#js

Name: ISA-2025-001: Non-deterministic JSON Unmarshalling of IBC Acknowledgement can result in a chain halt Component: IBC-Go Criticality: High (Considerable Impact; Likely Likelihood per [ACMv1.2](https://github.com/interchainio/security/blob/main/resources/CLASSIFICATION_MATRIX.md)) Affected versions: IBC-Go >= v7; Earlier IBC-Go versions MAY also be affected. Affected users: Validators, Full nodes, IBC Middleware authors ### Description An issue was discovered in IBC-Go's deserialization of acknowledgements that results in non-deterministic behavior which can halt a chain. Any user that can open an IBC channel can introduce this state to the chain. The following patch is in addition to the previous patch which now extends the same protection to all applications beyond transfer. ### Patches The new IBC-Go releases below address this issue: * [v7.10.0](https://github.com/cosmos/ibc-go/releases/tag/v7.10.0) * [v8.7.0](https://github.com/cosmos/ibc-go/releases/tag/v8.7.0) ### Worka...

# Summary Loading a malicious schema definition in `GraphQL::Schema.from_introspection` (or `GraphQL::Schema::Loader.load`) can result in remote code execution. Any system which loads a schema by JSON from an untrusted source is vulnerable, including those that use [GraphQL::Client](https://github.com/github-community-projects/graphql-client) to load external schemas via GraphQL introspection.

### Impact A specially crafted document could cause an out of bound read, most likely resulting in a crash. Versions 2.10.0 and 2.10.1 are impacted. Older versions are not. ### Patches Version 2.10.2 fixes the problem. ### Workarounds None.

Lazarus Group targets developers with malicious npm packages, stealing credentials, crypto, and installing backdoor. Stay alert to protect your projects.

# Description [An issue was discovered in IBC-Go's deserialization of acknowledgements](https://github.com/cosmos/ibc-go/security/advisories/GHSA-jg6f-48ff-5xrw) that results in non-deterministic behavior which can halt a chain. Any user that can open an IBC channel can introduce this state to the chain. This an upstream dependency used in cheqd-node, rather than a custom module. ## Impact Could result in a chain halt. ## Patches Validators, full nodes, and IBC relayers should upgrade to **[cheqd-node v3.1.7](https://github.com/cheqd/cheqd-node/releases/tag/v3.1.7)**. This upgrade does not require a software upgrade proposal on-chain and is meant to be non state-breaking. ## References See [ASA-2025-004: Non-deterministic JSON Unmarshalling of IBC Acknowledgement can result in a chain halt](https://github.com/cosmos/ibc-go/security/advisories/GHSA-jg6f-48ff-5xrw) upstream on IBC-Go.

### Impact When using Babel to compile [regular expression named capturing groups](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Regular_expressions/Named_capturing_group), Babel will generate a polyfill for the `.replace` method that has quadratic complexity on some specific replacement pattern strings (i.e. the second argument passed to `.replace`). Your generated code is vulnerable if _all_ the following conditions are true: - You use Babel to compile [regular expression named capturing groups](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Regular_expressions/Named_capturing_group) or - You use the `.replace` method on a regular expression that contains named capturing groups - **Your code uses untrusted strings as the second argument of `.replace`** If you are using `@babel/preset-env` with the [`targets`](https://babeljs.io/docs/options#targets) option, the transform that injects the vulnerable code is automatically enabled if: - you use...

### Impact The Keras `Model.load_model` function permits arbitrary code execution, even with `safe_mode=True`, through a manually constructed, malicious `.keras` archive. By altering the `config.json` file within the archive, an attacker can specify arbitrary Python modules and functions, along with their arguments, to be loaded and executed during model loading. ### Patches This problem is fixed starting with version `3.9`. ### Workarounds Only load models from trusted sources and model archives created with Keras. ### References - https://www.cve.org/cverecord?id=CVE-2025-1550 - https://github.com/keras-team/keras/pull/20751

# Microsoft Security Advisory CVE-2025-24070: .NET Elevation of Privilege Vulnerability ## <a name="executive-summary"></a>Executive summary Microsoft is releasing this security advisory to provide information about a vulnerability in ASP.NET Core 9.0 , ASP.NET Core 8.0, and ASP.NET Core 2.3. This advisory also provides guidance on what developers can do to update their applications to address this vulnerability. A vulnerability exists in ASP.NET Core applications calling RefreshSignInAsync with an improperly authenticated user parameter that could allow an attacker to sign into another user's account, resulting in Elevation of Privilege. ## Announcement Announcement for this issue can be found at https://github.com/dotnet/announcements/issues/348 ### <a name="mitigation-factors"></a>Mitigation factors Microsoft has not identified any mitigating factors for this vulnerability. ## <a name="affected-software"></a>Affected software * Any ASP.NET Core 9.0 application running on AS...

### Summary There's a signature confusion attack in the HTTPRedirect binding. An attacker with any signed SAMLResponse via the HTTP-Redirect binding can cause the application to accept an unsigned message. I believe that it exists for v4 only. I have not yet developed a PoC. V5 is well designed and instead builds the signed query from the same message that will be consumed. ### Details #### What is verified The data['SignedQuery'] is the string that will be verified by the public key. It is defined here: https://github.com/simplesamlphp/saml2/blob/9545abd0d9d48388f2fa00469c5c1e0294f0303e/src/SAML2/HTTPRedirect.php#L178-L217 THe code will iterate through each parameter name. Notably, sigQuery is overridden each time when processing, making the last of SAMLRequest/SAMLResponse used for sigQuery. For example, given: SAMLRequest=a&SAMLResponse=idpsigned SAMLResponse=idpsigned will be set as sigQuery, then later verified #### What is actually processed Processing uses SAMLReques...

### Summary A mock API configuration for static file serving following the same approach presented in the [documentation page](https://mockoon.com/tutorials/create-endpoint-serving-static-file/), where the server filename is generated via templating features from user input is vulnerable to Path Traversal and LFI, allowing an attacker to get any file in the mock server filesystem. The issue may be particularly relevant in cloud hosted server instances ### Details In `sendFileWithCallback`([code](https://github.com/mockoon/mockoon/blob/1ed31c4059d7f757f6cb2a43e10dc81b0d9c55a9/packages/commons-server/src/libs/server/server.ts#L1400)) and `sendFile`([code](https://github.com/mockoon/mockoon/blob/1ed31c4059d7f757f6cb2a43e10dc81b0d9c55a9/packages/commons-server/src/libs/server/server.ts#L1551)) the `filePath` variable is parsed using `TemplateParser` ```js let filePath = TemplateParser({ shouldOmitDataHelper: false, // replace backslashes with forward slashes, but not if f...