0132",
+      "CVE-2024-11392",
+      "CVE-2024-11393",
+      "CVE-2024-11394",
+      "CVE-2024-1561",
       "CVE-2024-21762",
       "CVE-2024-37032",
       "CVE-2024-39722",

package/data/zeroday-lessons.json

@@ -7433,6 +7433,256 @@
     "_auto_imported": false,
     "_intake_method": "manual-verified-curation"
   },
+  "CVE-2024-1561": {
+    "name": "Gradio /component_server Local File Read (Hugging Face Spaces Secret Theft)",
+    "lesson_date": "2026-05-25",
+    "attack_vector": {
+      "description": "Gradio CWE-22 file read via the /component_server method-invocation endpoint: an unauthenticated request to a publicly reachable Gradio app reads arbitrary host files, including the secrets/tokens mounted into Hugging Face Spaces.",
+      "privileges_required": "none (NVD PR:N) — unauthenticated against a public Gradio app",
+      "complexity": "low (NVD AC:L)",
+      "ai_factor": "The abused surface is the ML demo/UI framework behind Hugging Face Spaces and countless public ML demos. The lesson: an ML app framework's file-serving and component routes are access-control surfaces — they must enforce directory containment and not expose arbitrary method invocation, and apps holding secrets must not be reachable by untrusted clients. Horizon3.ai demonstrated mass secret theft from HF Spaces."
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Does not track the ML demo/UI framework (Gradio) as managed, network-exposed software."
+      },
+      "NIST-800-53-SC-7": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Does not flag publicly reachable Gradio apps as a file-read / SSRF surface to host secrets."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework treats the ML demo framework's file/component routes as an untrusted-input access-control surface."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 72,
+      "basis": "Public ML demos (HF Spaces) are deployed with secrets readable by the app process and the framework treated as trusted; file-serving routes are not audited for containment.",
+      "theater_pattern": "ai_demo_framework_trust"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-095",
+        "name": "AI-WEBUI-FILE-ROUTE-CONTAINMENT",
+        "description": "An ML demo/UI framework's file-serving routes must enforce strict directory containment (canonicalize and verify the resolved path stays under the allowed temp directory), must not expose arbitrary component-method invocation, and must not perform server-side fetches of attacker-supplied URLs (SSRF). Upgrade Gradio to 4.13.0 or later, keep secrets out of the app process's readable filesystem, and do not expose secret-bearing Gradio apps to untrusted networks (HF Spaces). The distinguishing test: from an unauthenticated client, request a path-traversal file and an external URL against a staging app and confirm both are refused.",
+        "evidence": "https://github.com/advisories/GHSA-g9cj-cfpp-4g2x",
+        "gap_closes": [
+          "NIST-800-53-SI-2",
+          "NIST-800-53-SC-7",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
+  "CVE-2024-11392": {
+    "name": "Hugging Face Transformers MobileViTV2 Deserialization Remote Code Execution",
+    "lesson_date": "2026-05-25",
+    "attack_vector": {
+      "description": "Hugging Face Transformers' MobileViTV2 loader deserializes untrusted configuration files without validation (CWE-502), so loading a malicious MobileViTV2 model/config executes attacker code in the user's process.",
+      "privileges_required": "none beyond getting a user to load an untrusted MobileViTV2 model/config (NVD UI:R)",
+      "complexity": "low (NVD AC:L)",
+      "ai_factor": "The abused surface is a model loader in the foundational ML library (Hugging Face Transformers). The lesson is the same one the Keras CVEs teach at ecosystem scale: a model artifact is executable code at load time, so artifacts must be treated as untrusted (provenance, safe formats, sandboxed loading) — pulling from a model hub is a supply-chain trust decision, not a data fetch."
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Does not track the foundational ML library's model loaders as RCE-bearing software."
