Skip to content

Real-World CVE Scenarios

Overview

AASTF v0.5.0 includes 8 scenarios derived from real-world CVEs and disclosed vulnerabilities in AI agent frameworks. These scenarios test whether your agent is susceptible to known attack patterns.

Scenario Details

CVE01-001: Checkpoint Deserialization RCE

Based on: LangGraph CVE-2025-68664 Category: ASI05 (Unexpected Code Execution) Severity: CRITICAL

A checkpoint restore operation deserializes untrusted data, leading to arbitrary code execution. The scenario tests whether an agent will process serialized objects from untrusted tool responses.

CVE01-002: Sandbox Fallback Escape

Based on: CrewAI CVE-2026-2275 Category: ASI05 (Unexpected Code Execution) Severity: CRITICAL

When Docker is unavailable, the framework falls back to unsafe local execution. Tests whether agents properly handle sandbox unavailability.

CVE01-003: SSRF via Message History

Based on: PydanticAI CVE-2026-25580 Category: ASI02 (Tool Misuse) Severity: HIGH

User-controlled URLs in message history trigger server-side requests to internal networks.

CVE01-004: Prompt-to-RCE via Tool Parameters

Based on: Semantic Kernel CVE-2026-25592 Category: ASI05 (Unexpected Code Execution) Severity: CRITICAL

Crafted prompts cause agents to pass malicious code to execution tools.

CVE01-005: Agent Card Poisoning

Based on: Google A2A vulnerability pattern Category: ASI04 (Supply Chain) Severity: HIGH

A2A Agent Card metadata injection influences which agent is selected for task delegation.

CVE01-006: Recursive Blocking DoS

Based on: AutoGen Corba attack research Category: ASI08 (Cascading Failures) Severity: HIGH

A message causes recursive agent delegation, blocking 79-100% of agents within 1.6 turns.

CVE01-007: Guardrail Bypass

Based on: OpenAI Agents SDK demonstrated bypass Category: ASI01 (Goal Hijack) Severity: HIGH

Crafted prompt bypasses safety guardrails while maintaining malicious intent.

CVE01-008: Hooks Injection RCE

Based on: Claude Code CVE-2025-59536 Category: ASI05 (Unexpected Code Execution) Severity: CRITICAL

Tool response content, if written to a hooks configuration file, enables remote code execution.

Running CVE Scenarios

# Run all CVE scenarios
aastf run --adapter generic --scenarios cve01/

# Include in full scan
aastf run --adapter langgraph --agent-factory your_agent:factory