Connect2id Nimbus JOSE + JWT before 10.0.2 allows a remote attacker to cause a denial of service via a deeply nested JSON object supplied in a JWT claim set, because of uncontrolled recursion. NOTE: this is independent of the Gson 2.11.0 issue because the Connect2id product could have checked the JSON object nesting depth, regardless of what limits (if any) were imposed by Gson.

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.

Attack complexity: More severe for the least complex attacks.

Privileges required: More severe if no privileges are required.

User interaction: More severe when no user interaction is required.

Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.

Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.

Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.

Availability: More severe when the loss of impacted component availability is highest.

GHSA-xwmg-2g98-w7v9: Nimbus JOSE + JWT is vulnerable to DoS attacks when processing deeply nested JSON

Information from the company's NS Solutions subsidiary has yet to show up on any Dark Web sites, but it doesn't rule out the possibility that the data may have been stolen.

Customer, Employee Data Exposed in Nippon Steel Breach

Major security flaw in McDonald’s AI hiring tool McHire exposed 64M job applications. Discover how an IDOR vulnerability…

Major security flaw in McDonald’s AI hiring tool McHire exposed 64M job applications. Discover how an IDOR vulnerability and weak default credentials led to a massive leak of personal data and the swift remediation by Paradox.ai.

A vulnerability in McHire, the AI-powered recruitment platform used by a vast majority of McDonald’s franchisees, exposed the personal information of over 64 million job applicants. The vulnerability, discovered by security researchers Ian Carroll and Sam Curry, allowed unauthorised access to sensitive data, including names, email addresses, phone numbers, and home addresses.

The investigation began after reports surfaced on Reddit about the McHire chatbot, named Olivia and developed by Paradox.ai, giving strange responses. Researchers quickly found two critical weaknesses. First, the administration login for restaurant owners on McHire accepted easily guessable default credentials: “123456” for both username and password. This simple entry granted them administrator access to a test restaurant account within the system.

Source: Reddit

The second, and more serious, issue was an Insecure Direct Object Reference (IDOR) on an internal API. An IDOR means that by simply changing a number in a web address (in this case, a lead\_id tied to applicant chats), anyone with a McHire account could access confidential information from other applicants’ chat interactions.

According to their blog post, researchers noted that this allowed them to view details from millions of job applications, including unmasked contact information and even authentication tokens that could be used to log in as the applicants themselves and see their raw chat messages.

Source: Ian Carroll

The McHire platform, accessible via https://jobs.mchire.com/, guides job seekers through an automated process, including a personality test from Traitify.com. Applicants interact with Olivia, providing their contact details and shift preferences.

It was while observing a test application from the restaurant owner’s side that the researchers stumbled upon the vulnerable API. They noticed a request to fetch candidate information, PUT /api/lead/cem-xhr, which used a lead_id that could be altered to view other applicants’ data.

Upon realising the vast scale of the potential data exposure, the researchers immediately initiated disclosure procedures. They contacted Paradox.ai and McDonald’s on June 30, 2025, at 5:46 PM ET.

McDonald’s acknowledged the report shortly after, and by June 30, 2025, at 7:31 PM ET, the default administrative credentials were no longer functional. Paradox.ai confirmed that the issues had been fully resolved by July 1, 2025, at 10:18 PM ET. Both companies have stated their commitment to data security following the swift remediation of this critical vulnerability.

“This incident is a reminder that when companies rush to deploy AI in customer-facing workflows without proper oversight, they expose themselves and millions of users to unnecessary risk,” said Kobi Nissan, Co-Founder & CEO at MineOS, a global data privacy management firm.

“The issue here isn’t the AI itself, but the lack of basic security hygiene and governance around it. Any AI system that collects or processes personal data must be subject to the same privacy, security, and access controls as core business systems,” explained Kobi.

“That means authentication, auditability, and integration into broader risk workflows, not siloed deployments that fly under the radar. As adoption accelerates, businesses need to treat AI not as a novelty but as a regulated asset and implement frameworks that ensure accountability from the start,” he advised.

McDonald’s AI Hiring Tool McHire Leaked Data of 64 Million Job Seekers

DHS is urging law enforcement to treat even skateboarding and livestreaming as signs of violent intent during a protest, turning everyday behavior into a pretext for police action.

The Department of Homeland Security is urging local police to consider a wide range of protest activity as violent tactics, including mundane acts like riding a bike or livestreaming a police encounter, WIRED has learned.

Threat bulletins issued during last month’s “No Kings” protests warn that the US government’s aggressive immigration raids are almost certain to accelerate domestic unrest, with DHS saying there’s a “high likeliness” more Americans will soon turn against the agency, which could trigger confrontations near federal sites.

