@blamejs/exceptd-skills 0.13.98 → 0.13.99

package/data/atlas-ttps.json

@@ -144,11 +144,13 @@
     "last_verified": "2026-05-19",
     "cve_refs": [
       "CVE-2023-43654",
+      "CVE-2024-0129",
       "CVE-2024-11392",
       "CVE-2024-11393",
       "CVE-2024-11394",
       "CVE-2024-37032",
       "CVE-2025-1550",
+      "CVE-2025-33236",
       "CVE-2025-8747",
       "CVE-2026-22778",
       "CVE-2026-30615",
@@ -1273,11 +1275,13 @@
     "last_verified": "2026-05-19",
     "cve_refs": [
       "CVE-2023-44467",
+      "CVE-2024-0129",
       "CVE-2024-11392",
       "CVE-2024-11393",
       "CVE-2024-11394",
       "CVE-2024-21513",
       "CVE-2025-1550",
+      "CVE-2025-33236",
       "CVE-2025-8747",
       "MAL-2024-PYPI-ULTRALYTICS-XMRIG"
     ],
@@ -2832,10 +2836,12 @@
     "is_subtechnique": true,
     "cve_refs": [
       "CVE-2022-1471",
+      "CVE-2024-0129",
       "CVE-2024-11392",
       "CVE-2024-11393",
       "CVE-2024-11394",
       "CVE-2025-1550",
+      "CVE-2025-33236",
       "CVE-2025-8747"
     ]
   },

package/data/attack-techniques.json

@@ -277,6 +277,7 @@
       "CVE-2023-44467",
       "CVE-2023-48022",
       "CVE-2023-6019",
+      "CVE-2024-0129",
       "CVE-2024-11392",
       "CVE-2024-11393",
       "CVE-2024-11394",
@@ -295,6 +296,7 @@
       "CVE-2025-23254",
       "CVE-2025-30165",
       "CVE-2025-32444",
+      "CVE-2025-33236",
       "CVE-2025-34291",
       "CVE-2025-49596",
       "CVE-2025-53773",
@@ -1120,11 +1122,13 @@
     "name": "Supply Chain Compromise: Software Supply Chain",
     "version": "v19",
     "cve_refs": [
+      "CVE-2024-0129",
       "CVE-2024-11392",
       "CVE-2024-11393",
       "CVE-2024-11394",
       "CVE-2024-3094",
       "CVE-2025-1550",
+      "CVE-2025-33236",
       "CVE-2025-8747",
       "CVE-2026-45321",
       "MAL-2024-PYPI-ULTRALYTICS-XMRIG",
@@ -4303,10 +4307,12 @@
     "stix_id": "attack-pattern--8c32eb4d-805f-4fc5-bf60-c4d476c131b5",
     "is_subtechnique": false,
     "cve_refs": [
+      "CVE-2024-0129",
       "CVE-2024-11392",
       "CVE-2024-11393",
       "CVE-2024-11394",
       "CVE-2025-1550",
+      "CVE-2025-33236",
       "CVE-2025-8747"
     ]
   },

