ghsa

### Impact Applications that use undici to implement a webhook-like system are vulnerable. If the attacker set up a server with an invalid certificate, and they can force the application to call the webhook repeatedly, then they can cause a memory leak. ### Patches This has been patched in https://github.com/nodejs/undici/pull/4088. ### Workarounds If a webhook fails, avoid keep calling it repeatedly. ### References Reported as: https://github.com/nodejs/undici/issues/3895

**Summary** We received a responsible disclosure from Allam Rachid (zhero) for a low-severity race-condition vulnerability in Next.js. This issue only affects the **Pages Router** under certain misconfigurations, causing normal endpoints to serve `pageProps` data instead of standard HTML. [Learn more here](https://vercel.com/changelog/cve-2025-32421) **Credit** Thank you to **Allam Rachid (zhero)** for the responsible disclosure. This research was rewarded as part of our bug bounty program.

### Summary Minting large amount of tokens through ibc transfer and then depositing them in validator rewards pool (via `DepositValidatorRewardsPool` message) can lead to integer overflow panic when calculating `cumulative_reward_ratio` for the validator. This calculation happens in `x/epoching` module `EndBlocker`, thus the panic will halt the chain. ### Impact Denial of Service - Due to panic in the `EndBlocker` Babylon Genesis will halt

### Summary A high vulnerability exists in the Babylon protocol's x/finality module due to a lack of domain separation in signed messages, combined with insufficient validation in the MsgCommitPubRandList handler. Specifically, the handler does not enforce that the submitted Commitment field is 32 bytes long. This allows an attacker to replay a signature originally generated for a different message (e.g., a Proof-of-Possession in MsgCreateFinalityProvider) as a MsgCommitPubRandList. By crafting the message parameters, an attacker can use the typically 20-byte address bytes (from the PoP context) to form the StartHeight, NumPubRand, and a shorter-than-expected Commitment (e.g., 4 bytes). The replayed signature will pass verification for this crafted message, leading to the injection of an invalid PubRand commitment. ### Impact Successful exploitation of this vulnerability, specifically via the PoP signature replay, allows an attacker to store an invalid PubRand commitment (with a non...

Mattermost versions 10.6.x <= 10.6.1, 10.5.x <= 10.5.2, 10.4.x <= 10.4.4, 9.11.x <= 9.11.11 fail to check the correct permissions which allows authenticated users who only have permission to invite non-guest users to a team to add guest users to that team via the API to add a single user to a team.

Mattermost versions 10.6.x <= 10.6.1, 10.5.x <= 10.5.2, 10.4.x <= 10.4.4, 9.11.x <= 9.11.11 fail to lockout LDAP users following repeated login failures, which allows attackers to lock external LDAP accounts through repeated login failures through Mattermost.

### Summary Stored Cross-Site Scripting (XSS) vulnerability allows attackers to inject malicious scripts into web applications, which can then be executed in the context of other users' browsers. This can lead to unauthorized access to sensitive information, session hijacking, and spreading of malware, impacting user data privacy and application integrity. ### Details A user with rights to modificate the service (e.g. kuiperUser role) can inject XSS Payload into Connection Configuration key `Name` (`confKey`) parameter. Then, after any user with access to this service (e.g. admin) will try to delete this key, a payload will act in victim's browser. ### PoC 1. Authorize as a user with rights to modificate the service (e.g. kuiperUser role). 2. Create a service or go to the existing one and access the *Configuration > Connection* page:  3. Open any existing Connection a...

In Jenkins WSO2 Oauth Plugin 1.0 and earlier, authentication claims are accepted without validation by the "WSO2 Oauth" security realm, allowing unauthenticated attackers to log in to controllers using this security realm using any username and any password, including usernames that do not exist.

In Jenkins OpenID Connect Provider Plugin 96.vee8ed882ec4d and earlier the generation of build ID Tokens uses potentially overridden values of environment variables, in conjunction with certain other plugins allowing attackers able to configure jobs to craft a build ID Token that impersonates a trusted job, potentially gaining unauthorized access to external services.

A cross-site request forgery (CSRF) vulnerability in Jenkins Cadence vManager Plugin 4.0.1-286.v9e25a_740b_a_48 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified username and password.