Security
Headlines
HeadlinesLatestCVEs

Tag

#git

China’s Salt Typhoon Hackers Breached the US National Guard for Nearly a Year

Plus: Secret IRS data-sharing with ICE, a 20-year-old hackable vulnerability in train brakes, and more.

Wired
#vulnerability#android#mac#google#git#botnet#auth#zero_day
GHSA-xffm-g5w8-qvg7: @eslint/plugin-kit is vulnerable to Regular Expression Denial of Service attacks through ConfigCommentParser

### Summary The `ConfigCommentParser#parseJSONLikeConfig` API is vulnerable to a Regular Expression Denial of Service (ReDoS) attack in its only argument. ### Details The regular expression at [packages/plugin-kit/src/config-comment-parser.js:158](https://github.com/eslint/rewrite/blob/bd4bf23c59f0e4886df671cdebd5abaeb1e0d916/packages/plugin-kit/src/config-comment-parser.js#L158) is vulnerable to a quadratic runtime attack because the grouped expression is not anchored. This can be solved by prepending the regular expression with `[^-a-zA-Z0-9/]`. ### PoC ```javascript const { ConfigCommentParser } = require("@eslint/plugin-kit"); const str = `${"A".repeat(1000000)}?: 1 B: 2`; console.log("start") var parser = new ConfigCommentParser(); console.log(parser.parseJSONLikeConfig(str)); console.log("end") // run `npm i @eslint/plugin-kit@0.3.3` and `node attack.js` // then the program will stuck forever with high CPU usage ``` ### Impact This is a Regular Expression Denial of Serv...

GHSA-5662-cv6m-63wh: melange's world-writable permissions expose SBOM files to potential image tampering

It was discovered that the SBOM files generated by melange in apks had file system permissions mode 666: ``` $ apkrane ls https://packages.wolfi.dev/os/x86_64/APKINDEX.tar.gz -P hello-wolfi --full --latest | xargs wget -q -O - | tar tzv 2>/dev/null var/lib/db/sbom drwxr-xr-x root/root 0 2025-06-23 14:17 var/lib/db/sbom -rw-rw-rw- root/root 3383 2025-06-23 14:17 var/lib/db/sbom/hello-wolfi-2.12.2-r1.spdx.json ``` This issue was introduced in commit 1b272db ("Persist workspace filesystem throughout package builds (#1836)") ([v0.23.0](https://github.com/chainguard-dev/melange/releases/tag/v0.23.0)). ### Impact This potentially allows an unprivileged user to tamper with apk SBOMs on a running image, potentially confusing security scanners. An attacker could also perform a DoS under special circumstances. ### Patches This issue was addressed in melange in e29494b ("fix: tighten up permissions for written SBOM files and signature tarballs (#2086)") ([v0.29.5](https://github...

GHSA-x6ph-r535-3vjw: apko is vulnerable to attack through incorrect permissions in /etc/ld.so.cache and other files

It was discovered that the ld.so.cache in images generated by apko had file system permissions mode `0666`: ``` bash-5.3# find / -type f -perm -o+w /etc/ld.so.cache ``` This issue was introduced in commit [04f37e2 ("generate /etc/ld.so.cache (#1629)")](https://github.com/chainguard-dev/apko/commit/04f37e2d50d5a502e155788561fb7d40de705bd9)([v0.27.0](https://github.com/chainguard-dev/apko/releases/tag/v0.27.0)). ### Impact This potentially allows a local unprivileged user to add additional additional directories including dynamic libraries to the dynamic loader path. A user could exploit this by placing a malicious library in a directory they control. ### Patches This issue was addressed in apko in [aedb077 ("fix: /etc/ld.so.cache file permissions (#1758)")](https://github.com/chainguard-dev/apko/commit/aedb0772d6bf6e74d8f17690946dbc791d0f6af3) ([v0.29.5](https://github.com/chainguard-dev/apko/releases/tag/v0.29.5)). ### Acknowledgements Many thanks to Cody Harris from [H2O.ai](htt...

PoisonSeed Tricking Users Into Bypassing FIDO Keys With QR Codes

PoisonSeed group tricks users into bypassing FIDO Keys by misusing QR code logins, highlighting new social engineering risk to secure MFA.

How China’s Patriotic ‘Honkers’ Became the Nation’s Elite Cyberspies

A new report traces the history of the early wave of Chinese hackers who became the backbone of the state's espionage apparatus.

GHSA-4fwj-8595-wp25: Mattermost has Insufficiently Protected Credentials

Mattermost versions 10.5.x <= 10.5.7, 9.11.x <= 9.11.16 fail to negotiate a new token when accepting the invite which allows a user that intercepts both invite and password to send synchronization payloads to the server that originally created the invite via the REST API.

GHSA-wvw2-3jh4-4c39: Mattermost Path Traversal vulnerability

Mattermost versions 10.8.x <= 10.8.1, 10.7.x <= 10.7.3, 10.5.x <= 10.5.7, 9.11.x <= 9.11.16 fail to sanitize input paths of file attachments in the bulk import JSONL file, which allows a system admin to read arbitrary system files via path traversal.

Years Long Linux Cryptominer Spotted Using Legit Sites to Spread Malware

Cryptominer campaign runs for years using legit sites to spread malware, targeting Linux systems through known bugs and avoiding detection.

GHSA-7h34-9chr-58qh: Mattermost Missing Authentication for Critical Function

Mattermost versions 10.5.x <= 10.5.6, 10.8.x <= 10.8.1, 10.7.x <= 10.7.3, 9.11.x <= 9.11.16 fail to verify authorization when retrieving cached posts by PendingPostID which allows an authenticated user to read posts in private channels they don't have access to via guessing the PendingPostID of recently created posts.