Tag
#git
Plus: Secret IRS data-sharing with ICE, a 20-year-old hackable vulnerability in train brakes, and more.
### Summary The `ConfigCommentParser#parseJSONLikeConfig` API is vulnerable to a Regular Expression Denial of Service (ReDoS) attack in its only argument. ### Details The regular expression at [packages/plugin-kit/src/config-comment-parser.js:158](https://github.com/eslint/rewrite/blob/bd4bf23c59f0e4886df671cdebd5abaeb1e0d916/packages/plugin-kit/src/config-comment-parser.js#L158) is vulnerable to a quadratic runtime attack because the grouped expression is not anchored. This can be solved by prepending the regular expression with `[^-a-zA-Z0-9/]`. ### PoC ```javascript const { ConfigCommentParser } = require("@eslint/plugin-kit"); const str = `${"A".repeat(1000000)}?: 1 B: 2`; console.log("start") var parser = new ConfigCommentParser(); console.log(parser.parseJSONLikeConfig(str)); console.log("end") // run `npm i @eslint/plugin-kit@0.3.3` and `node attack.js` // then the program will stuck forever with high CPU usage ``` ### Impact This is a Regular Expression Denial of Serv...
It was discovered that the SBOM files generated by melange in apks had file system permissions mode 666: ``` $ apkrane ls https://packages.wolfi.dev/os/x86_64/APKINDEX.tar.gz -P hello-wolfi --full --latest | xargs wget -q -O - | tar tzv 2>/dev/null var/lib/db/sbom drwxr-xr-x root/root 0 2025-06-23 14:17 var/lib/db/sbom -rw-rw-rw- root/root 3383 2025-06-23 14:17 var/lib/db/sbom/hello-wolfi-2.12.2-r1.spdx.json ``` This issue was introduced in commit 1b272db ("Persist workspace filesystem throughout package builds (#1836)") ([v0.23.0](https://github.com/chainguard-dev/melange/releases/tag/v0.23.0)). ### Impact This potentially allows an unprivileged user to tamper with apk SBOMs on a running image, potentially confusing security scanners. An attacker could also perform a DoS under special circumstances. ### Patches This issue was addressed in melange in e29494b ("fix: tighten up permissions for written SBOM files and signature tarballs (#2086)") ([v0.29.5](https://github...
It was discovered that the ld.so.cache in images generated by apko had file system permissions mode `0666`: ``` bash-5.3# find / -type f -perm -o+w /etc/ld.so.cache ``` This issue was introduced in commit [04f37e2 ("generate /etc/ld.so.cache (#1629)")](https://github.com/chainguard-dev/apko/commit/04f37e2d50d5a502e155788561fb7d40de705bd9)([v0.27.0](https://github.com/chainguard-dev/apko/releases/tag/v0.27.0)). ### Impact This potentially allows a local unprivileged user to add additional additional directories including dynamic libraries to the dynamic loader path. A user could exploit this by placing a malicious library in a directory they control. ### Patches This issue was addressed in apko in [aedb077 ("fix: /etc/ld.so.cache file permissions (#1758)")](https://github.com/chainguard-dev/apko/commit/aedb0772d6bf6e74d8f17690946dbc791d0f6af3) ([v0.29.5](https://github.com/chainguard-dev/apko/releases/tag/v0.29.5)). ### Acknowledgements Many thanks to Cody Harris from [H2O.ai](htt...
PoisonSeed group tricks users into bypassing FIDO Keys by misusing QR code logins, highlighting new social engineering risk to secure MFA.
A new report traces the history of the early wave of Chinese hackers who became the backbone of the state's espionage apparatus.
Mattermost versions 10.5.x <= 10.5.7, 9.11.x <= 9.11.16 fail to negotiate a new token when accepting the invite which allows a user that intercepts both invite and password to send synchronization payloads to the server that originally created the invite via the REST API.
Mattermost versions 10.8.x <= 10.8.1, 10.7.x <= 10.7.3, 10.5.x <= 10.5.7, 9.11.x <= 9.11.16 fail to sanitize input paths of file attachments in the bulk import JSONL file, which allows a system admin to read arbitrary system files via path traversal.
Cryptominer campaign runs for years using legit sites to spread malware, targeting Linux systems through known bugs and avoiding detection.
Mattermost versions 10.5.x <= 10.5.6, 10.8.x <= 10.8.1, 10.7.x <= 10.7.3, 9.11.x <= 9.11.16 fail to verify authorization when retrieving cached posts by PendingPostID which allows an authenticated user to read posts in private channels they don't have access to via guessing the PendingPostID of recently created posts.