Security Headlines

Tag: #git

GHSA-j76j-5p5g-9wfr: @vitejs/plugin-rsc Remote Code Execution through unsafe dynamic imports in RSC server function APIs on development server

## Summary

Arbitrary remote code execution on the development server via unsafe dynamic imports in the `@vitejs/plugin-rsc` server function APIs (`loadServerAction`, `decodeReply`, `decodeAction`) when they are integrated into RSC applications that expose server function endpoints.

## Impact

Attackers with network access to the development server can execute arbitrary JavaScript code with Node.js privileges, allowing them to read or modify files, exfiltrate sensitive data (source code, environment variables, credentials), or pivot to other internal services. While this affects development servers only, the risk increases when `vite --host` is used to expose the server on all network interfaces.

## Details

In the example RSC application provided in the Proof of Concept, the server handles server function calls through APIs such as `loadServerAction`, `decodeReply` and `decodeAction`, with the HTTP request's headers and body as inputs: https://github.com/vitejs/vite-plugin-react/blob/c8af971f57f12d0190d7fd8829a429f5e...

GHSA-jj6p-3m75-g2p3: matrix-sdk-base denial of service via custom m.room.join_rules event values

The matrix-sdk-base crate is unable to handle responses that include custom m.room.join_rules values due to a serialization bug. This can be exploited to cause a denial-of-service condition: if a user is invited to a room with non-standard join rules, the crate's sync process will stall, preventing further processing for all rooms.

### Patches

The issue is fixed in matrix-sdk-base 0.16.0.

### Workarounds

Users can leave affected rooms on another client to mitigate the issue.

### References

The issue was fixed in https://github.com/matrix-org/matrix-rust-sdk/pull/5924.

GHSA-x4h9-gwv3-r4m4: Ruby-saml allows a Libxml2 Canonicalization error to bypass Digest/Signature validation

### Summary

In Ruby-saml up to and including 1.12.4, there is an authentication bypass vulnerability caused by an issue in the libxml2 canonicalization process that Nokogiri uses for document transformation. This allows an attacker to execute a Signature Wrapping attack. The vulnerability does not affect version 1.18.0.

### Details

When libxml2's canonicalization is invoked on an invalid XML input, it may return an empty string rather than a canonicalized node. ruby-saml then proceeds to compute the DigestValue over this empty string, treating it as if canonicalization had succeeded.

### Impact

1. Digest bypass: by crafting input that causes canonicalization to yield an empty string, the attacker can manipulate validation so that it passes incorrectly.
2. Signature replay on empty canonical form: if an empty string has been signed once (e.g., in a prior interaction or via a misconfigured flow), that signature can potentially be replayed to bypass authentication.

GHSA-9v8j-x534-2fx3: Ruby-saml has a SAML authentication bypass due to namespace handling (parser differential)

### Summary

In Ruby-saml up to and including 1.12.4, there is an authentication bypass vulnerability caused by an incomplete fix for CVE-2025-25292. ReXML and Nokogiri parse XML differently, so the two parsers can generate entirely different document structures from the same XML input. This allows an attacker to execute a Signature Wrapping attack. The vulnerability does not affect version 1.18.0.

### Impact

This allows an attacker to execute a Signature Wrapping attack and bypass authentication.

GHSA-wpqc-h9wp-chmq: n8n vulnerable to Remote Code Execution via Git Node Custom Pre-Commit Hook

### Impact

The n8n Git node allows workflows to set arbitrary Git configuration values through the _Add Config_ operation. When an attacker-controlled workflow sets `core.hooksPath` to a directory within the cloned repository containing a Git hook such as `pre-commit`, Git executes that hook during subsequent Git operations. Because Git hooks run as local system commands, this behavior can lead to **arbitrary command execution** on the underlying n8n host.

Successful exploitation requires the ability to create or modify an n8n workflow that uses the Git node.

Affected versions: **≥ 0.123.1 and < 1.119.2**

### Patches

This issue has been patched in **n8n version 1.119.2**. All users running affected versions should upgrade to **1.119.2 or later**.

### Workarounds

If upgrading is not immediately possible, the following mitigations can reduce exposure:

- Exclude the Git node ([Docs](https://n8n-docs.teamlab.info/hosting/securing/blocking-nodes/#exclude-nodes)).
- Avoid cloning or...

ChrimeraWire Trojan Fakes Chrome Activity to Manipulate Search Rankings

ChrimeraWire is a new Windows trojan that automates web browsing through Chrome to simulate user activity and manipulate search engine rankings.

