This pull request introduces CVSS v3.1 scoring for vulnerability severity assessment and integrates it throughout the exploit/fix workflow. The changes ensure that vulnerabilities are now scored using a standardized CVSS vector, with automatic calculation of severity and numeric score, improving consistency and reliability. The implementation includes a pure-Python CVSS calculator, updates to the prompt and parsing logic, and expands the data models and tests to handle CVSS information.
Integration of CVSS v3.1 scoring:
Prompt and parsing updates:
The generate_patch_and_assess prompt now instructs the LLM to provide a CVSS v3.1 vector string for each vulnerability, and severity is mapped from the computed score rather than directly assigned. [1][2]
The process_fixer_result function validates CVSS vectors, computes the score and severity automatically, and logs warnings if the vector is invalid, falling back to LLM-provided severity if needed.
Data model enhancements:
ExploitRecord and FixRecord classes now include cvss_vector and cvss_score fields, with serialization/deserialization support in their to_dict and from_dict methods. [1][2][3][4][5][6]
CVSS calculator implementation:
Added a new module src/kai/utils/cvss.py with a pure-Python CVSS v3.1 vector parser, score calculator, severity mapping, and validation function.
Prompt and result schema changes:
The prompt and result schema now explicitly require and handle cvss_vector fields, and example outputs reflect this new requirement. [1][2]
Testing:
Introduced tests/test_cvss.py to verify CVSS vector parsing, score computation, severity mapping, and validation, ensuring correctness of the new scoring logic.
These changes standardize vulnerability scoring, improve data integrity, and provide robust test coverage for CVSS integration.
```json
{
  "_id": { "$oid": "3b803be88715f795d6e36309" },
  "executionId": { "$oid": "69ac93516f7f248dff75995f" },
  "createdAt": { "$date": "2026-03-07T21:24:28.426Z" },
  "updatedAt": { "$date": "2026-03-07T21:35:15.932Z" },
  "sourceAgent": "analyzer",
  "status": "verified_and_fixed",
  "hypothesis": "MarkdownRenderer component uses rehypeRaw plugin which allows raw HTML to be rendered without sanitization, enabling Stored XSS attacks. The skipHtml={false} setting explicitly permits HTML rendering of user-supplied content.",
  "file": "src/components/MarkdownRenderer.tsx",
  "function": "MarkdownRenderer",
  "sketch": "1. Attacker creates a blog post with malicious markdown containing <script>alert('XSS')</script> or <img src=x onerror=alert('XSS')> or other event handlers\n2. When other users view the blog post, the raw HTML is rendered directly in the browser\n3. The malicious JavaScript executes in the context of the victim's session, potentially stealing cookies, tokens, or performing actions on behalf of the user",
  "pocCodeS3": "69723bee8ceb013b4ad64f03/699865c11baa79067f6534fb/69ac93516f7f248dff75995f/exploits/3b803be88715f795d6e36309/poc_verified.sol",
  "verdict": {
    "isValid": true,
    "severity": "High",
    "cvssVector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L",
    "cvssScore": 8.9,
    "fixes": [
      {
        "patchS3": "69723bee8ceb013b4ad64f03/699865c11baa79067f6534fb/69ac93516f7f248dff75995f/exploits/3b803be88715f795d6e36309/fixes/eb357f6af274b7a608fc8022/diff.patch",
        "testResultsS3": "69723bee8ceb013b4ad64f03/699865c11baa79067f6534fb/69ac93516f7f248dff75995f/exploits/3b803be88715f795d6e36309/fixes/eb357f6af274b7a608fc8022/test_results.txt",
        "applied": false,
        "createdAt": { "$date": "2026-03-07T21:35:15.932Z" }
      }
    ]
  },
  "testOutputS3": "69723bee8ceb013b4ad64f03/699865c11baa79067f6534fb/69ac93516f7f248dff75995f/exploits/3b803be88715f795d6e36309/test_output.txt",
  "patch": "--- a/src/components/MarkdownRenderer.tsx\n+++ b/src/components/MarkdownRenderer.tsx\n@@ -1,14 +1,13 @@\n import ReactMarkdown from \"react-markdown\";\n import remarkMath from \"remark-math\";\n import rehypeKatex from \"rehype-katex\";\n-import rehypeRaw from \"rehype-raw\";\n \n export function MarkdownRenderer({ content }: { content: string }) {\n return (\n <ReactMarkdown\n remarkPlugins={[remarkMath]}\n- rehypePlugins={[rehypeRaw, rehypeKatex]}\n- skipHtml={false}\n+ rehypePlugins={[rehypeKatex]}\n+ skipHtml={true}\n >\n {content}\n </ReactMarkdown>\n",
  "test_results": "$ npx -y tsx verify_markdownrenderer_xss.tsx\nrc=0\nSTDOUT:\n=== rendered HTML ===\n<h1>Post</h1>\n<p>Attacker-controlled HTML:</p>\n\n\n<p>Trailing text</p>\n\nOK: Raw HTML was not rendered.\n\nSTDERR:\n\n\nNOTE:npm run build` cannot be executed in this environment because Next.js requires Node >=20.9.0.\n"
}
```
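Review bot: In the `rehypePlugins` / `skipHtml` lines of the embedded patch, removing `rehypeRaw` and setting `skipHtml={true}` drops every raw HTML node, so any benign inline HTML in already stored posts disappears along with the script and event-handler payloads. If posts are expected to carry a limited set of HTML, keep raw HTML parsing but follow it with an allowlist sanitizer such as rehype-sanitize; otherwise state in the fix record that dropping all HTML is intended. The recorded `test_results` cover a single render and note that `npm run build` could not run in that environment, and the fix is marked `"applied": false`, so a regression test committed alongside the patch and a build on a supported Node version should be required before this counts as verified.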
I also keep the CVSS vector, but it can be removed. I kept it because maybe in the long run we can change our CVSS method.