package/data/cve-catalog.json

@@ -15169,6 +15169,218 @@
     "_intake_method": "manual-verified-curation",
     "_kev_short_description": "Anyscale Ray's dashboard log API allows path traversal to read any file on the host without authentication (CWE-22 LFI); fixed in 2.8.1."
   },
+  "CVE-2025-33236": {
+    "name": "NVIDIA NeMo Framework Malicious Model Import Code Injection RCE",
+    "type": "RCE",
+    "cvss_score": 7.8,
+    "cvss_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
+    "cvss_note": "CNA (NVIDIA) CVSS v3.1 base 7.8 (HIGH); NVD has not published its own assessed score. Importing a malicious AI model causes code injection (CWE-94) - NeMo silently executes attacker-controlled code with no warning. Disclosed by Cato CTRL.",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "Documented in the NVIDIA NeMo security bulletin and Cato CTRL research ('New Vulnerabilities in NVIDIA NeMo and Meta PyTorch Enable Full System Compromise'): loading/importing a maliciously crafted NeMo model triggers code injection in the importing process.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed via NVIDIA's NeMo security bulletins (Cato CTRL research). NeMo is NVIDIA's LLM training/customization framework; the abused surface is its model-import/load path.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; an untrusted model artifact executing code on load.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "Vendor/researcher disclosure with a coordinated fix; no confirmed in-the-wild exploitation reported as of curation.",
+    "affected": "NVIDIA NeMo Framework before 2.6.1.",
+    "affected_versions": [
+      "NVIDIA NeMo Framework < 2.6.1"
+    ],
+    "vector": "NVIDIA NeMo Framework deserializes / loads an imported AI model without validation, so a maliciously crafted model triggers code injection (CWE-94) and executes attacker code in the importing process - the canonical 'model file is executable code' class, here in NVIDIA's LLM training/customization framework.",
+    "complexity": "low",
+    "complexity_notes": "NVD AV:L / AC:L - local context; the precondition is loading an untrusted NeMo model.",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "Remediation is upgrading NVIDIA NeMo to 2.6.1 or later; no host reboot.",
+    "vendor_update_paths": [
+      "Upgrade NVIDIA NeMo to 2.6.1 or later, and only load NeMo models from trusted sources (verify provenance; load untrusted models sandboxed)."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-2": "Flaw-remediation cadence does not track the LLM training/customization framework's model-load path as managed, RCE-bearing software.",
+      "NIST-800-53-SI-10": "Input-validation control is not applied to imported model artifacts/archives that NeMo deserializes or extracts.",
+      "ISO-27001-2022-A.8.8": "Vulnerability management rarely enumerates the model-import path of an LLM framework as a code-execution surface.",
+      "NIS2-Art21-patch-management": "Article 21 measures do not reach LLM-framework model loading as a privileged execution control plane.",
+      "DORA-Art-9": "ICT protection measures do not model untrusted-model-artifact loading in an LLM framework as an ICT-risk event.",
+      "UK-CAF-B4": "System Security objective has no objective for treating NeMo model artifacts as untrusted code.",
+      "AU-ISM-1546": "Patch-application control does not single out LLM training/customization frameworks.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework treats an ML model artifact as untrusted executable input; loading an untrusted NeMo model is RCE."
+    },
+    "atlas_refs": [
+      "AML.T0010",
+      "AML.T0011",
+      "AML.T0011.000"
+    ],
+    "attack_refs": [
+      "T1204",
+      "T1059",
+      "T1195.002"
+    ],
+    "rwep_score": 27,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 22,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Standard (RWEP 27, \"patch within 30 days\" band per lib/scoring.js timeline). Not KEV, no confirmed in-the-wild exploitation, patched at/after disclosure (Hard Rule #3). poc_available=20 + blast_radius=22 (NeMo is NVIDIA's widely used LLM framework) minus patch 15.",