+      },
+      "NIST-800-53-SI-10": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Input validation is not applied to model artifacts/configs the library deserializes at load time."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework treats an ML model artifact as untrusted executable input; loading one from an untrusted source through Transformers is RCE."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 73,
+      "basis": "ML pipelines pull models from hubs and treat them as data; the foundational library's loaders are assumed safe despite per-loader deserialization RCEs.",
+      "theater_pattern": "model_artifact_trust"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-091",
+        "name": "UNTRUSTED-MODEL-ARTIFACT-LOADING",
+        "description": "Treat ML model artifacts as untrusted code: never load models/configs from untrusted sources, verify provenance, prefer safe formats (e.g. safetensors), and load untrusted models only in a sandboxed, network-isolated, least-privilege environment. Upgrade Hugging Face Transformers to 4.48.0 or later (which fixes the MobileViTV2 loader deserialization, CVE-2024-11392). The control is the same one that closes the Keras model-deserialization CVEs — the class is 'model file equals executable code', not a single loader. The distinguishing test: load an attacker-crafted MobileViTV2 artifact on a sandboxed instance and confirm no code executes.",
+        "evidence": "https://nvd.nist.gov/vuln/detail/CVE-2024-11392",
+        "gap_closes": [
+          "NIST-800-53-SI-2",
+          "NIST-800-53-SI-10",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
+  "CVE-2024-11393": {
+    "name": "Hugging Face Transformers MaskFormer Deserialization Remote Code Execution",
+    "lesson_date": "2026-05-25",
+    "attack_vector": {
+      "description": "Hugging Face Transformers' MaskFormer loader deserializes untrusted model files without validation (CWE-502), so loading a malicious MaskFormer model/config executes attacker code in the user's process.",
+      "privileges_required": "none beyond getting a user to load an untrusted MaskFormer model/config (NVD UI:R)",
+      "complexity": "low (NVD AC:L)",
+      "ai_factor": "The abused surface is a model loader in the foundational ML library (Hugging Face Transformers). The lesson is the same one the Keras CVEs teach at ecosystem scale: a model artifact is executable code at load time, so artifacts must be treated as untrusted (provenance, safe formats, sandboxed loading) — pulling from a model hub is a supply-chain trust decision, not a data fetch."
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Does not track the foundational ML library's model loaders as RCE-bearing software."
+      },
+      "NIST-800-53-SI-10": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Input validation is not applied to model artifacts/configs the library deserializes at load time."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework treats an ML model artifact as untrusted executable input; loading one from an untrusted source through Transformers is RCE."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 73,
+      "basis": "ML pipelines pull models from hubs and treat them as data; the foundational library's loaders are assumed safe despite per-loader deserialization RCEs.",
+      "theater_pattern": "model_artifact_trust"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-091",
+        "name": "UNTRUSTED-MODEL-ARTIFACT-LOADING",
+        "description": "Treat ML model artifacts as untrusted code: never load models/configs from untrusted sources, verify provenance, prefer safe formats (e.g. safetensors), and load untrusted models only in a sandboxed, network-isolated, least-privilege environment. Upgrade Hugging Face Transformers to 4.48.0 or later (which fixes the MaskFormer loader deserialization, CVE-2024-11393). The control is the same one that closes the Keras model-deserialization CVEs — the class is 'model file equals executable code', not a single loader. The distinguishing test: load an attacker-crafted MaskFormer artifact on a sandboxed instance and confirm no code executes.",
+        "evidence": "https://nvd.nist.gov/vuln/detail/CVE-2024-11393",
+        "gap_closes": [
+          "NIST-800-53-SI-2",
+          "NIST-800-53-SI-10",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
+  "CVE-2024-11394": {
+    "name": "Hugging Face Transformers Trax Deserialization Remote Code Execution",
+    "lesson_date": "2026-05-25",
+    "attack_vector": {
+      "description": "Hugging Face Transformers' Trax loader deserializes untrusted model files without validation (CWE-502), so loading a malicious Trax model/config executes attacker code in the user's process.",
+      "privileges_required": "none beyond getting a user to load an untrusted Trax model/config (NVD UI:R)",
+      "complexity": "low (NVD AC:L)",
+      "ai_factor": "The abused surface is a model loader in the foundational ML library (Hugging Face Transformers). The lesson is the same one the Keras CVEs teach at ecosystem scale: a model artifact is executable code at load time, so artifacts must be treated as untrusted (provenance, safe formats, sandboxed loading) — pulling from a model hub is a supply-chain trust decision, not a data fetch."
