#git

### Summary A Server-Side Request Forgery (SSRF) filter bypass vulnerability exists in the webhook URL validation of the Secret Requests feature. The application attempts to block internal/private IP addresses but can be bypassed using DNS rebinding (e.g., `localtest.me` which resolves to `127.0.0.1`) or open redirect services (e.g., `httpbin.org/redirect-to`). This allows an authenticated user to make the server initiate HTTP requests to internal network resources. ### Details The vulnerability exists in the `isPublicUrl` function located in `/api/lib/utils.ts`. The function validates webhook URLs against a blocklist of private IP patterns: ```typescript export const isPublicUrl = (url: string): boolean => { const parsed = new URL(url); const hostname = parsed.hostname.toLowerCase(); const blockedPatterns = [ /^localhost$/, /^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/, /^192\.168\.\d{1,3}\.\d{1,3}$/, // ... other patterns ]; return...

Check Point researchers found a phishing scam abusing Google Cloud to target organisations worldwide. Scammers use official domains to steal logins. Read the full details in this exclusive report.

KrebsOnSecurity.com celebrates its 16th anniversary today! A huge "thank you" to all of our readers -- newcomers, long-timers and drive-by critics alike. Your engagement this past year here has been tremendous and truly a salve on a handful of dark days. Happily, comeuppance was a strong theme running through our coverage in 2025, with a primary focus on entities that enabled complex and globally-dispersed cybercrime services.

Crypto phishing scams surged 83% in 2025, targeting wallets with fake sites, approval tricks, and poisoned addresses. One click can drain your funds.

Over 87,000 MongoDB instances are at risk from a critical memory leak called MongoBleed. Following the chaos at Ubisoft, see how this zero-password flaw works and how to protect your data.

### Summary An unsafe deserialization vulnerability allows an attacker to execute arbitrary code on the host when loading a malicious pickle payload from an untrusted source. ### Details The `numpy.f2py.crackfortran` module exposes many functions that call `eval` on arbitrary strings of values. This is the case for `getlincoef` and `_eval_length`. This list is probably not exhaustive. According to https://numpy.org/doc/stable/reference/security.html#advice-for-using-numpy-on-untrusted-data, the whole `numpy.f2py` should be considered unsafe when loading a pickle. ### PoC ```python from numpy.f2py.crackfortran import getlincoef class EvilClass: def __reduce__(self): payload = "__import__('os').system('echo \"successful attack\"')" return getlincoef, (payload, []) ``` ### Impact Who is impacted? Any organization or individual relying on `picklescan` to detect malicious pickle files from untrusted sources. What is the impact? Attackers can embed malicious code...

### Summary The vulnerability allows malicious actors to bypass PickleScan's unsafe globals check, leading to potential arbitrary code execution. The issue stems from the absence of the `pty` library (more specifically, of the `pty.spawn` function) from PickleScan's list of unsafe globals. This vulnerability allows attackers to disguise malicious pickle payloads within files that would otherwise be scanned for pickle-based threats. ### Details For 2025's [HeroCTF](https://heroctf.fr/), there was a challenge named Irreductible 2 where players would need to bypass the latest versions of PickleScan and [Fickling](https://github.com/trailofbits/fickling/) to gain code execution. The challenge [writeup](https://github.com/HeroCTF/HeroCTF_v7/blob/master/Misc/Irreductible-2/README.md), [files](https://github.com/HeroCTF/HeroCTF_v7/tree/master/Misc/Irreductible-2) and [solve script](https://github.com/HeroCTF/HeroCTF_v7/blob/master/Misc/Irreductible-2/solve.py) have all been released. The i...

### Summary Using pty.spawn, which is a built-in python library function to execute arbitrary commands on the host system. ### Details The attack payload executes in the following steps: First, the attacker craft the payload by calling to `pty.spawn` function in the `__reduce__` method. Then the victim attempts to use picklescan to scan the pickle file for issues and sees this - ``` ----------- SCAN SUMMARY ----------- Scanned files: 1 Infected files: 0 Dangerous globals: 0 ``` The victim proceeds to load the pickle file and execute attacker-injected arbitrary code. ### PoC ``` class PtyExploit: def __reduce__(self): return (pty.spawn, (["/bin/sh", "-c", "id; exit"],)) ``` ### Impact **Who is impacted?** Any organization or individual relying on picklescan to detect malicious pickle files inside PyTorch models. **What is the impact?** Attackers can embed malicious code in pickle file that remains undetected but executes when the pickle file is loaded. **Supply Chain Attack**: ...

### Summary Currently picklescanner only blocks some specific functions of the pydoc and operator modules. Attackers can use other functions within these allowed modules to go through undetected and achieve RCE on the final user. Particularly * pydoc.locate: Can dynamically resolve and import arbitrary modules (e.g., resolving the string "os" to the actual os module). * operator.methodcaller: Allows executing a method on an object. When combined with a resolved module object, it can execute functions like system. Since locate and methodcaller are not explicitly listed in the deny-list, picklescan treats them as "Safe" or "Suspicious" (depending on configuration) but does not flag them as "Dangerous", allowing the malicious file to bypass the security check. ### PoC use the provided script to create a malicious pickle file ```python import pickle import pydoc import operator import os class ModuleLocator: def __init__(self, module_name): self.module_name = module_name ...

### Summary Picklescan doesnt flag ctypes module as a dangerous module, which is a huge issue. ctypes is basically a foreign function interface library and can be used to * Load DLLs * Call C functions directly * Manipulate memory raw pointers. This can allow attackers to achieve RCE by invoking direct syscalls without going through blocked modules. Another major issue that ctypes being allowed presents is that it can be used down the line to dismantle interpreter based python sandboxes as ctypes allow direct access to raw memory. This is a more severe loophole than normal gadget chains and bypasses as raw memory access can be used for a lot of nefarious purposes down the line if left undetected ### PoC ```python import pickle import ctypes import operator class Kernel32Loader: def __reduce__(self): #we go direct to the kerneeellllllll return (ctypes.WinDLL, ("kernel32.dll",)) class WinExecGetter: def __reduce__(self): return (operator.itemgetter("W...