Blaming intense media coverage and backlash to the US military deployment in Los Angeles, DHS expects the demonstrations to “continue and grow across the nation” as protesters focused on other issues shift to immigration, following a broad “embracement of anti-ICE messaging.”

The bulletins—first obtained by the national security nonprofit Property of the People through public records requests—warn that officers could face assaults with fireworks and improvised weapons: paint-filled fire extinguishers, smoke grenades, and projectiles like bottles and rocks.

At the same time, the guidance urges officers to consider a range of nonviolent behavior and common protest gear—like masks, flashlights, and cameras—as potential precursors to violence, telling officers to prepare “from the point of view of an adversary.”

Protesters on bicycles, skateboards, or even “on foot” are framed as potential “scouts” conducting reconnaissance or searching for “items to be used as weapons.” Livestreaming is listed alongside “doxxing” as a “tactic” for “threatening” police. Online posters are cast as ideological recruiters—or as participants in “surveillance sharing.”

One list of “violent tactics” shared by the Los Angeles–based Joint Regional Intelligence Center—part of a post-9/11 fusion network—includes both protesters’ attempts to avoid identification and efforts to identify police. The memo also alleges that face recognition, normally a tool of law enforcement, was used against officers.

Vera Eidelman, a senior staff attorney with the American Civil Liberties Union, says the government has no business treating constitutionally protected activities—like observing or documenting police—as threats.

DHS did not respond to a request for comment.

“Exercising those rights shouldn't be justification for adverse action or suspicion by the government,” Eidelman says. Labeling something as harmless as skateboarding at a protest as a violent threat is “disturbing and dangerous,” she adds, and could “easily lead to excessive force against people who are simply exercising their First Amendment rights.”

“The DHS report repeatedly conflates basic protest, organizing, and journalism with terroristic violence, thereby justifying ever more authoritarian measures by law enforcement,” says Ryan Shapiro, executive director of Property of the People. “It should be sobering, if unsurprising, that the Trump regime’s response to mass criticism of its police state tactics is to escalate those tactics.”

Fusion centers like JRIC play a central role in how police understand protest movements. The intelligence they produce is rapidly disseminated and draws heavily on open-source data. It often reflects broad, risk-averse assumptions and includes fragmentary and unverified information. In the absence of concrete threats, bulletins often turn to ideological language and social media activity as evidence of emerging risks, even when tied to lawful expression.

DHS’s risk-based approach reflects a broader shift in US law enforcement shaped by post-9/11 security priorities—one that elevates perceived intent over demonstrable wrongdoing and uses behavior cues, affiliations, and other potentially predictive indicators to justify early intervention and expanded surveillance.

A year ago, DHS warned that immigration-related grievances were driving a spike in threats against judges, migrants, and law enforcement, predicting that new laws and high-profile crackdowns would further radicalize individuals. In February, another fusion center reported renewed calls for violence against police and government officials, citing backlash to perceived federal overreach and identifying then-upcoming protests and court rulings as likely triggers.

At times, the sprawling predictions may appear prescient, echoing real-world flashpoints: In Alvarado, Texas, an alleged coordinated ambush at a detention center this week drew ICE agents out with fireworks before gunfire erupted on July 4, leaving a police officer shot in the neck. (Nearly a dozen arrests have been made, at least 10 on charges of attempted murder.)

In advance of protests, agencies increasingly rely on intelligence forecasting to identify groups seen as ideologically subversive or tactically unpredictable. Demonstrators labeled “transgressive” may be monitored, detained without charges, or met with force.

Social movement scholars widely recognize the introduction of preemptive protest policing as a departure from late-20th century approaches that prioritized de-escalation, communication, and facilitation. In its place, authorities have increasingly emphasized control of demonstrations through early intervention, surveillance, and disruption—monitoring organizers, restricting public space, and responding proactively based on perceived risks rather than actual conduct.

Infrastructure initially designed to combat terrorism now often serves to monitor street-level protests, with virtual investigations units targeting demonstrators for scrutiny based on online expression. Fusion centers, funded through DHS grants, have increasingly issued bulletins flagging protest slogans, references to police brutality, and solidarity events as signs of possible violence—disseminating these assessments to law enforcement absent clear evidence of criminal intent.

Surveillance of protesters has included the construction of dossiers (known as “baseball cards”) with analysts using high-tech tools to compile subjects’ social media posts, affiliations, personal networks, and public statements critical of government policy.

Obtained exclusively by WIRED, a DHS dossier on Mahmoud Khalil, the former Columbia graduate student and anti-war activist, shows that analysts drew information from Canary Mission, a shadowy blacklist that anonymously profiles critics of Israeli military action and supporters of Palestinian rights.

