Security
Headlines
HeadlinesLatestCVEs

Tag

#git

GHSA-f83f-xpx7-ffpw: Fulcio allocates excessive memory during token parsing

Function [identity.extractIssuerURL](https://github.com/sigstore/fulcio/blob/main/pkg/identity/issuerpool.go#L44-L45) currently splits (via a call to [strings.Split](https://pkg.go.dev/strings#Split)) its argument (which is untrusted data) on periods. As a result, in the face of a malicious request with an (invalid) OIDC identity token in the payload containing many period characters, a call to `extractIssuerURL` incurs allocations to the tune of O(n) bytes (where n stands for the length of the function's argument), with a constant factor of about 16. Relevant weakness: [CWE-405: Asymmetric Resource Consumption (Amplification)](https://cwe.mitre.org/data/definitions/405.html) Details See [identity.extractIssuerURL](https://github.com/sigstore/fulcio/blob/main/pkg/identity/issuerpool.go#L44-L45) Impact Excessive memory allocation

ghsa
Open in Source
#vulnerability#git#auth
GHSA-mp85-7mrq-r866: Envoy crashes when JWT authentication is configured with the remote JWKS fetching

### Summary Envoy crashes when JWT authentication is configured with the remote JWKS fetching, `allow_missing_or_failed` is enabled, multiple JWT tokens are present in the request headers and the JWKS fetch fails. ### Details This is caused by a re-entry bug in the `JwksFetcherImpl`. When the first token's JWKS fetch fails, `onJwksError()` callback triggers processing of the second token, which calls fetch() again on the same fetcher object. The original callback's reset() then clears the second fetch's state (`receiver_ and request_`) which causes a crash when the async HTTP response arrives. ### PoC * `allow_missing_or_failed` or `allow_missing` is enabled * The client send 2 Authorization headers * the remote JWKS fetching failed * There will be crash ### Impact DoS and Crash ### Mitigation * Disable the `allow_missing_or_failed` or `allow_missing`

Zero-Click Agentic Browser Attack Can Delete Entire Google Drive Using Crafted Emails

A new agentic browser attack targeting Perplexity's Comet browser that's capable of turning a seemingly innocuous email into a destructive action that wipes a user's entire Google Drive contents, findings from Straiker STAR Labs show. The zero-click Google Drive Wiper technique hinges on connecting the browser to services like Gmail and Google Drive to automate routine tasks by granting them

PromptPwnd Vulnerability Exposes AI driven build systems to Data Theft

Aikido Security exposes a new AI prompt injection flaw in GitHub/GitLab pipelines, letting attackers steal secrets. Major companies affected.

CISA Reports PRC Hackers Using BRICKSTORM for Long-Term Access in U.S. Systems

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday released details of a backdoor named BRICKSTORM that has been put to use by state-sponsored threat actors from the People's Republic of China (PRC) to maintain long-term persistence on compromised systems. "BRICKSTORM is a sophisticated backdoor for VMware vSphere and Windows environments," the agency said. "

SMS Phishers Pivot to Points, Taxes, Fake Retailers

China-based phishing groups blamed for non-stop scam SMS messages about a supposed wayward package or unpaid toll fee are promoting a new offering, just in time for the holiday shopping season: Phishing kits for mass-creating fake but convincing e-commerce websites that convert customer payment card data into mobile wallets from Apple and Google. Experts say these same phishing groups also are now using SMS lures that promise unclaimed tax refunds and mobile rewards points.

GHSA-8wvc-869r-xfqf: Open WebUI Vulnerable to Stored DOM XSS via Note 'Download PDF'

## Summary A **Stored XSS vulnerability** has been discovered in Open-WebUI's Notes PDF download functionality. An attacker can import a Markdown file containing malicious SVG tags into Notes, allowing them to **execute arbitrary JavaScript code** and **steal session tokens** when a victim downloads the note as PDF. This vulnerability can be exploited by **any authenticated user**, and unauthenticated external attackers can steal session tokens from users (both admin and regular users) by sharing specially crafted markdown files. ## Details ### Vulnerability Location **File:** `src/lib/components/notes/utils.ts` **Function:** `downloadPdf()` **Vulnerable Code (Line 35):** ```typescript const contentNode = document.createElement('div'); contentNode.innerHTML = html; // Direct assignment without DOMPurify sanitization node.appendChild(contentNode); document.body.appendChild(node); ``` ### Root Cause 1. **Incomplete TipTap Editor Configuration** - Open-WebUI only uses ...

GHSA-4f99-4q7p-p3gh: Logrus is vulnerable to DoS when using Entry.Writer()

A denial-of-service vulnerability exists in github.com/sirupsen/logrus when using Entry.Writer() to log a single-line payload larger than 64KB without newline characters. Due to limitations in the internal bufio.Scanner, the read fails with "token too long" and the writer pipe is closed, leaving Writer() unusable and causing application unavailability (DoS). This affects versions < 1.8.3, 1.9.0, and 1.9.2. The issue is fixed in 1.8.3, 1.9.1, and 1.9.3+, where the input is chunked and the writer continues to function even if an error is logged.