Latest News
### Impact

The `ERC7984` contract tracks total supply using a confidential `euint64` value. If a call to the internal `_mint` function would result in the total supply overflowing, the call fails silently. The `wrap` and `onTransferReceived` functions in `ERC7984ERC20Wrapper` assume that `_mint` won't fail silently and do not check the return value. If the mint function fails silently, users do not receive the confidential wrapped token but still send the underlying token, resulting in a loss of funds.

By default (without overriding `rate()`), the wrapper fills up after wrapping ~18.4 trillion tokens. There are very few tokens of value with sufficient total supply to result in the filling of the wrapper. That said, we recommend upgrading to `0.3.1` to remove this issue.

### Patches

This issue has been patched in the `0.3.1` release.
The function `gix_date::parse::TimeBuf::as_str` can create an illegal string containing non-UTF-8 bytes. This violates the safety invariant of `TimeBuf` and can lead to undefined behavior when consuming the string. The bug can be prevented by adding a `str::from_utf8` check to the function `TimeBuf::write`.
### Summary

A specially crafted nonce routes unauthenticated requests through the NoEncoder path, where `startSessionHandler()` reads the entire request body without limits, allowing attacker-driven memory exhaustion and process crash.

### Details

- `server/encoders/encoders.go`: `EncoderFromNonce()` returns NoEncoder when `nonce % 65537 == 0` (lines 254-264); NoEncoder is a passthrough (`util/encoders/nop.go:22-32`).
- `server/c2/http.go`: `anonymousHandler()` routes requests with any encoder (including NoEncoder) to `startSessionHandler()` (lines 551-562).
- `server/c2/http.go`: `startSessionHandler()` uses `io.ReadAll(req.Body)` without a size cap (lines 564-643), unlike the authenticated path, which uses `io.LimitedReader` (`readReqBody()`, lines 708-732).

### PoC

An attacker could send an HTTP POST with a nonce that is a multiple of 65537 (e.g., `?q=65537`) so it is handled by `startSessionHandler()` with a NoEncoder, and advertise a very large Content-Length while streaming data. Bec...
### Impact

An attacker may inject content with ASCII control characters like vertical tabs, ANSI escape sequences, etc., that can create misleading output of the `badkeys` command-line tool. This impacts scanning DKIM keys (both `--dkim` and `--dkim-dns`), SSH keys (`--ssh-lines` mode), and filenames in various modes.

### Patches

This has been fixed with the following commits:

- https://github.com/badkeys/badkeys/commit/de631f69f040974bb5fb442cdab9a1d904c64087
- https://github.com/badkeys/badkeys/commit/635a2f3b1b50a895d8b09ec8629efc06189f349a

All users should upgrade `badkeys` to version 0.0.16.

### Resources

https://github.com/badkeys/badkeys/issues/40
Two US citizens pleaded guilty to working as ALPHV/BlackCat ransomware affiliates in 2023, and both were previously employed by prominent security firms.
Note that attackers must have administrator access to the Craft Control Panel for this to work. Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue.

Resources:

- https://github.com/craftcms/cms/commit/6e608a1a5bfb36943f94f584b7548ca542a86fef
- https://github.com/craftcms/cms/commit/27f55886098b56c00ddc53b69239c9c9192252c7
- https://github.com/craftcms/cms/commit/ec43c497edde0b2bf2e39a119cded2e55f9fe593
- https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04

### Summary

This was reported as a vulnerability in the Yii framework on August 7th (https://github.com/yiisoft/yii2/security/advisories/GHSA-gcmh-9pjj-7fp4). The Yii framework team denies responsibility for this (placing the onus on application developers) and hence has not (and seemingly will not) provide a fix at the framework level. Hence, I am reporting this to Craft as I found it to affect the latest (`5.6.0`) version of Craft CMS. Leveraging a legitimate but maliciously crafte...
Unauthenticated users can trigger database backup operations via specific admin actions, potentially leading to resource exhaustion or information disclosure. Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue. Craft 3 users should update to the latest Craft 4 and 5 releases, which include the fixes.

Resources:

- https://github.com/craftcms/cms/commit/f83d4e0c6b906743206b4747db4abf8164b8da39
- https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04

## Affected Endpoints

- `POST /admin/actions/app/migrate` (unauthenticated)
- `POST /admin/actions/updater/backup`

## Vulnerability Details

### Root Cause

Certain admin actions are explicitly configured with anonymous access:

```php
// AppController.php
protected array|bool|int $allowAnonymous = [
    'migrate' => self::ALLOW_ANONYMOUS_LIVE | self::ALLOW_ANONYMOUS_OFFLINE,
    // ...
];

// BaseUpdaterController.php
protected array|bool|int $allowAnonymous = self::ALLOW_ANONYMOUS_L...
```
For this to work, users must have administrator access to the Craft Control Panel, and [allowAdminChanges](https://craftcms.com/docs/5.x/reference/config/general.html#allowadminchanges) must be enabled, which is against Craft CMS' recommendations for any non-dev environment: https://craftcms.com/knowledge-base/securing-craft#set-allowAdminChanges-to-false-in-production

Alternatively, a non-administrator account with allowAdminChanges disabled can be used, provided access to the System Messages utility is available.

It is possible to craft a malicious payload using the Twig `map` filter in text fields that accept Twig input under Settings in the Craft control panel or using the System Messages utility, which could lead to RCE. Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue.

References:

- https://github.com/craftcms/cms/commit/d82680f4a05f9576883bb83c3f6243d33ca73ebe
- https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821...
Security experts at Zenity Labs warn that Anthropic’s new agentic browser extension, Claude in Chrome, could bypass traditional web security, exposing private data and login tokens to potential hijackers.
The Craft CMS GraphQL `save_<VolumeName>_Asset` mutation is vulnerable to Server-Side Request Forgery (SSRF). This vulnerability arises because the `_file` input, specifically its `url` parameter, allows the server to fetch content from arbitrary remote locations without proper validation. Attackers can exploit this by providing internal IP addresses or cloud metadata endpoints as the `url`, forcing the server to make requests to these restricted services. The fetched content is then saved as an asset, which can subsequently be accessed and exfiltrated, leading to potential data exposure and infrastructure compromise. This exploitation requires specific GraphQL permissions for asset management within the targeted volume.

Users should update to the patched 5.8.21 and 4.16.17 releases to mitigate the issue.

References:

- https://github.com/craftcms/cms/commit/013db636fdb38f3ce5657fd196b6d952f98ebc52
- https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04

---

### Requi...