GHSA-fj2x-735w-74vq: gnark-crypto allows unchecked memory allocation during vector deserialization

The issue has been reported by @raefko from @fuzzinglabs. Excerpts from the report:

> A critical vulnerability exists in the gnark-crypto library's `Vector.ReadFrom()` function that allows an attacker to trigger arbitrary memory allocation by crafting malicious input data. An attacker can cause the verifier to attempt allocating up to 128 GB of memory with a minimal malicious input, leading to out-of-memory crashes and denial of service.
>
> ### **Root Cause**
>
> The vulnerability stems from **unchecked deserialization** of attacker-controlled length fields in the gnark-crypto library's `Vector.ReadFrom()` function. The function reads a 4-byte unsigned integer from untrusted input and directly uses it to allocate memory without any validation or bounds checking.
>
> ### **Vulnerable Code Path**
>
> ```
> User Input (Malicious Proof/Data)
> ↓
> gnark Proof/Data Deserialization
> ↓
> Vector.ReadFrom() (ecc/bn254/fr/vector.go:136-144)
> → sliceLen := binary.BigEnd...
> ```

GHSA-xgp7-7qjq-vg47: n8n Vulnerable to Remote Code Execution via Git Node Pre-Commit Hook

### Impact

A remote code execution vulnerability exists in the Git Node component available in both Cloud and Self-Hosted versions of n8n. When a malicious actor clones a remote repository containing a pre-commit hook, the subsequent use of the Commit operation in the Git Node can inadvertently trigger the hook's execution. This allows attackers to execute arbitrary code within the n8n environment, potentially compromising the system and any connected credentials or workflows. All users with workflows that utilize the Git Node to clone untrusted repositories are affected.

### Patches

The vulnerability was addressed in v1.113.0 (n8n-io/n8n#19559), which introduces a new environment variable: `N8N_GIT_NODE_DISABLE_BARE_REPOS`. For self-hosted deployments, it is strongly recommended to set this variable to `true` to mitigate the risk of executing malicious Git hooks.

### Workarounds

To reduce risk prior to upgrading:

- Avoid cloning or interacting with untrusted repositories using th...

Google's Built-In AI Defenses on Android Now Block 10 Billion Scam Messages a Month

Google on Thursday revealed that the scam defenses built into Android safeguard users around the world from more than 10 billion suspected malicious calls and messages every month. The tech giant also said it has blocked over 100 million suspicious numbers from using Rich Communication Services (RCS), an evolution of the SMS protocol, thereby preventing scams before they could even be sent. In

Russian Ransomware Gangs Weaponize Open-Source AdaptixC2 for Advanced Attacks

The open-source command-and-control (C2) framework known as AdaptixC2 is being used by a growing number of threat actors, some of whom are related to Russian ransomware gangs. AdaptixC2 is an emerging extensible post-exploitation and adversarial emulation framework designed for penetration testing. While the server component is written in Golang, the GUI Client is written in C++ QT for

How scammers use your data to create personalized tricks that work

Attackers don’t need to hack you to find you. They just piece together what’s already public.

Ransomware gang claims Conduent breach: what you should watch for next

A reminder that one supplier’s breach can ripple far, fueling phishing and ID theft long after the news fades.

Fake PayPal invoice from Geek Squad is a tech support scam

Tina Pal wants a word about your PayPal account—but it's a scam. Here’s how to spot the red flags and what to do if you’ve already called.

GHSA-gp5f-cx7h-8q6f: Apache Airflow's create action can upsert existing Pools/Connections/Variables

User with CREATE and no UPDATE privilege for Pools, Connections, Variables could update existing records via bulk create API with overwrite action.

GHSA-273c-4g26-4jpm: Apache Airflow `/api/v2/dagReports` executes DAG Python in API

API users via `/api/v2/dagReports` could perform Dag code execution in the context of the api-server if the api-server was deployed in the environment where Dag files were available.

Russian Hackers Exploit Adaptix Pentesting Tool in Ransomware Attacks

Silent Push warns of Russian hackers exploiting Adaptix, a pentesting tool built for Windows, Linux, and macOS, in ransomware campaigns.