+    "epss_score": null,
+    "epss_date": "2026-05-25",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2025-33236",
+    "cwe_refs": [
+      "CWE-94"
+    ],
+    "iocs": {
+      "behavioral": [
+        "Python subprocess / interpreter activity during NeMo model import / SaveRestoreConnector load of an externally sourced model.",
+        "An imported NeMo model whose serialized content resolves to code execution on load.",
+        "Loading NeMo models from a hub or shared store without provenance verification.",
+        "NVIDIA NeMo at an affected version (NVIDIA NeMo Framework < 2.6.1) loading untrusted models - the exposed precondition."
+      ],
+      "_ioc_source_note": "Behavioral signatures derived from the NVIDIA NeMo security bulletin (https://nvidia.custhelp.com/app/answers/detail/a_id/5762) and Cato CTRL research, plus NVD CVE-2025-33236 (CWE-94). The untrusted-model-load path is the indicator anchor."
+    },
+    "source_verified": "2026-05-25",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2025-33236",
+      "https://nvidia.custhelp.com/app/answers/detail/a_id/5762"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "NVIDIA Product Security",
+        "advisory_id": "NVIDIA-5762",
+        "url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5762",
+        "severity": "high",
+        "published_date": "2026-02-18"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2025-33236",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-33236",
+        "severity": "high",
+        "published_date": "2026-02-18"
+      }
+    ],
+    "last_updated": "2026-05-25",
+    "discovery_attribution_note": "Manually curated from NVD (CWE-94; CNA NVIDIA CVSS 7.8, no NVD-assessed score) + the NVIDIA NeMo security bulletin. NeMo model-load code-execution; same untrusted-model-artifact class as the Keras / HF Transformers entries (shares NEW-CTRL-091).",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "NVIDIA NeMo Framework executes attacker code when a malicious AI model is imported (CWE-94 code injection), silently; fixed in 2.6.1."
+  },
+  "CVE-2024-0129": {
+    "name": "NVIDIA NeMo SaveRestoreConnector .tar Path Traversal to Code Execution",
+    "type": "RCE",
+    "cvss_score": 7.8,
+    "cvss_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
+    "cvss_note": "NVD CVSS v3.1 base 7.8 (HIGH); NVIDIA as CNA scored 6.3 (MEDIUM, Scope:Changed). Path traversal via unsafe .tar extraction in the SaveRestoreConnector (CWE-22), enabling code execution and data tampering when a malicious .nemo model is loaded.",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "Documented in the NVIDIA NeMo security bulletin: loading/importing a maliciously crafted NeMo model triggers path-traversal file write in the importing process.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed via NVIDIA's NeMo security bulletins. NeMo is NVIDIA's LLM training/customization framework; the abused surface is its model-import/load path.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; an untrusted model artifact executing code on load.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "Vendor/researcher disclosure with a coordinated fix; no confirmed in-the-wild exploitation reported as of curation.",
+    "affected": "NVIDIA NeMo before r2.0.0rc0 (the SaveRestoreConnector); fixed in r2.0.0rc0 per NVIDIA advisory a_id/5580.",
+    "affected_versions": [
+      "NVIDIA NeMo < r2.0.0rc0"
+    ],
+    "vector": "NeMo's SaveRestoreConnector extracts a .nemo model archive (a .tar) without restricting entry paths, so a crafted archive writes files outside the intended directory (CWE-22 path traversal). Loading a malicious NeMo model thereby writes attacker content to an arbitrary path and can lead to code execution.",
+    "complexity": "low",
+    "complexity_notes": "NVD AV:L / AC:L - local context; the precondition is loading an untrusted NeMo model.",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "Remediation is upgrading NVIDIA NeMo to r2.0.0rc0 or later; no host reboot.",
+    "vendor_update_paths": [
