#git

Cybercrime has stopped being a problem of just the internet — it’s becoming a problem of the real world. Online scams now fund organized crime, hackers rent violence like a service, and even trusted apps or social platforms are turning into attack vectors. The result is a global system where every digital weakness can be turned into physical harm, economic loss, or political

Rob Leathern and Rob Goldman, who both worked at Meta, are launching a new nonprofit that aims to bring transparency to an increasingly opaque, scam-filled social media ecosystem.

This blog demonstrates a proof of concept using LangChain and OpenAI, integrated with Cisco Umbrella API, to provide AI agents with real-time threat intelligence for evaluating domain dispositions.

New data shows hackers targeted UK water systems five times since 2024, raising concerns about critical infrastructure defenses worldwide.

For the past week, domains associated with the massive Aisuru botnet have repeatedly usurped Amazon, Apple, Google and Microsoft in Cloudflare's public ranking of the most frequently requested websites. Cloudflare responded by redacting Aisuru domain names from their top websites list. The chief executive at Cloudflare says Aisuru's overlords are using the botnet to boost their malicious domain rankings, while simultaneously attacking the company's domain name system (DNS) service.

# Summary Prior to `langgraph-checkpoint` version `3.0` , LangGraph’s `JsonPlusSerializer` (used as the default serialization protocol for all checkpointing) contains a remote code execution (RCE) vulnerability when deserializing payloads saved in the `"json"` serialization mode. If an attacker can cause your application to persist a payload serialized in this mode, they may be able to also send malicious content that executes arbitrary Python code during deserialization. Upgrading to version langgraph-checkpoint `3.0` patches this vulnerability by preventing deserialization of custom objects saved in this mode. If you are deploying in `langgraph-api`, any version `0.5` or later is also free of this vulnerability. # Details **Affected file / component** [jsonplus.py](https://github.com/langchain-ai/langgraph/blob/c5744f583b11745cd406f3059903e17bbcdcc8ac/libs/checkpoint/langgraph/checkpoint/serde/jsonplus.py) By default, the serializer attempts to use `"msgpack"` for serializat...

### Impact A Server-Side Request Forgery (SSRF) vulnerability in the file upload functionality when trying to upload a `Parse.File` with `uri` parameter allows to execute an arbitrary URI. The vulnerability stems from a file upload feature in which Parse Server retrieves the file data from a URI that is provided in the request. A request to the provided URI is executed, but the response is not stored in Parse Server's file storage as the server crashes upon receiving the response. ### Patches The feature has been implemented in Parse Server 4.2.0 but never worked and reliably crashes the server when trying to use it due to a bug in its implementation. Since the feature is not currently working, and due to its risky nature, it has been removed to address the vulnerability. ### Workarounds None.

### Summary ZITADEL's Organization V2Beta API contains Insecure Direct Object Reference (IDOR) vulnerabilities that allow authenticated users with specific **administrator** roles within one organization to access and modify data belonging to **other** organizations. ### Impact ZITADEL's Organization V2Beta API, intended for managing ZITADEL organizations, contains multiple endpoints that fail to properly authorize authenticated users. An attacker with an administrator role for a specific organization could exploit this to bypass access controls and perform unauthorized actions on other organizations within the same ZITADEL instance. This could allow an attacker to: - **Read** organization data, including the name, domains and metadata. - **Manipulate** (modify) the corresponding organization data. - **Delete** the corresponding data, up to and including the entire organization. Note that this vulnerability is limited to organization-level data (name, domains, metadata). **No oth...

### Summary Weblate leaks the IP address of the project member inviting the user to the project in the audit log. ### Details The audit log included IP addresses from admin-triggered actions, and those could be viewed by invited users. ### Impact The inviting user's (admin's) IP address could be leaked to invited users.

### Impact ### youki’s apparmor handling performs insufficiently strict write-target validation, which—combined with path substitution during pathname resolution—can allow writes to unintended procfs locations. **Weak write-target check** youki only verifies that the destination lies somewhere under procfs. As a result, a write intended for `/proc/self/attr/apparmor/exec` can succeed even if the path has been redirected to `/proc/sys/kernel/hostname`(which is also in procfs). **Path substitution** While resolving a path component-by-component, a shared-mount race can substitute intermediate components and redirect the final target. This is a different project, but the core logic is similar to the CVE in runc. Issues were identified in runc, and verification was also conducted in youki to confirm the problems. https://github.com/opencontainers/runc/security/advisories/GHSA-cgrx-mc8f-2prm ### Credits ### Thanks to Li Fubang (@lifubang from acmcoder.com, CIIC) and Tõnis Tiigi (@toni...