Claude/eloquent davinci s bng g#62

Closed
killertcell428 wants to merge 2 commits into master from claude/eloquent-davinci-sBngG

@killertcell428
Owner

Summary

Closes #

Changes

Type of change

  • Bug fix (non-breaking change that fixes an issue)
  • New feature (non-breaking change that adds functionality)
  • New detection pattern
  • Breaking change (fix or feature that would cause existing behaviour to change)
  • Documentation update
  • Refactor / performance improvement

Testing

  • pytest tests/ -v passes locally
  • New tests added for the change
  • Existing tests updated if needed (explain why)

For new detection patterns, confirm both:

  • Positive test — the pattern correctly detects a malicious input
  • Negative test — the pattern does NOT fire on legitimate input

Checklist

  • Code follows the style of the project (ruff check passes)
  • Type annotations are correct (mypy aigis/ passes)
  • Public API changes are reflected in docs/api-reference.md
  • CHANGELOG.md updated under [Unreleased]
  • I have read CONTRIBUTING.md

Screenshots / output

aigis auto-improvement added 2 commits May 18, 2026 06:24
Adds sc_flowise_js_rce detection pattern to SUPPLY_CHAIN_PATTERNS covering
JavaScript Function() constructor-based RCE in MCP configuration contexts
(Flowise CVE-2025-59528, CVSS 10.0). Bumps version to 1.1.5.
@killertcell428
Owner Author

Superseded by #61, which is taking the v1.1.5 release slot.

Why this PR is being closed instead of resolving the conflicts:

  • Both this PR and Claude/eloquent davinci o6sfs #61 try to publish v1.1.5. The CHANGELOG / __version__ / INDEX / ROTATION / pyproject.toml conflicts are caused precisely by both PRs writing to the same v1.1.5 sections. Resolving them would still leave one of the two PRs unable to claim v1.1.5.
  • Claude/eloquent davinci o6sfs #61 is already in CLEAN / MERGEABLE state (DCO fixed, both commits SSH-verified) and is ready to merge as v1.1.5.
  • The DCO failure on this PR has the same root cause as Claude/eloquent davinci o6sfs #61 had: commits authored by aigis auto-improvement <auto-improvement@aigis.local> while the Signed-off-by (if any) is killertcell428 <killertcell428@gmail.com>. DCO requires the two emails to match.

What this PR contained that #61 does not:

  • sc_flowise_js_rce — Flowise CVE-2025-59528 (CVSS 10.0), JavaScript Function() constructor RCE in the CustomMCP node. Detects new Function(...) combined with child_process / fs / os / net / process.env references, and the same patterns inside MCP mcpServerConfig / "command": / "args": fields. Also covers the Function.prototype.constructor prototype-chain bypass. Worth re-introducing as v1.1.6 since the CVSS is 10.0 and 12,000+ instances were still exposed when exploitation began.
  • A more rigorous CHANGELOG **Tests:** line that names the failing test files (test_spec_lang.py, test_guard.py, test_oss_comparison_bench.py, test_release_preflight.py) and their root causes — closer to what CLAUDE.md asks for than the original draft of Claude/eloquent davinci o6sfs #61. If sc_flowise_js_rce is re-introduced in a follow-up PR, keep this style.

If a follow-up v1.1.6 PR is opened with sc_flowise_js_rce, please ensure (a) the commit is authored with the email that signs off DCO, and (b) signing is enabled (commit.gpgsign=true with the SSH/GPG key registered on the GitHub account), so the same fixup dance is not needed.

killertcell428 added a commit that referenced this pull request May 18, 2026
Adds `sc_flowise_js_rce` (Flowise CVE-2025-59528, CVSS 10.0): JavaScript
`Function()` constructor / `eval()` patterns combined with dangerous Node.js
system module references (`child_process`, `fs`, `os`, `net`, `process.env`,
`execSync`, `spawnSync`), or the same patterns appearing inside MCP server
configuration fields (`mcpServerConfig`, `"command":`, `"args":`). Also
covers the `Function.prototype.constructor` prototype-chain bypass.

CVE-2025-59528 (CVSS 10.0): the Flowise CustomMCP node parsed
`mcpServerConfig` and executed it via JavaScript's `Function()` constructor —
functionally identical to `eval()` — without any validation. A single
`new Function('return require("child_process").execSync("id")')()` payload
achieves host-level RCE on the Flowise server, exposing every LLM API key,
database credential, and OS resource stored or reachable by the application.
12,000-15,000 Flowise instances remained unpatched when exploitation began
in April 2026, more than six months after the patch (Flowise 3.1.1) was
released. An AI agent receiving indirect prompt injection through a poisoned
tool response or retrieved document could be directed to inject this payload
into a Flowise workflow configuration.

This release is a manual follow-up that salvages the detector from closed
PR #62. PR #62 was closed because it raced PR #61 for the v1.1.5 slot and
lost on the merge order; the underlying detector is unrelated to that race
and is shipped here on its own. Sourced from
`origin/claude/eloquent-davinci-sBngG` (the PR #62 branch) verbatim, with
only release-metadata changes (version 1.1.5 -> 1.1.6, CHANGELOG section
moved out of v1.1.5 into v1.1.6, INDEX/ROTATION untouched since this is not
a new auto-improvement rotation cycle).

Tests: 1582 passed, 0 failed, 0 skipped (measured 2026-05-18 via
`uv run --no-sync pytest --tb=no -q` on this branch). 14 new tests added
for `sc_flowise_js_rce` (10 true positives covering Function() + dangerous
modules, MCP config field injection, and prototype-chain bypass; 4 true
negatives covering legitimate Function() use, JSON5.parse() prose, safe
inline arithmetic Function() calls, and educational mentions of `require`).

Signed-off-by: killertcell428 <killertcell428@gmail.com>
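
The detection approach this commit message describes, sketched as an added example (it is not aigis's own `sc_flowise_js_rce` pattern and not part of the commit). The regexes, the `scan` function and the reason labels are assumptions; the samples are constructed, apart from the payload quoted in the message above.

```python
import re

# Approximations written for this example, not the patterns shipped in aigis.
# Dynamic code: Function(...), new Function(...), eval(...) or the
# Function.prototype.constructor(...) route, each called with a string body.
DYNAMIC_CODE = re.compile(
    r"""\b(?:Function(?P<proto>\s*\.\s*prototype\s*\.\s*constructor)?|eval)"""
    r"""\s*\(\s*\\?['"`]"""
)
# Node.js system access named in the commit message.
SYSTEM_REF = re.compile(
    r"""require\s*\(\s*\\?['"](?:node:)?(?:child_process|fs|os|net)\\?['"]\s*\)"""
    r"""|\bprocess\s*\.\s*env\b|\b(?:execSync|spawnSync)\s*\("""
)
# MCP server configuration fields named in the commit message.
MCP_FIELD = re.compile(r"""\bmcpServerConfig\b|["'](?:command|args)["']\s*:""")

def scan(text: str) -> list[str]:
    """Return the reasons `text` is flagged; an empty list means no finding."""
    hits = list(DYNAMIC_CODE.finditer(text))
    if not hits:
        return []  # module names or config fields alone are not a finding
    reasons = []
    if SYSTEM_REF.search(text):
        reasons.append("dynamic_code+system_module")
    if MCP_FIELD.search(text):
        reasons.append("dynamic_code_in_mcp_field")
    if reasons and any(h.group("proto") for h in hits):
        reasons.append("prototype_chain")
    return reasons

# Constructed samples; the first is the payload quoted in the commit message.
SAMPLES = {
    "page_payload": """new Function('return require("child_process").execSync("id")')()""",
    "mcp_field": """{"mcpServerConfig": "new Function('return 1')()"}""",
    "proto_chain": "Function.prototype.constructor('return process.env')()",
    "safe_arithmetic": "const add = new Function('a', 'b', 'return a + b')",
    "require_prose": "In Node.js, require('fs') loads the file-system module.",
    "json5_prose": "Parse mcpServerConfig with JSON5.parse() rather than Function().",
    "plain_mcp": """{"command": "npx", "args": ["-y", "example-mcp-server"]}""",
}

def run_samples() -> dict[str, list[str]]:
    return {name: scan(text) for name, text in SAMPLES.items()}

if __name__ == "__main__":
    for name, reasons in run_samples().items():
        print(f"{name:16} {'FLAG ' + ','.join(reasons) if reasons else 'ok'}")
```

The last four samples mirror the true-negative categories the commit message lists: a finding requires dynamic code construction together with a system-module reference or an MCP configuration field, never either signal alone.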