In federal court Wednesday, a senior DHS official acknowledged that material from Canary Mission had been used to compile more than 100 dossiers on students and scholars, despite the site's ideological slant, mysterious funding, and unverifiable sourcing.

Threat bulletins can also prime officers to anticipate conflict, shaping their posture and decisions on the ground. In the wake of violent 2020 protests, the San Jose Police Department in California cited the “numerous intelligence bulletins” it received from its local regional fusion center, DHS, and the FBI, among others, as central to understanding “the mindset of the officers in the days leading up to and throughout the civil unrest.”

Specific bulletins cited by the SJPD—whose protest response prompted a $620,000 settlement this month—framed the demonstrations as possible cover for “domestic terrorists,” warned of opportunistic attacks on law enforcement and promoted an “unconfirmed report” of U-Haul vans purportedly being used to ferry weapons and explosives.

Subsequent reporting in the wake of BlueLeaks—a 269-gigabyte dump of internal police documents obtained by a source identifying as the hacktivist group Anonymous and published by transparency group Distributed Denial of Secrets—found federal bulletins riddled with unverified claims, vague threat language, and outright misinformation, including alerts about a parody website that supposedly paid protesters and accepted bitcoin to set cars on fire, despite a clear banner labeling the site “FAKE.”

Threat alerts—unclassified and routinely accessible to the press—can help law enforcement shape public perception of protests before they begin, laying the groundwork to legitimize aggressive police responses. Unverified DHS warnings about domestic terrorists infiltrating demonstrations in 2020, publicly echoed by the agency’s acting secretary on Twitter, were widely circulated and amplified in media coverage.

Americans are generally opposed to aggressive protest crackdowns, but when they do support them, fear is often the driving force. Experimental research suggests that support for the use of coercive tactics hinges less on what protesters actually do than on how they’re portrayed—by officials, the media, and through racial and ideological frames.

DHS Tells Police That Common Protest Activities Are ‘Violent Tactics’

Digital fingerprinting technology creates detailed user profiles by combining device data with location and demographics, which increases the risks of surveillance.

Digital Fingerprints Test Privacy Concerns in 2025

eSIMs around the world may be fundamentally vulnerable to physical and network attacks because of a 6-year-old Oracle vulnerability in technology that underlies billions of cards.

eSIM Bug in Millions of Phones Enables Spying, Takeover

Uncontrolled Resource Consumption vulnerability in Apache Tomcat if an HTTP/2 client did not acknowledge the initial settings frame that reduces the maximum permitted concurrent streams.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.8, from 10.1.0-M1 through 10.1.42, from 9.0.0.M1 through 9.0.106.

Users are recommended to upgrade to version 11.0.9, 10.1.43 or 9.0.107, which fix the issue.

**Exploitability Metrics**

Attack Vector: This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.

Attack Complexity: This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. These are conditions whose primary purpose is to increase security and/or increase exploit engineering complexity. A vulnerability exploitable without a target-specific variable has a lower complexity than a vulnerability that would require non-trivial customization. This metric is meant to capture security mechanisms utilized by the vulnerable system.

Attack Requirements: This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack. These differ from security-enhancing techniques/technologies (ref Attack Complexity) as the primary purpose of these conditions is not to explicitly mitigate attacks, but rather, emerge naturally as a consequence of the deployment and execution of the vulnerable system.

Privileges Required: This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.

User interaction: This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner.

**Vulnerable System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the VULNERABLE SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the VULNERABLE SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the VULNERABLE SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

**Subsequent System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the SUBSEQUENT SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the SUBSEQUENT SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the SUBSEQUENT SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

GHSA-25xr-qj8w-c4vf: Apache Tomcat Coyote vulnerable to Denial of Service via excessive HTTP/2 streams

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') vulnerability in Apache Tomcat when using the APR/Native connector. This was particularly noticeable with client initiated closes of HTTP/2 connections.

This issue affects Apache Tomcat: from 9.0.0.M1 through 9.0.106.

Users are recommended to upgrade to version 9.0.107, which fixes the issue.

GHSA-4j3c-42xv-3f84: Apache Tomcat Utilities is vulnerable to resource exhaustion when using the APR/Native connector

For some unlikely configurations of multipart upload, an Integer Overflow vulnerability in Apache Tomcat could lead to a DoS via bypassing of size limits.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.8, from 10.1.0-M1 through 10.1.42, from 9.0.0.M1 through 9.0.106.

Users are recommended to upgrade to version 11.0.9, 10.1.43 or 9.0.107, which fix the issue.

GHSA-wr62-c79q-cv37: Apache Tomcat Catalina is vulnerable to DoS attack through bypassing of size limits

Customers were the first to notice the disruption on the distributor's website when they couldn't place orders online.

Latest News