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Does not track the foundational ML library's model loaders as RCE-bearing software."
+      },
+      "NIST-800-53-SI-10": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Input validation is not applied to model artifacts/configs the library deserializes at load time."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework treats an ML model artifact as untrusted executable input; loading one from an untrusted source through Transformers is RCE."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 73,
+      "basis": "ML pipelines pull models from hubs and treat them as data; the foundational library's loaders are assumed safe despite per-loader deserialization RCEs.",
+      "theater_pattern": "model_artifact_trust"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-091",
+        "name": "UNTRUSTED-MODEL-ARTIFACT-LOADING",
+        "description": "Treat ML model artifacts as untrusted code: never load models/configs from untrusted sources, verify provenance, prefer safe formats (e.g. safetensors), and load untrusted models only in a sandboxed, network-isolated, least-privilege environment. Upgrade Hugging Face Transformers to 4.48.0 or later (which fixes the Trax loader deserialization, CVE-2024-11394). The control is the same one that closes the Keras model-deserialization CVEs — the class is 'model file equals executable code', not a single loader. The distinguishing test: load an attacker-crafted Trax artifact on a sandboxed instance and confirm no code executes.",
+        "evidence": "https://nvd.nist.gov/vuln/detail/CVE-2024-11394",
+        "gap_closes": [
+          "NIST-800-53-SI-2",
+          "NIST-800-53-SI-10",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
+  "CVE-2023-51449": {
+    "name": "Gradio /file Route Path Traversal and SSRF Arbitrary File Read",
+    "lesson_date": "2026-05-25",
+    "attack_vector": {
+      "description": "Gradio CWE-22 path traversal + SSRF on the /file route: an unauthenticated request to a publicly reachable Gradio app reads arbitrary host files, including the secrets/tokens mounted into Hugging Face Spaces.",
+      "privileges_required": "none (NVD PR:N) — unauthenticated against a public Gradio app",
+      "complexity": "low (NVD AC:L)",
+      "ai_factor": "The abused surface is the ML demo/UI framework behind Hugging Face Spaces and countless public ML demos. The lesson: an ML app framework's file-serving and component routes are access-control surfaces — they must enforce directory containment and not expose arbitrary method invocation, and apps holding secrets must not be reachable by untrusted clients. Horizon3.ai demonstrated mass secret theft from HF Spaces."
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Does not track the ML demo/UI framework (Gradio) as managed, network-exposed software."
+      },
+      "NIST-800-53-SC-7": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Does not flag publicly reachable Gradio apps as a file-read / SSRF surface to host secrets."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework treats the ML demo framework's file/component routes as an untrusted-input access-control surface."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 70,
+      "basis": "Public ML demos (HF Spaces) are deployed with secrets readable by the app process and the framework treated as trusted; file-serving routes are not audited for containment.",
+      "theater_pattern": "ai_demo_framework_trust"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-095",
+        "name": "AI-WEBUI-FILE-ROUTE-CONTAINMENT",
+        "description": "An ML demo/UI framework's file-serving routes must enforce strict directory containment (canonicalize and verify the resolved path stays under the allowed temp directory), must not expose arbitrary component-method invocation, and must not perform server-side fetches of attacker-supplied URLs (SSRF). Upgrade Gradio to 4.11.0 or later, keep secrets out of the app process's readable filesystem, and do not expose secret-bearing Gradio apps to untrusted networks (HF Spaces). The distinguishing test: from an unauthenticated client, request a path-traversal file and an external URL against a staging app and confirm both are refused.",
+        "evidence": "https://github.com/advisories/GHSA-6qm2-wpxq-7qh2",
+        "gap_closes": [
+          "NIST-800-53-SI-2",
+          "NIST-800-53-SC-7",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
   "CVE-2024-39722": {
     "name": "Ollama api/push Path Traversal File-Existence Disclosure",
     "lesson_date": "2026-05-25",