#java

Google on Wednesday released security updates for the Chrome web browser to address four vulnerabilities, including one that it said has been exploited in the wild. The zero-day vulnerability in question is CVE-2025-10585, which has been described as a type confusion issue in the V8 JavaScript and WebAssembly engine. Type confusion vulnerabilities can have severe consequences as they can be

### Summary A client-side path traversal vulnerability in Nuxt's Island payload revival mechanism allowed attackers to manipulate client-side requests to different endpoints within the same application domain when specific prerendering conditions are met. ### Technical Details The vulnerability occurs in the client-side payload revival process (revive-payload.client.ts) where Nuxt Islands are automatically fetched when encountering serialized `__nuxt_island` objects. The issue affects the following flow: 1. During prerendering, if an API endpoint returns user-controlled data containing a crafted `__nuxt_island` object 2. This data gets serialized with `devalue.stringify` and stored in the prerendered page 3. When a client navigates to the prerendered page, `devalue.parse` deserializes the payload 4. The Island reviver attempts to fetch `/__nuxt_island/${key}.json` where `key` could contain path traversal sequences ### Prerequisites for Exploitation This vulnerability requires **a...

### Summary jinjava’s current sandbox restrictions prevent direct access to dangerous methods such as `getClass()`, and block instantiation of Class objects. However, these protections can be bypassed. By using mapper.getTypeFactory().constructFromCanonical(), it is possible to instruct the underlying ObjectMapper to deserialize attacker-controlled input into arbitrary classes. This enables the creation of semi-arbitrary class instances without directly invoking restricted methods or class literals. As a result, an attacker can escape the sandbox and instantiate classes such as java.net.URL, opening up the ability to access local files and URLs(e.g., file:///etc/passwd). With further chaining, this primitive can potentially lead to remote code execution (RCE). ### Details jinjava templates expose a built-in variable `____int3rpr3t3r____`, which provides direct access to the jinjavaInterpreter instance. This variable was previously abused (see [Add interpreter to blacklist](https:/...

The threat actor known as TA558 has been attributed to a fresh set of attacks delivering various remote access trojans (RATs) like Venom RAT to breach hotels in Brazil and Spanish-speaking markets. Russian cybersecurity vendor Kaspersky is tracking the activity, observed in summer 2025, to a cluster it tracks as RevengeHotels. "The threat actors continue to employ phishing emails with invoice

In Jenkins 2.527 and earlier, LTS 2.516.2 and earlier, the log formatter that prepares log messages for console output (including `jenkins.log` and equivalent) does not restrict or transform the characters that can be inserted from user-specified content in log messages. This allows attackers able to control log message contents to insert line break characters, followed by forged log messages that may mislead administrators reviewing log output. Jenkins 2.528, LTS 2.516.3 adds an indicator at the beginning of a line that was inserted as part of log message content: `[CR]`, `[LF]`, or `[CRLF]` (representing the kind of line break), followed by `>` .

Jenkins 2.527 and earlier, LTS 2.516.2 and earlier does not perform a permission check for the authenticated user profile dropdown menu. This allows attackers without Overall/Read permission to obtain limited information about the Jenkins configuration by listing available options in this menu (e.g., whether Credentials Plugin is installed). Jenkins 2.528, LTS 2.516.3 requires Overall/Read permission to list various items in authenticated user profile dropdown menus.

ReversingLabs discovers “Shai-hulud,” a self-replicating computer worm on the npm open-source registry. Learn how the malware steals developer…

### Impact A timing attack vulnerability exists in the SCRAM Java implementation. The issue arises because `Arrays.equals` was used to compare secret values such as client proofs and server signatures. Since `Arrays.equals` performs a short-circuit comparison, the execution time varies depending on how many leading bytes match. This behavior could allow an attacker to perform a timing side-channel attack and potentially infer sensitive authentication material. All users relying on SCRAM authentication are impacted. ### Patches This vulnerability has been patched by replacing `Arrays.equals` with `MessageDigest.isEqual`, which ensures constant-time comparison. Users should upgrade to version **3.2** or later to mitigate this issue. ### Workarounds Because the attack requires high precision and repeated attempts, the risk is limited, but the only reliable mitigation is to upgrade to a patched release (version 3.2 or later). ### References - [Java `MessageDigest.isEqual` Documenta...

Spring Cloud Gateway Server Webflux may be vulnerable to Spring Environment property modification. An application should be considered vulnerable when all the following are true: * The application is using Spring Cloud Gateway Server Webflux (Spring Cloud Gateway Server WebMVC is not vulnerable). * Spring Boot actuator is a dependency. * The Spring Cloud Gateway Server Webflux actuator web endpoint is enabled via management.endpoints.web.exposure.include=gateway. * The actuator endpoints are available to attackers. * The actuator endpoints are unsecured.

At least 187 code packages made available through the JavaScript repository NPM have been infected with a self-replicating worm that steals credentials from developers and publishes those secrets on GitHub, experts warn. The malware, which briefly infected multiple code packages from the security vendor CrowdStrike, steals and publishes even more credentials every time an infected package is installed.