@blamejs/exceptd-skills 0.13.95 → 0.13.97

package/data/framework-control-gaps.json

@@ -51,7 +51,9 @@
       "CVE-2024-39722",
       "CVE-2024-42478",
       "CVE-2024-42479",
+      "CVE-2024-4889",
       "CVE-2024-50050",
+      "CVE-2024-6587",
       "CVE-2025-1550",
       "CVE-2025-1753",
       "CVE-2025-23254",
@@ -64,6 +66,7 @@
       "CVE-2025-54136",
       "CVE-2025-60455",
       "CVE-2025-64496",
+      "CVE-2025-64513",
       "CVE-2025-8747",
       "CVE-2026-0766",
       "CVE-2026-22252",
@@ -74,6 +77,7 @@
       "CVE-2026-24214",
       "CVE-2026-24215",
       "CVE-2026-26015",
+      "CVE-2026-26190",
       "CVE-2026-30616",
       "CVE-2026-30617",
       "CVE-2026-30624",
@@ -1410,11 +1414,13 @@
       "CVE-2024-42478",
       "CVE-2024-42479",
       "CVE-2024-43468",
+      "CVE-2024-4889",
       "CVE-2024-50050",
       "CVE-2024-54085",
       "CVE-2024-56145",
       "CVE-2024-57726",
       "CVE-2024-57728",
+      "CVE-2024-6587",
       "CVE-2024-7399",
       "CVE-2024-7694",
       "CVE-2024-8068",
@@ -1547,6 +1553,7 @@
       "CVE-2025-64328",
       "CVE-2025-64446",
       "CVE-2025-64496",
+      "CVE-2025-64513",
       "CVE-2025-6543",
       "CVE-2025-6554",
       "CVE-2025-6558",
@@ -1602,6 +1609,7 @@
       "CVE-2026-25108",
       "CVE-2026-25592",
       "CVE-2026-26015",
+      "CVE-2026-26190",
       "CVE-2026-3055",
       "CVE-2026-30616",
       "CVE-2026-30617",
@@ -1828,7 +1836,9 @@
       "CVE-2024-39722",
       "CVE-2024-42478",
       "CVE-2024-42479",
+      "CVE-2024-4889",
       "CVE-2024-50050",
+      "CVE-2024-6587",
       "CVE-2025-10585",
       "CVE-2025-1094",
       "CVE-2025-14174",
@@ -1846,6 +1856,7 @@
       "CVE-2025-54136",
       "CVE-2025-60455",
       "CVE-2025-64496",
+      "CVE-2025-64513",
       "CVE-2025-8747",
       "CVE-2026-0766",
       "CVE-2026-22252",
@@ -1857,6 +1868,7 @@
       "CVE-2026-24215",
       "CVE-2026-25592",
       "CVE-2026-26015",
+      "CVE-2026-26190",
       "CVE-2026-30616",
       "CVE-2026-30617",
       "CVE-2026-30624",
@@ -2463,11 +2475,13 @@
       "CVE-2024-42478",
       "CVE-2024-42479",
       "CVE-2024-43468",
+      "CVE-2024-4889",
       "CVE-2024-50050",
       "CVE-2024-54085",
       "CVE-2024-56145",
       "CVE-2024-57726",
       "CVE-2024-57728",
+      "CVE-2024-6587",
       "CVE-2024-7399",
       "CVE-2024-7694",
       "CVE-2024-8068",
@@ -2606,6 +2620,7 @@
       "CVE-2025-64328",
       "CVE-2025-64446",
       "CVE-2025-64496",
+      "CVE-2025-64513",
       "CVE-2025-6543",
       "CVE-2025-6554",
       "CVE-2025-6558",
@@ -2663,6 +2678,7 @@
       "CVE-2026-25108",
       "CVE-2026-25592",
       "CVE-2026-26015",
+      "CVE-2026-26190",
       "CVE-2026-3055",
       "CVE-2026-30616",
       "CVE-2026-30617",
@@ -3729,8 +3745,12 @@
       "CVE-2022-1471",
       "CVE-2023-43654",
       "CVE-2023-48022",
+      "CVE-2024-4889",
+      "CVE-2024-6587",
+      "CVE-2025-64513",
       "CVE-2026-24206",
-      "CVE-2026-24207"
