#git

### Impact Users who: 1. Use the exclusion operator somewhere in their authorization schema. 1. Have configured their SpiceDB server such that `--write-relationships-max-updates-per-call` is bigger than 6500. 1. Issue calls to WriteRelationships with a large enough number of updates that cause the payload to be bigger than what their datastore allows. Users will: 1. Receive a successful response from their `WriteRelationships` call, when in reality that call failed. 2. Receive incorrect permission check results, if those relationships had to be read to resolve the relation involving the exclusion. ### Patches Upgrade to v.145.2. ### Workarounds Set `--write-relationships-max-updates-per-call` to `1000`.

## Summary In impacted versions of Astro using [on-demand rendering](https://docs.astro.build/en/guides/on-demand-rendering/), request headers `x-forwarded-proto` and `x-forwarded-port` are insecurely used, without sanitization, to build the URL. This has several consequences the most important of which are: - Middleware-based protected route bypass (only via `x-forwarded-proto`) - DoS via cache poisoning (if a CDN is present) - SSRF (only via `x-forwarded-proto`) - URL pollution (potential SXSS, if a CDN is present) - WAF bypass ## Details The `x-forwarded-proto` and `x-forwarded-port` headers are used without sanitization in two parts of the Astro server code. The most important is in the `createRequest()` function. Any configuration, including the default one, is affected: [https://github.com/withastro/astro/blob/970ac0f51172e1e6bff4440516a851e725ac3097/packages/astro/src/core/app/node.ts#L97](https://github.com/withastro/astro/blob/970ac0f51172e1e6bff4440516a851e725ac3097/pa...

## Summary A Reflected Cross-Site Scripting (XSS) vulnerability exists in Astro's development server error pages when the `trailingSlash` configuration option is used. An attacker can inject arbitrary JavaScript code that executes in the victim's browser context by crafting a malicious URL. While this vulnerability only affects the development server and not production builds, it could be exploited to compromise developer environments through social engineering or malicious links. ## Details ### Vulnerability Location https://github.com/withastro/astro/blob/5bc37fd5cade62f753aef66efdf40f982379029a/packages/astro/src/template/4xx.ts#L133-L149 ### Root Cause The vulnerability was introduced in commit `536175528` (PR #12994) , as part of a feature to "redirect trailing slashes on on-demand rendered pages." The feature added a helpful 404 error page in development mode to alert developers of trailing slash mismatches. **Issue**: The `corrected` variable, which is derived from the us...

### Summary It has been found an Insecure Direct Object Reference (IDOR) vulnerability in the FileBrowser application's share deletion functionality. This vulnerability allows any authenticated user with share permissions to delete other users' shared links without authorization checks. The impact is significant as malicious actors can disrupt business operations by systematically removing shared files and links. This leads to denial of service for legitimate users, potential data loss in collaborative environments, and breach of data confidentiality agreements. In organizational settings, this could affect critical file sharing for projects, presentations, or document collaboration. ### Details **Technical Analysis** The vulnerability exists in` /http/share.go` at lines 72-82. The shareDeleteHandler function processes deletion requests using only the share hash without comparing the link.UserID with the current authenticated user's ID (d.user.ID). This missing authorization check e...

## Impact Applications meeting 2 conditions are at risk of arbitrary JavaScript code execution, even if "safe mode" [expressionInterpreter](https://vega.github.io/vega/usage/interpreter/) is used. 1. Use `vega` in an application that attaches `vega` library and a `vega.View` instance similar to the Vega [Editor](https://github.com/vega/editor) to the global `window` 2. Allow user-defined Vega `JSON` definitions (vs JSON that was is only provided through source code) ## Patches - If using latest Vega line (6.x) - `vega` `6.2.0` / `vega-expression` `6.1.0` / `vega-interpreter` `2.2.1` (if using AST evaluator mode) - If using Vega in a non-ESM environment - ( `vega-expression` `5.2.1` / `1.2.1` (if using AST evaluator mode) ## Workarounds _Is there a way for users to fix or remediate the vulnerability without upgrading_ - Do not attach `vega` View instances to global variables, as Vega editor used to do [here](https://github.com/vega/editor/blob/e102355589d23cdd0dbfd607a2cc5...

### Description of Vulnerability: An issue in AWS Wrappers for Amazon Aurora PostgreSQL may allow for privilege escalation to rds_superuser role. A low privilege authenticated user can create a crafted function that could be executed with permissions of other Amazon Relational Database Service (RDS) users. AWS recommends customers upgrade to the following versions: AWS Go Wrapper to 2025-10-17. ### Source of Vulnerability Report: Allistair Ishmael Hakim [allistair.hakim@gmail.com](mailto:allistair.hakim@gmail.com) ### Affected products & versions: AWS Go Wrapper < 2025-10-17. ### Platforms: MacOS/Windows/Linux

Internet-facing assets like domains, servers, or networked device endpoints are where attackers look first, probing their target’s infrastructure…

A Russian-speaking threat behind an ongoing, mass phishing campaign has registered more than 4,300 domain names since the start of the year. The activity, per Netcraft security researcher Andrew Brandt, is designed to target customers of the hospitality industry, specifically hotel guests who may have travel reservations with spam emails. The campaign is said to have begun in earnest around

In this week’s newsletter, Amy recounts her journey from Halloween festivities to unraveling the story of the 2022 Viasat satellite hack, with plenty of cybersecurity surprises along the way.

Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11 fail to properly validate team membership permissions in the Add Channel Member API, which allows users from one team to access user metadata and channel membership information from other teams via the API endpoint.