
Tag

#git

Gcore Radar Report Reveals 41% Surge in DDoS Attack Volumes

Luxembourg, Luxembourg, 25th September 2025, CyberNewsWire

HackRead
#vulnerability #web #ddos #git
GHSA-8mjq-32x3-22qf: Duplicate Advisory: Malicious versions of Nx were published

## Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-cxm3-wv7p-598c. This link is maintained to preserve external references.

## Original Description

Malicious code was inserted into the Nx (build system) package and several related plugins. The tampered package was published to the npm software registry via a supply-chain attack. Affected versions contain code that scans the file system, collects credentials, and posts them to GitHub as a repository under the user's own account.

GHSA-xph5-278p-26qx: lobe-chat has an Open Redirect

### Description

---

> Vulnerability Overview
>
> The project's OIDC redirect handling logic constructs the host and protocol of the final redirect URL based on the X-Forwarded-Host or Host headers and the X-Forwarded-Proto value. In deployments where a reverse proxy forwards client-supplied X-Forwarded-* headers to the origin as-is, or where the origin trusts them without validation, an attacker can inject an arbitrary host and trigger an open redirect that sends users to a malicious domain.
>
> Vulnerable Code Analysis
>
> ```javascript
> const internalRedirectUrlString = await oidcService.getInteractionResult(uid, result);
> log('OIDC Provider internal redirect URL string: %s', internalRedirectUrlString);
> let finalRedirectUrl;
> try {
>   finalRedirectUrl = correctOIDCUrl(request, new URL(internalRedirectUrlString));
> } catch {
>   finalRedirectUrl = new URL(internalRedirectUrlString);
>   log('Warning: Could not parse redirect URL, using as-is: %s', internalRedirectUrlString);
> }
> return NextResp...
> ```

GHSA-4j5h-mvj3-m48v: Star Citizen EmbedVideo Extension Stored XSS through wikitext caused by usage of non-reserved data attributes

### Summary

The EmbedVideo extension allows adding arbitrary attributes to an HTML element, allowing for stored XSS through wikitext.

### Details

The attributes of an iframe are populated with the value of an unreserved data attribute (`data-iframeconfig`) that can be set via wikitext: https://github.com/StarCitizenWiki/mediawiki-extensions-EmbedVideo/blob/440fb331a84b2050f4cc084c1d31d58a1d1c202d/resources/ext.embedVideo.videolink.js#L5-L20

Similar code is also present here: https://github.com/StarCitizenWiki/mediawiki-extensions-EmbedVideo/blob/440fb331a84b2050f4cc084c1d31d58a1d1c202d/resources/modules/iframe.js#L139-L155

It is possible to execute JS through attributes like `onload` or `onmouseenter`.

### PoC

1. Create a page with the following contents:
   ```html
   <div class="embedvideo-evl" data-iframeconfig='{"onload": "alert(1)"}'>Click me!</div>
   <evlplayer></evlplayer>
   ```
2. Click on the "Click me!" text
3. Click on the "Load video" button below <img width="855" height="404" a...

GHSA-xh92-rqrq-227v: Mastra Docs MCP Server `@mastra/mcp-docs-server` Leads to Information Exposure

The Mastra Docs MCP Server package `@mastra/mcp-docs-server` is a server designed to provide documentation context to AI agentic workflows, such as those used in AI-powered IDEs.

**Resources:**

* Package URL: [https://www.npmjs.com/package/@mastra/mcp-docs-server](https://www.npmjs.com/package/@mastra/mcp-docs-server)

-----

## Overview

The `@mastra/mcp-docs-server` package in versions **0.13.18 and below** is vulnerable to a Directory Traversal attack that results in the disclosure of directory listings. The code contains a security check to prevent path traversal for reading file contents, but this check is effectively bypassed by subsequent logic that attempts to find directory suggestions. An attacker can leverage this flaw to list the contents of arbitrary directories on the user's filesystem, including the user's home directory, exposing sensitive information about the file system's structure.

-----

## Vulnerability

The tool's code attempts to prevent path traversal with...

GHSA-54j7-grvr-9xwg: Command Injection in adb-mcp MCP Server

# Command Injection in adb-mcp MCP Server

The MCP Server at https://github.com/srmorete/adb-mcp is written in a way that is vulnerable to command injection in some of its MCP Server tool definitions and implementations. The MCP Server is also published publicly to npm at www.npmjs.com/package/adb-mcp and allows users to install it.

## Vulnerable tool

The MCP Server defines the function `executeAdbCommand()`, which takes a command as a string parameter and wraps the promise-based `exec` function. The MCP Server then exposes the tool `inspect_ui`, which relies on the Node.js child process API `exec` (through the function wrapper) to execute the Android debugging command (`adb`). `exec` is an unsafe API when the command string is concatenated with untrusted user input. Data flows from the tool definition [here](https://github.com/srmorete/adb-mcp/blob/master/src/index.ts#L334-L343), which takes in `args.device` and calls `execPromise()` in [this definiti...

GHSA-2jjv-qf24-vfm4: Claude Code Vulnerable to Arbitrary Code Execution via Plugin Autoloading with Specific Yarn Versions

When using Claude Code with Yarn versions 2.0+, Yarn plugins are auto-executed when running `yarn --version`. This could lead to a bypass of the directory trust dialog in Claude Code, as plugins would be executed prior to the user accepting the risks of working in an untrusted directory. Users running Yarn Classic were unaffected by this issue. Users on standard Claude Code auto-update will have received this fix automatically. Users performing manual updates are advised to update to the latest version. Thank you to https://hackerone.com/michel_ for reporting this issue!

GHSA-hqrf-67pm-wgfq: Omni Wireguard SideroLink potential escape

## Overview

Omni and each Talos machine establish a peer-to-peer (P2P) SideroLink connection using WireGuard to mutually authenticate and authorize access. In this setup, Omni assigns a random IPv6 address to each Talos machine from a `/64` network block. Omni itself uses the fixed `::1` address within that same block. From Omni's perspective, this is a WireGuard interface with multiple peers, where each peer corresponds to a Talos machine.

The WireGuard interface on Omni is configured to ensure that the **source IP address** of an incoming packet matches the IPv6 address assigned to the Talos peer. However, it **performs no validation on the packet's destination address**.

The Talos end of the SideroLink connection cannot be considered a trusted environment. Workloads running on Kubernetes, especially those configured with host networking, could gain direct access to this link. Therefore, a malicious workload could theoretically send arbitrary packets over the SideroLink interface...

GHSA-6xv4-9cqp-92rh: messageformat prototype pollution vulnerability

The Runtime components of messageformat package for Node.js prior to version 3.0.1 contain a prototype pollution vulnerability. Due to insufficient validation of nested message keys during the processing of message data, an attacker can manipulate the prototype chain of JavaScript objects by providing specially crafted input. This can result in the injection of arbitrary properties into the Object.prototype, potentially leading to denial of service conditions or unexpected application behavior. The vulnerability allows attackers to alter the prototype of base objects, impacting all subsequent object instances throughout the application's lifecycle. This issue remains unaddressed in the latest available version.

PSF Warns of Fake PyPI Login Site Stealing User Credentials

The Python Software Foundation (PSF) warns developers of phishing emails leading to a fake PyPI login site designed to steal account credentials.