+      "Upgrade NVIDIA NeMo to r2.0.0rc0 or later, and only load NeMo models from trusted sources (verify provenance; load untrusted models sandboxed)."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-2": "Flaw-remediation cadence does not track the LLM training/customization framework's model-load path as managed, RCE-bearing software.",
+      "NIST-800-53-SI-10": "Input-validation control is not applied to imported model artifacts/archives that NeMo deserializes or extracts.",
+      "ISO-27001-2022-A.8.8": "Vulnerability management rarely enumerates the model-import path of an LLM framework as a code-execution surface.",
+      "NIS2-Art21-patch-management": "Article 21 measures do not reach LLM-framework model loading as a privileged execution control plane.",
+      "DORA-Art-9": "ICT protection measures do not model untrusted-model-artifact loading in an LLM framework as an ICT-risk event.",
+      "UK-CAF-B4": "System Security objective has no objective for treating NeMo model artifacts as untrusted code.",
+      "AU-ISM-1546": "Patch-application control does not single out LLM training/customization frameworks.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework treats an ML model artifact as untrusted executable input; loading an untrusted NeMo model is RCE."
+    },
+    "atlas_refs": [
+      "AML.T0010",
+      "AML.T0011",
+      "AML.T0011.000"
+    ],
+    "attack_refs": [
+      "T1204",
+      "T1059",
+      "T1195.002"
+    ],
+    "rwep_score": 25,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 20,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Standard (RWEP 25, \"patch within 30 days\" band per lib/scoring.js timeline). Not KEV, no confirmed in-the-wild exploitation, patched at/after disclosure (Hard Rule #3). poc_available=20 + blast_radius=20 (NeMo is NVIDIA's widely used LLM framework) minus patch 15.",
+    "epss_score": null,
+    "epss_date": "2026-05-25",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2024-0129",
+    "cwe_refs": [
+      "CWE-22"
+    ],
+    "iocs": {
+      "behavioral": [
+        "Python subprocess / interpreter activity during NeMo model import / SaveRestoreConnector load of an externally sourced model.",
+        "A .nemo (.tar) archive whose entries contain ../ traversal paths writing outside the extraction directory.",
+        "Loading NeMo models from a hub or shared store without provenance verification.",
+        "NVIDIA NeMo at an affected version (NVIDIA NeMo < r2.0.0rc0) loading untrusted models - the exposed precondition."
+      ],
+      "_ioc_source_note": "Behavioral signatures derived from the NVIDIA NeMo security bulletin (https://nvidia.custhelp.com/app/answers/detail/a_id/5580), plus NVD CVE-2024-0129 (CWE-22). The untrusted-model-load path is the indicator anchor."
+    },
+    "source_verified": "2026-05-25",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2024-0129",
+      "https://nvidia.custhelp.com/app/answers/detail/a_id/5580"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "NVIDIA Product Security",
+        "advisory_id": "NVIDIA-5580",
+        "url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5580",
+        "severity": "high",
+        "published_date": "2024-10-15"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2024-0129",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0129",
+        "severity": "high",
+        "published_date": "2024-10-15"
+      }
+    ],
+    "last_updated": "2026-05-25",
+    "discovery_attribution_note": "Manually curated from NVD (CWE-22; NIST CVSS 7.8, NVIDIA CNA 6.3) + the NVIDIA NeMo security bulletin. NeMo model-load code-execution; same untrusted-model-artifact class as the Keras / HF Transformers entries (shares NEW-CTRL-091).",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "NVIDIA NeMo's SaveRestoreConnector extracts a .nemo (.tar) model archive without path restriction (CWE-22), so a malicious model writes to an arbitrary path and can execute code; fixed in r2.0.0rc0."
+  },
   "CVE-2026-41091": {
     "name": "Microsoft Defender (Malware Protection Engine) Link-Following LPE to SYSTEM",
     "type": "LPE",

