Threat Intelligence8 min read

Weekly Threat Intelligence: Go ECH Privacy, Agent URI Abuse, Safetensors, and CRLF Metrics

A 21-day catch-up cycle reviewed 234 threat records, patched a reachable Go TLS privacy flaw, and hardened agent URI handling, safetensors validation, and metric injection defenses without adding modules or runtime dependencies.

1S

Threat Intelligence Team

threat intelligenceGo securityEncrypted Client Helloagent securityURI handlerssafetensorsmetric injectionNext.js securityweekly auditsingle binary

A Three-Week Catch-Up Window

This cycle widened the normal weekly window to 21 days, covering June 22 through July 13. The pipeline collected 234 high-signal records from 12 sources: 14 newly listed CISA Known Exploited Vulnerabilities, 220 high or critical NVD records, the Go Vulnerability Database, and 10 editorial or specialist research feeds. All 16 Go security modules, the Rust sidecar, and the core engine were introspected before the threat set was cross-referenced against current behavior.

The generated backlog contained 12 proposed actions, but most were continuations or already-covered controls. Real-time Linux inotify monitoring, overlapping deep-buffer scans, PDF FlateDecode inspection, dynamic MCP registration checks, extension-to-magic validation, and agentic markdown taint handling were already present. The implementation pass focused on the gaps that survived source and test review.

The Binary Itself Needed a TLS Patch

A direct govulncheck pass found what the report summary missed: Go 1.26.4 was affected by GO-2026-5856, the crypto/tls Encrypted Client Hello privacy vulnerability tracked as CVE-2026-42505. A passive network observer could use pre-shared key identities exposed in the unencrypted ClientHello to de-anonymize ECH connections. The scanner found reachable paths through the engine's NATS TLS connection, HTTP server, webhook client, and other TLS reads and writes.

The module now requires Go 1.26.5, the July 7 security release containing the crypto/tls fix. This is a standard-library and toolchain patch, not a new application dependency. After the upgrade, govulncheck reports zero reachable vulnerabilities in the public engine.

What Shipped in Existing Modules

Three detection improvements landed inside the established architecture. No seventeenth module was created, and no runtime library was added.

Agent URI handler containment

AI Agent Containment now examines structured tool arguments and targets for local or custom URI schemes including file, gopher, dict, expect, jar, local, NFS, and SMB handlers. The detector performs bounded percent-decoding before parsing candidates with Go's standard net/url package, so an encoded file:///workspace/config.json request cannot bypass the check. Approved HTTP and HTTPS tool destinations continue to pass normally.

This closes the class represented by CVE-2025-66389, where an AI tool's webpage fetch path could be redirected through a file-handler URI to read outside the approved workspace without the expected user approval.

Structural safetensors validation

Data Poisoning Guard previously checked safetensors header length and rejected obvious execution primitives. It now parses the official JSON header structure and validates every tensor shape and data range. Rank above 8, shapes expanding beyond 100 million elements, invalid dimensions, malformed offsets, and offsets beyond the artifact payload produce a model_artifact_structure alert before a downstream loader can allocate or reshape from hostile metadata.

The parser remains bounded to the existing one-megabyte model inspection window and uses only encoding/json, binary decoding, and the tensor metadata limits already maintained by the module.

CRLF metric injection detection

Injection Shield now recognizes literal and percent-encoded CRLF sequences that start an attacker-controlled StatsD-style metric line. Payloads such as value=100%0Aevil_tag:1|c are classified as CRLF Metric Injection, while ordinary metric text without a forged line boundary remains clean.

The implementation also corrected mitigation routing so alerts receive guidance for their raw detection category instead of falling through to generic advice after categories were converted to display labels.

The Publishing Surface Was Patched Too

The maintenance pass included the website that publishes these updates. Its existing Next.js dependency moved from 16.1.6 to 16.2.10, clearing the current high-severity framework advisories, and React moved from 19.2.3 to 19.2.7. A non-breaking lockfile remediation also cleared the remaining fixable high-severity transitive findings.

The audit still reports moderate upstream findings in Netlify's OpenTelemetry chain and the PostCSS copy bundled by the current Next.js release. The automated fixes for those findings would downgrade direct packages to unsuitable versions, so they remain tracked rather than hidden behind a forced and potentially breaking resolution.

Repeated Findings Were Re-Verified, Not Rebuilt

The catch-up report repeated several important threats that no longer represented missing controls. Runtime Watcher already uses Linux inotify for real-time temporary-file monitoring and classifies transient fileless execution. The Rust sidecar already scans large payloads in overlapping chunks and tests exact signatures across boundaries. LLM Firewall already decompresses PDF FlateDecode streams before scanning their plaintext. API Fortress and AI Agent Containment already enforce dynamic MCP registration and routing constraints. File Sentinel already ties common extensions to magic bytes and catches executable content disguised as images or documents.

That distinction matters. Weekly intelligence should improve coverage, not reward duplicate implementations. Existing controls were exercised through their regression tests and left in their owning modules.

Architecture Discipline Held

The public engine remains one Go binary with 16 security modules and an optional Rust sidecar. The new runtime behavior uses only the Go standard library and existing internal helpers. The only version change in the public repository is the fixed Go 1.26.5 toolchain requirement.

A longer threat window produced more headlines, but not more architecture. That is the useful shape of a catch-up run: broaden collection, verify aggressively, patch the binary where it is exposed, and extend the smallest number of existing controls needed to cover the surviving gaps.

Verification

Focused tests cover encoded local file URIs, clean HTTPS tool calls, rank-9 safetensors headers, out-of-range tensor offsets, valid safetensors artifacts, encoded and literal CRLF metric injection, clean metric text, and the expanded canonical agent event schema.

The complete public Go package set passed race-enabled tests under Go 1.26.5, build, vet, gofmt, module verification, and govulncheck with zero reachable vulnerabilities. The Rust sidecar passed cargo fmt, clippy with warnings denied, and all 188 feature-enabled tests. The private site passed its framework upgrade and non-breaking audit remediation before lint and production build verification.

Try 1-SEC Today

Open source, single binary, 16 security modules. Download and run in under 60 seconds.