GHSA-c4cc-x928-vjw9: robrichards/xmlseclibs has a Libxml2 Canonicalization error which can bypass Digest/Signature validation

### Summary

An authentication bypass vulnerability exists due to a flaw in the libxml2 canonicalization process, which is used by [xmlseclibs](https://github.com/robrichards/xmlseclibs) during document transformation. This weakness allows an attacker to generate a valid signature once and reuse it indefinitely. In practice, a signature created during a previous interaction, or through a misconfigured authentication flow, can be replayed to bypass authentication checks.

### Details

When libxml2's canonicalization is invoked on an invalid XML input, it may return an empty string rather than a canonicalized node. [xmlseclibs](https://github.com/robrichards/xmlseclibs) then proceeds to compute the DigestValue over this empty string, treating it as if canonicalization had succeeded.

https://github.com/robrichards/xmlseclibs/blob/f4131320c6dcd460f1b0c67f16f8bf24ce4b5c3e/src/XMLSecurityDSig.php#L296

### Impact

Digest bypass: By crafting input that causes canonicalization to yield an empty st...

GHSA-m98w-cqp3-qcqr: Fiber Utils UUIDv4 and UUID Silent Fallback to Predictable Values

## Summary

Critical security vulnerabilities exist in both the `UUIDv4()` and `UUID()` functions of the `github.com/gofiber/utils` package. When the system's cryptographic random number generator (`crypto/rand`) fails, both functions silently fall back to returning predictable UUID values, including the zero UUID `"00000000-0000-0000-0000-000000000000"`. This compromises the security of all Fiber applications using these functions for security-critical operations.

**Both functions are vulnerable to the same root cause (`crypto/rand` failure):**

- `UUIDv4()`: Indirect vulnerability through `uuid.NewRandom()` → `crypto/rand.Read()` → fallback to `UUID()`
- `UUID()`: Direct vulnerability through `crypto/rand.Read(uuidSeed[:])` → silent zero UUID return

## Vulnerability Details

### Affected Functions

- **Package**: `github.com/gofiber/utils`
- **Functions**: `UUIDv4()` and `UUID()`
- **Return Type**: `string` (both functions)
- **Locations**: `common.go:93-99` (UUIDv4), `common.go:60-8...

GHSA-7cqv-qcq2-r765: 1Panel IP Access Control Bypass via Untrusted X-Forwarded-For Headers

### Summary

The server trusts all reverse-proxy headers by default, so any remote client can spoof `X-Forwarded-For` to bypass IP-based protections (AllowIPs, API IP whitelist, "localhost-only" checks). All IP-based access control becomes ineffective.

### Details

- Gin is created with defaults (`gin.Default()`), which sets `TrustedProxies = 0.0.0.0/0` and uses `X-Forwarded-For`/`X-Real-IP` to compute `ClientIP()`.
- IP-based controls rely on `ClientIP()`:
  - AllowIPs / BindDomain (core/middleware/ip_limit.go, core/utils/security/security.go).
  - API IP whitelist (core/middleware/api_auth.go).
  - "localhost-only" checks that depend on `ClientIP()`.
- Because no trusted-proxy range is enforced, any client can send `X-Forwarded-For: 127.0.0.1` (or a whitelisted IP) and be treated as coming from that address.

### Impact

All IP-based access control is rendered ineffective: remote clients can masquerade as localhost or any whitelisted IP, defeating AllowIPs, API IP whitelists, a...

GHSA-7vww-mvcr-x6vj: Traefik Inverted TLS Verification Logic in ingress-nginx Provider

## Impact

There is a potential vulnerability in the Traefik NGINX provider's handling of the `nginx.ingress.kubernetes.io/proxy-ssl-verify` annotation. The provider inverts the semantics of the `nginx.ingress.kubernetes.io/proxy-ssl-verify` annotation. Setting the annotation to `"on"` (intending to enable backend TLS certificate verification) actually disables verification, allowing man-in-the-middle attacks against HTTPS backends when operators believe they are protected.

## Patches

- https://github.com/traefik/traefik/releases/tag/v3.6.3

## For more information

If you have any questions or comments about this advisory, please [open an issue](https://github.com/traefik/traefik/issues).

<details>
<summary>Original Description</summary>

### Summary

A logic error in Traefik's experimental ingress-nginx provider inverts the semantics of the `nginx.ingress.kubernetes.io/proxy-ssl-verify` annotation. Setting the annotation to `"on"` (intending to enable backend TLS certificate verification)...