Security Headlines

Latest News

GHSA-8f82-53h8-2p34: HashiCorp Vault Community Edition Denial of Service Through Complex JSON Payloads

A malicious user may submit a specially-crafted complex payload that otherwise meets the default request size limit, resulting in excessive memory and CPU consumption in Vault. This may lead to a timeout in Vault's auditing subroutine, potentially causing the Vault server to become unresponsive. This vulnerability, CVE-2025-6203, is fixed in Vault Community Edition 1.20.3 and Vault Enterprise 1.20.3, 1.19.9, 1.18.14, and 1.16.25.

CISA, FBI, NSA Warn of Chinese 'Global Espionage System'

Three federal agencies were parties to a global security advisory this week warning about the extensive threat posed by Chinese nation-state actors targeting network devices.

GHSA-jc7w-c686-c4v9: github.com/ulikunitz/xz leaks memory when decoding corrupted multiple LZMA archives

### Summary

It is possible to put data in front of an LZMA-encoded byte stream without the situation being detected while reading the header. This can lead to increased memory consumption because the current implementation allocates the full decoding buffer directly after reading the header. According to the [specification](https://github.com/jljusten/LZMA-SDK/blob/master/DOC/lzma-specification.txt), the LZMA header includes neither a magic number nor a checksum that would detect such an issue. Note that the code recognizes the issue later while reading the stream, but by that time the memory allocation has already been done.

### Mitigations

The release v0.5.14 includes the following mitigations:

- The ReaderConfig DictCap field is now interpreted as a limit for the dictionary size.
- The default is 2 Gigabytes (2^31 bytes).
- Users can check with the [Reader.Header] method what the actual values are in their LZMA files and set a smaller limit using ReaderConfig.
- The dictionary size will not ...

GHSA-3rw9-wmc8-8948: Coder accepts an APIKey beyond the linked OIDC expiry if there is no refresh token

### Summary

If users log in to Coder via OIDC, and the OpenID Identity Provider does not return a refresh token, then Coder may allow their web session to continue beyond the expiration of the token returned by the OpenID Identity Provider.

### Details

When a user logs in via OIDC, Coder stores the OIDC token and refresh token (if any) in its datastore and sets an APIKey in the user's cookies. If there is a refresh token, then when the OIDC token has expired and a request is made with the APIKey, we attempt to refresh the OIDC token. If the refresh fails, the Coder API request also fails and the user needs to log in again. However, if no refresh token is provided, then affected versions of Coder fail to enforce the expiry of the OIDC token, and allow users to make API requests even if it has expired, so long as the APIKey stored in their cookies has not expired. Coder APIKeys have an expiry and lifetime of 24 hours, but Coder is configured to extend the lifetime of the APIKey by up t...

Hackers Steal 4M+ TransUnion Customers' Data

The credit reporting agency said the breach was "limited to specific data elements" and didn't include credit reports or core credit information.

CISA Adds Citrix and Git Flaws to KEV Catalogue Amid Active Exploitation

CISA has added three actively exploited vulnerabilities in Citrix and Git to its KEV Catalogue. Federal agencies must…

Akira, Cl0p Top List of 5 Most Active Ransomware-as-a-Service Groups

Many familiar faces made Flashpoint's 2025 midyear ransomware report, as well as new gangs, which are increasingly using AI.

CVE-2025-9478: Chromium: CVE-2025-9478 Use after free in ANGLE

**What is the version information for this release?**

| Microsoft Edge Version | Date Released | Based on Chromium Version |
| --- | --- | --- |
| 139.0.3405.125 | 8/28/2025 | 139.0.7258.154/.155 |

1,000+ Devs Lose Their Secrets to an AI-Powered Stealer

One of the most sophisticated supply chain attacks to date caused immense amounts of data to leak to the Web in a matter of hours.

Link up, lift up, level up

This week, Joe encourages you to find your community in cybersecurity and make the effort to grow, network and hack stuff together.