Ten modules across ten weeks. Each module is a working artefact: a mapping table, a templating-pipeline trace, a Flask-anchored generic Jinja2 SSTI, an end-to-end CVE-2025-65106 reproduction, a patch read, a detector tool, a Go cousin reproduction, a coordinated-disclosure timeline, a packaged reproduction-tool repo, and a capstone-grade six-to-eight-page report. Twenty-two hours of lecture, forty hours of lab, fifty-three hours of independent practice, one hundred and fifteen hours total.
Position in the academy
ADV-102 is the fourth belt of the academy ladder, the deep-technical adversarial course. Students arrive having shipped a classical-era CVE-to-Tool reproduction in ADV-101 (SB6141 cable modem family) and having studied the OWASP LLM Top 10 in AI-101. ADV-102 mirrors ADV-101's structure exactly: one named CVE, full reproduction, defensible reproduction tool, coordinated-disclosure-style report. The pivot is to the LLM era.
The pedagogical move
ADV-101 said: a named classical CVE is the unit of practitioner work. ADV-102 says: the same is true in the LLM era, and the bug class lives in the libraries that production agentic systems depend on, not in the models themselves. The anchor CVE is CVE-2025-65106, a Jinja2 server-side template injection in LangChain's prompt-template layer. Students reproduce it on a pinned vulnerable version, read the upstream patch, and build a detector tool that scans for vulnerable installs. The thesis is that the attack surface of an agentic system is the prompt-rendering pipeline, the template engines, the deserialisation layers, and the tool-calling boundaries that surround the LLM. That is where the next ten years of practical LLM security work will land.
Reading anchors
Two anchor pairings carry the course. The practitioner-narrative axis pairs Stuttard and Pinto's Web Application Hacker's Handbook Chs 8-9 (server-side template injection, established in PEN-101, deepened in ADV-101) with Seitz and Arnold's Black Hat Python Ch 10 (forensic scripting and structured-output discipline). Stuttard and Pinto's SSTI material predates LangChain by a decade and explains why Module 4's reproduction is discoverable in the first place. Seitz and Arnold's instrumentation discipline shapes the Module 6 detector tool's structured-output reports.
The taxonomy axis pairs the OWASP Top 10 for Large Language Model Applications (LLM01 through LLM10) with the OWASP Top 10 for Agentic AI Applications (ASI Top 10). CVE-2025-65106 is a concrete instance of LLM01 (Prompt Injection) in the specific sense that the injection reaches a template renderer rather than the model itself; the ASI Top 10 extends the taxonomy to multi-step agentic workflows. The Module 2 architecture trace classifies each LangChain component by its ASI risk category; the capstone report explicitly maps CVE-2025-65106 to OWASP LLM and ASI items.
Module map
| Module | Topic | Working artefact |
|---|---|---|
| 1 | The CVE-to-Tool methodology, recapped from ADV-101 | Two-page mapping table comparing the ADV-101 target (SB6141 family) to the ADV-102 target (CVE-2025-65106) |
| 2 | LangChain architecture and the templating pipeline | Trace a prompt through LangChain Expression Language; identify the templating step where Jinja2 fires |
| 3 | Jinja2 SSTI, the bug class | Reproduce a generic Jinja2 SSTI in a Flask app to anchor the bug class before the LangChain-specific reproduction |
| 4 | CVE-2025-65106, the specific instance | Pin a vulnerable LangChain version in a clean virtualenv; reproduce the chain end-to-end |
| 5 | The patch and the defender lens | Read the upstream patch diff; identify the missing input validation; describe what a defender now does differently |
| 6 | Building the reproduction tool (CVE detector) | Build a Python tool that scans a target for vulnerable LangChain versions; outputs a structured detector report |
| 7 | Cross-language generalisation | Reproduce CVE-2025-9556 (Gonja SSTI in Go); pair with the Python target and show the bug class crosses languages |
| 8 | Coordinated-disclosure discipline | Walk a hypothetical disclosure timeline against a fictional vendor; produce a vendor-readable report draft |
| 9 | Defensible reproduction-tool deployment | Package the detector tool; document installation and use; publish to a private repo for instructor review |
| 10 | Capstone, full CVE reproduction plus tool plus report | Submit reproduction harness plus detector tool plus six-to-eight-page coordinated-disclosure-style report plus five-minute recorded demo |
Learning outcomes
- Remember. State the CVE identifier, CVSS score, affected versions, and patched version of CVE-2025-65106.
- Understand. Explain why Jinja2 SSTI is the canonical agentic-system bug class for Python-based stacks.
- Apply. Reproduce CVE-2025-65106 end-to-end on a controlled local install.
- Apply. Build a defensible reproduction tool that detects vulnerable LangChain versions.
- Apply. Reproduce the Go cousin (CVE-2025-9556) and identify the cross-language pattern.
- Analyze. Read the upstream patch diff and identify the missing input validation.
- Synthesize. Ship the capstone, a reproduction harness plus detector tool plus six-to-eight-page coordinated-disclosure report.
Assessment
First the project has to work. The CVE-2025-65106 reproduction runs cleanly; the detector tool flags vulnerable installs correctly and skips patched installs; the report is submitted; the demo is recorded. Then the written report is scored on three dimensions, weighted 40/30/30: reproduction depth (40%), tool defensibility and documentation (30%), and report and demo quality measured against coordinated-disclosure practices (30%). B-minus minimum on Tier 2 for the certificate.
What comes next
- AI-201. Production agentic-system pentesting at scale. ADV-102 graduates arrive in AI-201 with a concrete CVE under their belt and a working detector tool to point at; the AI-201 syllabus picks up where this one stops.
- AI-301. Adversarial AI capstone. The cross-language pattern you wrote up in Module 7 is the kind of thinking AI-301 has students apply to broader bug classes.
- ADV-101. The classical-era CVE-to-Tool course. ADV-101 plus ADV-102 in either order gives a graduate the full era-spanning CVE-to-Tool toolbox.