+      "CVE-2026-24207",
+      "CVE-2026-26190"
     ],
     "atlas_refs": [
       "AML.T0010",
@@ -4958,7 +4978,9 @@
       "CVE-2024-39722",
       "CVE-2024-42478",
       "CVE-2024-42479",
+      "CVE-2024-4889",
       "CVE-2024-50050",
+      "CVE-2024-6587",
       "CVE-2025-1550",
       "CVE-2025-1753",
       "CVE-2025-23254",
@@ -4971,6 +4993,7 @@
       "CVE-2025-54136",
       "CVE-2025-60455",
       "CVE-2025-64496",
+      "CVE-2025-64513",
       "CVE-2025-8747",
       "CVE-2026-0300",
       "CVE-2026-0766",
@@ -4984,6 +5007,7 @@
       "CVE-2026-24215",
       "CVE-2026-25592",
       "CVE-2026-26015",
+      "CVE-2026-26190",
       "CVE-2026-30616",
       "CVE-2026-30617",
       "CVE-2026-30624",
@@ -5585,7 +5609,9 @@
       "CVE-2024-39722",
       "CVE-2024-42478",
       "CVE-2024-42479",
+      "CVE-2024-4889",
       "CVE-2024-50050",
+      "CVE-2024-6587",
       "CVE-2025-1550",
       "CVE-2025-1753",
       "CVE-2025-23254",
@@ -5598,6 +5624,7 @@
       "CVE-2025-54136",
       "CVE-2025-60455",
       "CVE-2025-64496",
+      "CVE-2025-64513",
       "CVE-2025-8747",
       "CVE-2026-0766",
       "CVE-2026-22252",
@@ -5609,6 +5636,7 @@
       "CVE-2026-24215",
       "CVE-2026-25592",
       "CVE-2026-26015",
+      "CVE-2026-26190",
       "CVE-2026-30616",
       "CVE-2026-30617",
       "CVE-2026-30624",
@@ -5895,9 +5923,13 @@
       "CVE-2023-43654",
       "CVE-2023-48022",
       "CVE-2024-1709",
+      "CVE-2024-4889",
+      "CVE-2024-6587",
+      "CVE-2025-64513",
       "CVE-2026-20182",
       "CVE-2026-24206",
-      "CVE-2026-24207"
+      "CVE-2026-24207",
+      "CVE-2026-26190"
     ],
     "atlas_refs": [],
     "attack_refs": [

package/data/zeroday-lessons.json

@@ -4111,6 +4111,206 @@
     "_auto_imported": false,
     "_intake_method": "manual-verified-curation"
   },
+  "CVE-2024-6587": {
+    "name": "BerriAI LiteLLM api_base SSRF API-Key Interception",
+    "lesson_date": "2026-05-25",
+    "attack_vector": {
+      "description": "BerriAI LiteLLM (CWE-918 SSRF via user-supplied api_base) on the LLM proxy/gateway forwards the gateway's configured provider API key to an attacker-supplied api_base, leaking the keys it holds.",
+      "privileges_required": "none (NVD PR:N) - a request parameter",
+      "complexity": "low (NVD AC:L)",
+      "ai_factor": "The abused surface is the LLM proxy/gateway - the shared chokepoint that holds provider API keys for many models and teams. The lesson: an LLM gateway is a high-value credential store, so its request and config planes must be isolated from the secrets (allow-list egress, no dynamic evaluation of config), or a single SSRF / config flaw becomes mass key theft or proxy RCE. CVE-2024-6587 was the SSRF link of a Pwn2Own full-chain RCE against LiteLLM."
+    },
+    "framework_coverage": {
+      "NIST-800-53-IA-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Authenticator (API key) management does not isolate the gateway's stored provider keys from request-controlled egress."