package/data/cwe-catalog.json

@@ -96,6 +96,7 @@
       "CVE-2023-43472",
       "CVE-2023-51449",
       "CVE-2023-6021",
+      "CVE-2024-0129",
       "CVE-2024-0769",
       "CVE-2024-13059",
       "CVE-2024-1561",
@@ -386,6 +387,7 @@
       "CVE-2025-11837",
       "CVE-2025-1550",
       "CVE-2025-32432",
+      "CVE-2025-33236",
       "CVE-2025-37164",
       "CVE-2025-43200",
       "CVE-2025-4428",

package/data/framework-control-gaps.json

@@ -40,6 +40,7 @@
       "CVE-2023-51449",
       "CVE-2023-6019",
       "CVE-2023-6021",
+      "CVE-2024-0129",
       "CVE-2024-0132",
       "CVE-2024-11392",
       "CVE-2024-11393",
@@ -63,6 +64,7 @@
       "CVE-2025-30165",
       "CVE-2025-30202",
       "CVE-2025-32444",
+      "CVE-2025-33236",
       "CVE-2025-34291",
       "CVE-2025-49596",
       "CVE-2025-54136",
@@ -1395,6 +1397,7 @@
       "CVE-2023-52163",
       "CVE-2023-6019",
       "CVE-2023-6021",
+      "CVE-2024-0129",
       "CVE-2024-0769",
       "CVE-2024-11182",
       "CVE-2024-11392",
@@ -1483,6 +1486,7 @@
       "CVE-2025-32975",
       "CVE-2025-33053",
       "CVE-2025-33073",
+      "CVE-2025-33236",
       "CVE-2025-34026",
       "CVE-2025-34291",
       "CVE-2025-35939",
@@ -1828,6 +1832,7 @@
       "CVE-2023-51449",
       "CVE-2023-6019",
       "CVE-2023-6021",
+      "CVE-2024-0129",
       "CVE-2024-0132",
       "CVE-2024-11392",
       "CVE-2024-11393",
@@ -1855,6 +1860,7 @@
       "CVE-2025-30165",
       "CVE-2025-30202",
       "CVE-2025-32444",
+      "CVE-2025-33236",
       "CVE-2025-34291",
       "CVE-2025-38352",
       "CVE-2025-43300",
@@ -2295,6 +2301,7 @@
     "opened_date": "2026-05-13",
     "evidence_cves": [
       "CVE-2023-44467",
+      "CVE-2024-0129",
       "CVE-2024-11392",
       "CVE-2024-11393",
       "CVE-2024-11394",
@@ -2310,6 +2317,7 @@
       "CVE-2025-1753",
       "CVE-2025-23254",
       "CVE-2025-30165",
+      "CVE-2025-33236",
       "CVE-2025-60455",
       "CVE-2025-64496",
       "CVE-2025-6965",
@@ -2459,6 +2467,7 @@
       "CVE-2023-52163",
       "CVE-2023-6019",
       "CVE-2023-6021",
+      "CVE-2024-0129",
       "CVE-2024-0132",
       "CVE-2024-0769",
       "CVE-2024-11182",
@@ -2550,6 +2559,7 @@
       "CVE-2025-32975",
       "CVE-2025-33053",
       "CVE-2025-33073",
+      "CVE-2025-33236",
       "CVE-2025-34026",
       "CVE-2025-34291",
       "CVE-2025-35939",
@@ -4975,6 +4985,7 @@
       "CVE-2023-51449",
       "CVE-2023-6019",
       "CVE-2023-6021",
+      "CVE-2024-0129",
       "CVE-2024-0132",
       "CVE-2024-11392",
       "CVE-2024-11393",
@@ -5000,6 +5011,7 @@
       "CVE-2025-30165",
       "CVE-2025-30202",
       "CVE-2025-32444",
+      "CVE-2025-33236",
       "CVE-2025-34291",
       "CVE-2025-49596",
       "CVE-2025-54136",
@@ -5521,6 +5533,7 @@
     "evidence_cves": [
       "CVE-2023-44467",
       "CVE-2023-51449",
+      "CVE-2024-0129",
       "CVE-2024-0132",
       "CVE-2024-11392",
       "CVE-2024-11393",
@@ -5544,6 +5557,7 @@
       "CVE-2025-30165",
       "CVE-2025-30202",
       "CVE-2025-32444",
+      "CVE-2025-33236",
       "CVE-2025-34291",
       "CVE-2025-49596",
       "CVE-2025-54136",
@@ -5608,6 +5622,7 @@
       "CVE-2023-51449",
       "CVE-2023-6019",
       "CVE-2023-6021",
+      "CVE-2024-0129",
       "CVE-2024-0132",
       "CVE-2024-11392",
       "CVE-2024-11393",
@@ -5633,6 +5648,7 @@
       "CVE-2025-30165",
       "CVE-2025-30202",
       "CVE-2025-32444",
+      "CVE-2025-33236",
       "CVE-2025-34291",
       "CVE-2025-49596",
       "CVE-2025-54136",

