#git

The digital refuge: Abortion clinics, activist groups, and other organizations are turning to overseas hosting providers willing to keep their data — and their work — safe.

Today we're launching Malwarebytes Tools, a new set of free features designed to give your Windows PC a breath of fresh air.

Wilmington, United States, 4th September 2025, CyberNewsWire

The Quad7 botnet is adding End-of-Life TP-Link routers to its arsenal and using them to steal Microsoft 365 accounts.

A recent report has revealed that many VPNs might allow others to sniff your data—and they're not being honest about who's behind them.

"This is entirely false" said Google about recent rumors of a widespread attack on Google users.

### Summary [Python class pollution](https://blog.abdulrah33m.com/prototype-pollution-in-python/) is a novel vulnerability categorized under [CWE-915](https://cwe.mitre.org/data/definitions/915.html). The `Delta` class is vulnerable to class pollution via its constructor, and when combined with a gadget available in DeltaDiff itself, it can lead to Denial of Service and Remote Code Execution (via insecure [Pickle](https://docs.python.org/3/library/pickle.html) deserialization). The gadget available in DeepDiff allows `deepdiff.serialization.SAFE_TO_IMPORT` to be modified to allow dangerous classes such as `posix.system`, and then perform insecure Pickle deserialization via the Delta class. This potentially allows any Python code to be executed, given that the input to `Delta` is user-controlled. Depending on the application where DeepDiff is used, this can also lead to other vulnerabilities. For example, in a web application, it might be possible to bypass authentication via class po...

### Impact The attacker can validate if a user exists by checking the time login returns. This timing difference can be used to enumerate valid usernames, after which an attacker could attempt brute force attacks. ### Patches This vulnerability has been patched, implementing a timing-safe form login authenticator that ensures consistent response times regardless of whether a user exists or not. ### Technical Details The vulnerability was caused by different response times when: - A valid username was provided (password hashing occurred) - An invalid username was provided (no password hashing occurred) The fix introduces a `TimingSafeFormLoginAuthenticator` that performs a dummy password hash verification even for non-existent users, ensuring consistent timing. ### Workarounds No workarounds are available. Users should upgrade to the patched version. ### References - https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/03-Identity_Manag...

### Summary A flaw in the `getPath` utility function could allow path confusion and potential bypass of proxy-level ACLs (e.g. Nginx location blocks). ### Details The original implementation relied on fixed character offsets when parsing request URLs. Under certain malformed absolute-form Request-URIs, this could lead to incorrect path extraction. Most standards-compliant runtimes and reverse proxies reject such malformed requests with a 400 Bad Request, so the impact depends on the application and environment. ### Impact If proxy ACLs are used to protect sensitive endpoints such as `/admin`, this flaw could have allowed unauthorized access. The confidentiality impact depends on what data is exposed: if sensitive administrative data is exposed, the impact may be High (CVSS 7.5); otherwise it may be Medium (CVSS 5.3). ### Resolution The implementation has been updated to correctly locate the first slash after "://", preventing such path confusion.

### Impact It was not clear that it is not possible to change `min_signers` (i.e. the threshold) with the refresh share functionality (`frost_core::keys::refresh` module). Using a smaller value would not decrease the threshold, and attempts to sign using a smaller threshold would fail. Additionally, after refreshing the shares with a smaller threshold, it would still be possible to sign with the original threshold; however, this could cause a security loss to the participant's shares. We have not determined the exact security implications of doing so and judged simpler to just validate `min_signers`. If for some reason you have done a refresh share procedure with a smaller `min_signers` we strongly recommend migrating to a new key. ### Patches Updating to 2.2.0 will ensure that the `min_signers` parameter will be validated. However it won't restore the security of groups refreshed with a smaller `min_signers` parameters. ### Workarounds You don't need to update if you don't us...