+      },
+      "NIST-800-53-SI-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Does not track the LLM proxy/gateway as managed, credential-bearing software."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework treats the LLM gateway as a high-value credential store whose request/config plane must be isolated from the secrets."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 70,
+      "basis": "LLM gateways concentrate provider keys but are deployed as convenience infrastructure; their request/config planes are not isolated from the credential store.",
+      "theater_pattern": "ai_supply_chain_trust"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-013",
+        "name": "AI-GATEWAY-CREDENTIAL-STORE-ISOLATION",
+        "description": "The LLM proxy/gateway must isolate its stored provider credentials from request- and config-controlled flows: allow-list permitted provider endpoints (reject attacker-supplied api_base), never forward stored keys to unvalidated destinations, disable dynamic evaluation of configuration, and keep the admin/config surface off untrusted networks. Upgrade BerriAI LiteLLM to a patched release (1.44.8+). The distinguishing test: send a /chat/completions request with an attacker api_base, and an admin config with a remote UI_LOGO_PATH, to a staging gateway and confirm no key egress and no code execution.",
+        "evidence": "https://github.com/advisories/GHSA-g26j-5385-hhw3",
+        "gap_closes": [
+          "NIST-800-53-IA-2",
+          "NIST-800-53-SI-2",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
+  "CVE-2025-64513": {
+    "name": "Milvus Proxy Authentication Bypass via Forged Headers",
+    "lesson_date": "2026-05-25",
+    "attack_vector": {
+      "description": "Milvus (CWE-287 forged-header auth bypass in the Proxy) lets an unauthenticated network attacker reach the vector database's operations and data, bypassing authentication.",
+      "privileges_required": "none (NVD/CNA AV:N / PR:N) - unauthenticated",
+      "complexity": "low (AC:L)",
+      "ai_factor": "The abused surface is the vector database - the RAG persistence layer that stores embeddings and the source documents (often PII) behind LLM applications. The lesson: vector databases are sensitive data stores, not caches; every API/management port (including metrics ports like 9091) must authenticate, default tokens must be replaced, and the DB must not be network-exposed. An auth bypass here exposes RAG data and enables retrieval poisoning."
+    },
+    "framework_coverage": {
+      "NIST-800-53-IA-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Authentication is not enforced on the vector database's API/management surface."
+      },
+      "NIST-800-53-SI-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Does not track the vector database (RAG persistence layer) as managed, auth-bypass-bearing software."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework treats the vector database as a sensitive RAG data store whose API/management ports must authenticate."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 70,
+      "basis": "Vector databases are deployed as convenience RAG infrastructure on trusted-network assumptions, often with default tokens and exposed management ports.",
+      "theater_pattern": "ai_supply_chain_trust"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-101",
+        "name": "VECTOR-DB-AUTHENTICATION-ENFORCEMENT",
+        "description": "A vector database storing RAG embeddings and source data must enforce authentication on every API and management/metrics port (including ports like Milvus 9091), reject forged/missing auth, replace default tokens, and never be exposed to untrusted networks. Upgrade Milvus to a patched release (2.4.24 / 2.5.21 / 2.6.5). The distinguishing test: from an unauthenticated client, attempt forged-header access to the Proxy and direct access to the metrics/management port on a staging instance and confirm both are refused.",
+        "evidence": "https://github.com/milvus-io/milvus/security/advisories/GHSA-mhjq-8c7m-3f7p",
+        "gap_closes": [
+          "NIST-800-53-IA-2",
+          "NIST-800-53-SI-2",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
+  "CVE-2026-26190": {
+    "name": "Milvus Port 9091 Missing Authentication / Weak Default Token",
+    "lesson_date": "2026-05-25",
+    "attack_vector": {
+      "description": "Milvus (CWE-306 missing authentication on port 9091 with weak default tokens) lets an unauthenticated network attacker reach the vector database's operations and data, bypassing authentication.",
+      "privileges_required": "none (NVD/CNA AV:N / PR:N) - unauthenticated",
+      "complexity": "low (AC:L)",
+      "ai_factor": "The abused surface is the vector database - the RAG persistence layer that stores embeddings and the source documents (often PII) behind LLM applications. The lesson: vector databases are sensitive data stores, not caches; every API/management port (including metrics ports like 9091) must authenticate, default tokens must be replaced, and the DB must not be network-exposed. An auth bypass here exposes RAG data and enables retrieval poisoning."