package/data/zeroday-lessons.json

@@ -8433,6 +8433,106 @@
     "_auto_imported": false,
     "_intake_method": "manual-verified-curation"
   },
+  "CVE-2025-33236": {
+    "name": "NVIDIA NeMo Framework Malicious Model Import Code Injection RCE",
+    "lesson_date": "2026-05-25",
+    "attack_vector": {
+      "description": "NVIDIA NeMo (CWE-94 code injection on malicious model import) executes attacker code or writes attacker files when an untrusted NeMo model is imported/loaded.",
+      "privileges_required": "ability to get a NeMo model loaded (NVD AV:L)",
+      "complexity": "low (NVD AC:L)",
+      "ai_factor": "The abused surface is the model-import path of NVIDIA NeMo, an LLM training/customization framework. The lesson is the same one the Keras and Hugging Face Transformers CVEs teach: a model artifact is executable code at load time, so models (and their archive formats) from untrusted sources must be treated as untrusted code - provenance, safe extraction, sandboxed loading."
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Does not track the LLM training/customization framework's model-load path as RCE-bearing software."
+      },
+      "NIST-800-53-SI-10": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Input validation is not applied to imported model artifacts/archives that NeMo deserializes or extracts."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework treats an ML model artifact as untrusted executable input; loading an untrusted NeMo model is RCE."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 71,
+      "basis": "ML teams import NeMo models/checkpoints from hubs and shared stores and treat them as data; the framework's load path is assumed safe.",
+      "theater_pattern": "model_artifact_trust"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-091",
+        "name": "UNTRUSTED-MODEL-ARTIFACT-LOADING",
+        "description": "Treat ML model artifacts as untrusted code: never load models/checkpoints from untrusted sources, verify provenance, prefer safe formats, extract archives with path validation, and load untrusted models only in a sandboxed, least-privilege environment. Upgrade NVIDIA NeMo to 2.6.1 or later. The control is the same one that closes the Keras and Hugging Face Transformers model-deserialization CVEs - the class is 'a model file is executable code'. The distinguishing test: load an attacker-crafted NeMo model on a sandboxed instance and confirm no code executes and no file is written outside the extraction directory.",
+        "evidence": "https://nvidia.custhelp.com/app/answers/detail/a_id/5762",
+        "gap_closes": [
+          "NIST-800-53-SI-2",
+          "NIST-800-53-SI-10",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
+  "CVE-2024-0129": {
+    "name": "NVIDIA NeMo SaveRestoreConnector .tar Path Traversal to Code Execution",
+    "lesson_date": "2026-05-25",
+    "attack_vector": {
+      "description": "NVIDIA NeMo (CWE-22 path traversal via unsafe .nemo (.tar) extraction) executes attacker code or writes attacker files when an untrusted NeMo model is imported/loaded.",
+      "privileges_required": "ability to get a NeMo model loaded (NVD AV:L)",
+      "complexity": "low (NVD AC:L)",
+      "ai_factor": "The abused surface is the model-import path of NVIDIA NeMo, an LLM training/customization framework. The lesson is the same one the Keras and Hugging Face Transformers CVEs teach: a model artifact is executable code at load time, so models (and their archive formats) from untrusted sources must be treated as untrusted code - provenance, safe extraction, sandboxed loading."
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Does not track the LLM training/customization framework's model-load path as RCE-bearing software."
+      },
+      "NIST-800-53-SI-10": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Input validation is not applied to imported model artifacts/archives that NeMo deserializes or extracts."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework treats an ML model artifact as untrusted executable input; loading an untrusted NeMo model is RCE."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 71,
+      "basis": "ML teams import NeMo models/checkpoints from hubs and shared stores and treat them as data; the framework's load path is assumed safe.",
+      "theater_pattern": "model_artifact_trust"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-091",
+        "name": "UNTRUSTED-MODEL-ARTIFACT-LOADING",
+        "description": "Treat ML model artifacts as untrusted code: never load models/checkpoints from untrusted sources, verify provenance, prefer safe formats, extract archives with path validation, and load untrusted models only in a sandboxed, least-privilege environment. Upgrade NVIDIA NeMo to r2.0.0rc0 or later. The control is the same one that closes the Keras and Hugging Face Transformers model-deserialization CVEs - the class is 'a model file is executable code'. The distinguishing test: load an attacker-crafted NeMo model on a sandboxed instance and confirm no code executes and no file is written outside the extraction directory.",
+        "evidence": "https://nvidia.custhelp.com/app/answers/detail/a_id/5580",
+        "gap_closes": [
+          "NIST-800-53-SI-2",
+          "NIST-800-53-SI-10",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
   "CVE-2024-11393": {
     "name": "Hugging Face Transformers MaskFormer Deserialization Remote Code Execution",
     "lesson_date": "2026-05-25",