#auth

# Summary Affected versions of Better Auth allow an external request to configure `baseURL` when it isn’t defined through any other means. This can be abused to poison the router’s base path, causing all routes to return 404 for all users. This issue is only exploitable when `baseURL` is not explicitly configured (e.g., `BETTER_AUTH_URL` is missing) *and* the attacker is able to make the very first request to the server after startup. In properly configured environments or typical managed hosting platforms, this fallback behavior cannot be reached. # Details A combination of `X-Forwarded-Host` and `X-Forwarded-Proto` is implicitly trusted. This allows the first request to configure baseURL whenever it is not explicitly configured. Here's the code that reads the headers: <img width="631" height="219" alt="headers" src="https://github.com/user-attachments/assets/b3fb0078-a62f-4058-9d0b-4afbd30c4953" /> Here's the call to `getBaseURL()`, the result is assigned to `ctx.baseURL`. <i...

### Summary A DoS can occur that immediately halts the system due to the use of an unsafe function. ### Details According to **RFC 5322**, nested group structures (a group inside another group) are not allowed. Therefore, in lib/addressparser/index.js, the email address parser performs flattening when nested groups appear, since such input is likely to be abnormal. (If the address is valid, it is added as-is.) In other words, the parser flattens all nested groups and inserts them into the final group list. However, the code implemented for this flattening process can be exploited by malicious input and triggers DoS RFC 5322 uses a colon (:) to define a group, and commas (,) are used to separate members within a group. At the following location in lib/addressparser/index.js: https://github.com/nodemailer/nodemailer/blob/master/lib/addressparser/index.js#L90 there is code that performs this flattening. The issue occurs when the email address parser attempts to process the following k...

New York, New York, 1st December 2025, CyberNewsWire

### Summary XSS vulnerability in OAuth callback server allows JavaScript injection through unsanitized error parameter. Attackers can execute arbitrary JavaScript in the user's browser during OAuth authentication. ### Details **Vulnerable Code:** `spotipy/oauth2.py` lines 1238-1274 (RequestHandler.do_GET) **The Problem:** During OAuth flow, spotipy starts a local HTTP server to receive callbacks. The server reflects the `error` URL parameter directly into HTML without sanitization. **Vulnerable code at line 1255:** ```python status = f"failed ({self.server.error})" ``` **Then embedded in HTML at line 1265:** ```python self._write(f"""<html> <body> <h1>Authentication status: {status}</h1> </body> </html>""") ``` The `error` parameter comes from URL parsing (lines 388-393) without HTML escaping, allowing script injection. **Attack Flow:** 1. User starts OAuth authentication → local server runs on `http://127.0.0.1:8080` 2. Attacker crafts malicious URL: `http://127.0.0.1:8080/?err...

### Impact `CiliumNetworkPolicy`s which use `egress.toGroups.aws.securityGroupsIds` to reference AWS security group IDs that do not exist or are not attached to any network interface may unintentionally allow broader outbound access than intended by the policy authors. In such cases, the toCIDRset section of the derived policy is not generated, which means outbound traffic may be permitted to more destinations than originally intended. ### Patches This issue has been patched in: * Cilium v1.18.4 * Cilium v1.17.10 * Cilium v1.16.17 ### This issue affects: - Cilium v1.18 between v1.18.0 and v1.18.3 inclusive - Cilium v1.17 between v1.17.0 and v1.17.9 inclusive - Cilium v1.16.16 and below ### Workarounds There is no workaround to this issue. ### Acknowledgements The Cilium community has worked together with members of Isovalent to prepare these mitigations. Special thanks to @SeanEmac for reporting this issue and to @fristonio for the patch. ### For more information If you t...

### Impact In an instance which is using the XWiki Jetty package (XJetty), a context is exposed to statically access any file located in the webapp/ folder. It allows accessing files which might contains credentials, like http://myhots/webapps/xwiki/WEB-INF/xwiki.cfg, http://myhots/webapps/xwiki/WEB-INF/xwiki.properties or http://myhots/webapps/xwiki/WEB-INF/hibernate.cfg.xml. ### Patches This has been patched in 16.10.11, 17.4.4, 17.7.0. ### Workarounds The workaround is to modify the start_xwiki.sh script following https://github.com/xwiki/xwiki-platform/compare/8b68d8a70b43f25391b3ee48477d7eb71b95cf4b...99a04a0e2143583f5154a43e02174155da7e8e10. ### For more information If you have any questions or comments about this advisory: * Open an issue in [Jira XWiki.org](https://jira.xwiki.org/) * Email us at [Security Mailing List](mailto:security@xwiki.org) ### Attribution Vulnerability reported by Joseph Huber.

Coupang confirms a data breach affecting 33.7 million users in South Korea, exposing names, contacts and order details. Investigation is ongoing.

India's telecommunications ministry has reportedly asked major mobile device manufacturers to preload a government-backed cybersecurity app named Sanchar Saathi on all new phones within 90 days. According to a report from Reuters, the app cannot be deleted or disabled from users' devices. Sanchar Saathi, available on the web and via mobile apps for Android and iOS, allows users to report

Swiss and German police shut down Cryptomixer, seizing servers, domains and 28M dollars in Bitcoin during an Europol backed action targeting crypto laundering.

Albiriox now targets over 400 financial apps and lets criminals operate your phone almost exactly as if it were in their hands.