Likelihood: MODERATE
Impact: HIGH
Treatment: AVOID
Confidence: Moderate
Likelihood is moderate: exploitation is unconfirmed and requires the attacker to get code executed inside the Terrarium execution environment (typically an internal AI/ML pipeline). Where Terrarium is used to run LLM-generated code, that precondition may be met by influencing the model's output rather than by direct network access to the host, so reachability should not be assumed to be limited to internal actors. The vulnerability is permanently unpatched on an EOL component with no remediation path, so exposure persists indefinitely and any future exploit development raises realized risk. Impact is high because successful exploitation yields root-level command execution on the host, enabling data exfiltration, credential theft, lateral movement into internal networks, and full compromise of any AI/ML pipeline assets, consequences that extend well beyond the sandbox boundary.
Treatment rationale: Terrarium is end-of-life with no patch forthcoming, making sustained risk reduction through mitigating controls a temporary and degrading posture; decommissioning or replacing the tool eliminates the exposure class entirely and is the only durable treatment for a permanently unpatched root-escape vulnerability.
Third-Party / Supply-Chain Risk
Cohere AI Terrarium is an abandoned third-party OSS component; organizations have inherited a permanently unpatched dependency with no upstream remediation path, the unsupported-system-component condition that NIST SP 800-53 SA-22 and NIST SP 800-161 (C-SCRM) require organizations to identify and manage. The underlying Pyodide WebAssembly runtime is a further transitive dependency that Terrarium will never again pick up fixes for; any organization using Terrarium as a shared execution layer across multiple AI/ML products or teams amplifies the blast radius. Integrators who embedded Terrarium into managed AI platforms or SaaS offerings face compounded supply-chain exposure affecting their downstream customers.
Loss Exposure (illustrative)
Magnitude: high — illustrative $500K–$5M per incident, reflecting full host compromise in an AI/ML pipeline context with likely data, credential, and lateral-movement consequences
Frequency: For an organization actively using Terrarium to execute LLM-generated or untrusted code with any external-facing or multi-tenant exposure, illustrative probability of a loss event is low-to-moderate per year while unmitigated, increasing over time as no patch will ever reduce the attack surface and exploit maturity grows
Annualized: Illustrative ALE: low-to-moderate annual loss exposure — roughly $50K–$500K annualized at current exploitation-unknown status, with upward trajectory as EOL status and public CVE increase attacker awareness
Basis: Magnitude derived from: a root-level escape on an AI/ML host implies a broad blast radius (data, credentials, pipeline integrity, potential lateral movement); pipeline environments frequently hold model weights, API keys, training data, and internal service credentials, elevating the asset value at risk. Frequency derived from: exploitation is currently unconfirmed, reducing near-term probability, but permanent EOL status with no patch path and a public CVE ensure the window remains open indefinitely, and threat-actor interest in AI infrastructure components is increasing. The annualized estimate is a product of these illustrative inputs only.
Illustrative estimate — not actuarially derived.
Insurance / Contractual / Legal — Potential Obligations
Potential triggers, not legal determinations. Verify with counsel/broker before acting.
• If PII, PHI, or regulated data is processed by or stored on the host reachable via the sandbox escape, a confirmed compromise event may invoke state and federal breach-notification obligations — verify with counsel.
• Root-level host compromise may constitute a reportable security incident under cyber-insurance policy terms; continued operation of a known, permanently unpatched EOL component could implicate coverage conditions or exclusions — verify with broker.
• Organizations subject to SOC 2, ISO 27001, or FedRAMP may face audit findings for knowingly operating an unpatched, EOL component with an active CVE — verify with compliance counsel.
• If Terrarium is embedded in a product or service delivered to customers, contractual security warranties or SLA provisions may be implicated upon disclosure — verify with counsel.