Tag
#git
About Remote Code Execution – Roundcube (CVE-2025-49113) vulnerability. Roundcube is a popular open-source webmail client (IMAP). An authenticated attacker can exploit this vulnerability to execute arbitrary code on the Roundcube Webmail server. The issue is caused by the Deserialization of Untrusted Data (CWE-502). 🔹 On June 1, the vendor released patched versions 1.6.11 and 1.5.10. […]
Trellix exposes SquidLoader malware targeting Hong Kong, Singapore, and Australia's financial service institutions. Learn about its advanced evasion tactics and stealthy attacks.
CloudSEK’s new report uncovers how Chinese cyber syndicates are laundering over $600 million annually in India. Learn about…
Cybersecurity researchers have alerted to a supply chain attack that has targeted popular npm packages via a phishing campaign designed to steal the project maintainers' npm tokens. The captured tokens were then used to publish malicious versions of the packages directly to the registry without any source code commits or pull requests on their respective GitHub repositories. The list of affected
eslint-config-prettier 8.10.1, 9.1.1, 10.1.6, and 10.1.7 has embedded malicious code for a supply chain compromise. Installing an affected package executes an install.js file that launches the node-gyp.dll malware on Windows.
Of those, more than 200 appear to have had outages of services related to patient care following CrowdStrike’s disastrous crash, researchers have revealed.
Plus: Secret IRS data-sharing with ICE, a 20-year-old hackable vulnerability in train brakes, and more.
### Summary

The `ConfigCommentParser#parseJSONLikeConfig` API is vulnerable to a Regular Expression Denial of Service (ReDoS) attack in its only argument.

### Details

The regular expression at [packages/plugin-kit/src/config-comment-parser.js:158](https://github.com/eslint/rewrite/blob/bd4bf23c59f0e4886df671cdebd5abaeb1e0d916/packages/plugin-kit/src/config-comment-parser.js#L158) is vulnerable to a quadratic runtime attack because the grouped expression is not anchored. This can be solved by prepending the regular expression with `[^-a-zA-Z0-9/]`.

### PoC

```javascript
const { ConfigCommentParser } = require("@eslint/plugin-kit");
const str = `${"A".repeat(1000000)}?: 1 B: 2`;
console.log("start")
var parser = new ConfigCommentParser();
console.log(parser.parseJSONLikeConfig(str));
console.log("end")

// run `npm i @eslint/plugin-kit@0.3.3` and `node attack.js`
// then the program will be stuck forever with high CPU usage
```

### Impact

This is a Regular Expression Denial of Serv...
It was discovered that the SBOM files generated by melange in apks had file system permissions mode 666:

```
$ apkrane ls https://packages.wolfi.dev/os/x86_64/APKINDEX.tar.gz -P hello-wolfi --full --latest | xargs wget -q -O - | tar tzv 2>/dev/null var/lib/db/sbom
drwxr-xr-x root/root         0 2025-06-23 14:17 var/lib/db/sbom
-rw-rw-rw- root/root      3383 2025-06-23 14:17 var/lib/db/sbom/hello-wolfi-2.12.2-r1.spdx.json
```

This issue was introduced in commit 1b272db ("Persist workspace filesystem throughout package builds (#1836)") ([v0.23.0](https://github.com/chainguard-dev/melange/releases/tag/v0.23.0)).

### Impact

This potentially allows an unprivileged user to tamper with apk SBOMs on a running image, potentially confusing security scanners. An attacker could also perform a DoS under special circumstances.

### Patches

This issue was addressed in melange in e29494b ("fix: tighten up permissions for written SBOM files and signature tarballs (#2086)") ([v0.29.5](https://github...
It was discovered that the ld.so.cache in images generated by apko had file system permissions mode `0666`:

```
bash-5.3# find / -type f -perm -o+w
/etc/ld.so.cache
```

This issue was introduced in commit [04f37e2 ("generate /etc/ld.so.cache (#1629)")](https://github.com/chainguard-dev/apko/commit/04f37e2d50d5a502e155788561fb7d40de705bd9) ([v0.27.0](https://github.com/chainguard-dev/apko/releases/tag/v0.27.0)).

### Impact

This potentially allows a local unprivileged user to add additional directories including dynamic libraries to the dynamic loader path. A user could exploit this by placing a malicious library in a directory they control.

### Patches

This issue was addressed in apko in [aedb077 ("fix: /etc/ld.so.cache file permissions (#1758)")](https://github.com/chainguard-dev/apko/commit/aedb0772d6bf6e74d8f17690946dbc791d0f6af3) ([v0.29.5](https://github.com/chainguard-dev/apko/releases/tag/v0.29.5)).

### Acknowledgements

Many thanks to Cody Harris from [H2O.ai](htt...