Security
Headlines
HeadlinesLatestCVEs

Tag

#oauth

GHSA-837q-jhwx-cmpv: Parse Server has an OAuth login vulnerability

### Impact The 3rd party authentication handling of Parse Server allows the authentication credentials of some specific authentication providers to be used across multiple Parse Server apps. For example, if a user signed up using the same authentication provider in two unrelated Parse Server apps, the credentials stored by one app can be used to authenticate the same user in the other app. Note that this only affects Parse Server apps that specifically use an affected 3rd party authentication provider for user authentication, for example by setting the Parse Server option `auth` to configure a Parse Server authentication adapter. See the [3rd party authentication docs](https://docs.parseplatform.org/parse-server/guide/#oauth-and-3rd-party-authentication) for more information on which authentication providers are affected. ### Patches The fix of this vulnerability requires to upgrade Parse Server to a version that includes the bug fix, as well as upgrade the client app to send a secu...

ghsa
Open in Source
#vulnerability#git#oauth#auth
GHSA-pwhh-q4h6-w599: Spotipy's cache file, containing spotify auth token, is created with overly broad permissions

### Summary The `CacheHandler` class creates a cache file to store the auth token here: https://github.com/spotipy-dev/spotipy/blob/master/spotipy/cache_handler.py#L93-L98 The file created has `rw-r--r--` (644) permissions by default, when it could be locked down to `rw-------` (600) permissions. I think `600` is a sensible default. ![image](https://github.com/user-attachments/assets/0b7ebbc1-a27a-4528-ab6a-135c7886766a) ### Details This leads to overly broad exposure of the spotify auth token. If this token can be read by an attacker (another user on the machine, or a process running as another user), it can be used to perform administrative actions on the Spotify account, depending on the scope granted to the token. ### PoC Run an application that uses spotipy with client creation like this: ```python from pathlib import Path import spotipy from os import getenv def create_spotify_client(client_id: str, client_secret: str) -> spotipy.Spotify: """Create and return an auth...

GHSA-c6gw-w398-hv78: DoS in go-jose Parsing

### Impact When parsing compact JWS or JWE input, go-jose could use excessive memory. The code used strings.Split(token, ".") to split JWT tokens, which is vulnerable to excessive memory consumption when processing maliciously crafted tokens with a large number of '.' characters. An attacker could exploit this by sending numerous malformed tokens, leading to memory exhaustion and a Denial of Service. ### Patches Version 4.0.5 fixes this issue ### Workarounds Applications could pre-validate payloads passed to go-jose do not contain an excessive number of '.' characters. ### References This is the same sort of issue as in the golang.org/x/oauth2/jws package as CVE-2025-22868 and Go issue https://go.dev/issue/71490.

GHSA-hjpm-7mrm-26w8: Beter Auth has an Open Redirect via Scheme-Less Callback Parameter

### Summary The application is vulnerable to an open redirect due to improper validation of the callbackURL parameter in the email verification endpoint and any other endpoint that accepts callback url. While the server blocks fully qualified URLs (e.g., https://evil.com), it incorrectly allows scheme-less URLs (e.g., //malicious-site.com). This results in the browser interpreting the URL as https://malicious-site.com, leading to unintended redirection. bypass for : https://github.com/better-auth/better-auth/security/advisories/GHSA-8jhw-6pjj-8723 ### Affected Versions All versions prior to 1.1.19 ### Details The application’s email verification endpoint (/auth/verify-email) accepts a callbackURL parameter intended to redirect users after successful email verification. While the server correctly blocks fully qualified external URLs (e.g., https://evil.com), it improperly allows scheme-less URLs (e.g., //malicious-site.com). This issue occurs because browsers interpret //malicious-si...

North Korea's Kimsuky Taps Trusted Platforms to Attack South Korea

The campaign heavily uses Dropbox folders and PowerShell scripts to evade detection and quickly scrapped infrastructure components after researchers began poking around.

DeepSeek Jailbreak Reveals Its Entire System Prompt

Now we know exactly how DeepSeek was designed to work, and we may even have a clue toward its highly publicized scandal with OpenAI.

DeepSeek AI Leaks Over a Million Chat Logs and Sensitive Data Online

DeepSeek, a Chinese AI startup, exposed sensitive data by leaving a database open. Wiz Research found chat logs, keys, and backend details accessible.