+    },
+    "framework_coverage": {
+      "NIST-800-53-IA-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Authentication is not enforced on the vector database's API/management surface."
+      },
+      "NIST-800-53-SI-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Does not track the vector database (RAG persistence layer) as managed, auth-bypass-bearing software."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework treats the vector database as a sensitive RAG data store whose API/management ports must authenticate."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 70,
+      "basis": "Vector databases are deployed as convenience RAG infrastructure on trusted-network assumptions, often with default tokens and exposed management ports.",
+      "theater_pattern": "ai_supply_chain_trust"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-101",
+        "name": "VECTOR-DB-AUTHENTICATION-ENFORCEMENT",
+        "description": "A vector database storing RAG embeddings and source data must enforce authentication on every API and management/metrics port (including ports like Milvus 9091), reject forged/missing auth, replace default tokens, and never be exposed to untrusted networks. Upgrade Milvus to a patched release (2.5.27 / 2.6.10). The distinguishing test: from an unauthenticated client, attempt forged-header access to the Proxy and direct access to the metrics/management port on a staging instance and confirm both are refused.",
+        "evidence": "https://github.com/milvus-io/milvus/security/advisories/GHSA-7ppg-37fh-vcr6",
+        "gap_closes": [
+          "NIST-800-53-IA-2",
+          "NIST-800-53-SI-2",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
+  "CVE-2024-4889": {
+    "name": "BerriAI LiteLLM Config Code Injection via UI_LOGO_PATH / KMS",
+    "lesson_date": "2026-05-25",
+    "attack_vector": {
+      "description": "BerriAI LiteLLM (CWE-94 code injection via the secret-management config path) on the LLM proxy/gateway lets admin-influenced config reach a dynamic-evaluation path and execute code on the credential-bearing proxy.",
+      "privileges_required": "admin-level config influence (NVD PR:H)",
+      "complexity": "low (NVD AC:L)",
+      "ai_factor": "The abused surface is the LLM proxy/gateway - the shared chokepoint that holds provider API keys for many models and teams. The lesson: an LLM gateway is a high-value credential store, so its request and config planes must be isolated from the secrets (allow-list egress, no dynamic evaluation of config), or a single SSRF / config flaw becomes mass key theft or proxy RCE. CVE-2024-6587 was the SSRF link of a Pwn2Own full-chain RCE against LiteLLM."
+    },
+    "framework_coverage": {
+      "NIST-800-53-IA-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Authenticator (API key) management does not isolate the gateway's stored provider keys from request-controlled egress."
+      },
+      "NIST-800-53-SI-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Does not track the LLM proxy/gateway as managed, credential-bearing software."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework treats the LLM gateway as a high-value credential store whose request/config plane must be isolated from the secrets."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 70,
+      "basis": "LLM gateways concentrate provider keys but are deployed as convenience infrastructure; their request/config planes are not isolated from the credential store.",
+      "theater_pattern": "ai_supply_chain_trust"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-013",
+        "name": "AI-GATEWAY-CREDENTIAL-STORE-ISOLATION",
+        "description": "The LLM proxy/gateway must isolate its stored provider credentials from request- and config-controlled flows: allow-list permitted provider endpoints (reject attacker-supplied api_base), never forward stored keys to unvalidated destinations, disable dynamic evaluation of configuration, and keep the admin/config surface off untrusted networks. Upgrade BerriAI LiteLLM to a patched release (1.44.16+). The distinguishing test: send a /chat/completions request with an attacker api_base, and an admin config with a remote UI_LOGO_PATH, to a staging gateway and confirm no key egress and no code execution.",
+        "evidence": "https://github.com/advisories/GHSA-423v-966v-frxg",
+        "gap_closes": [
+          "NIST-800-53-IA-2",
+          "NIST-800-53-SI-2",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
   "CVE-2023-44467": {
     "name": "LangChain-Experimental PALChain dunder-import Code Execution (CVE-2023-36258 bypass)",
     "lesson_date": "2026-05-25",