Security
Headlines
HeadlinesLatestCVEs

Tag

#rce

GHSA-gqfv-g4v7-m366: SiYuan: ZipSlip -> Arbitrary File Overwrite -> RCE

### Summary Function [**importZipMd**](https://github.com/siyuan-note/siyuan/blob/dae6158860cc704e353454565c96e874278c6f47/kernel/api/import.go#L190) is vulnerable to **ZipSlip** which allows an authenticated user to overwrite files on the system. ### Details An authenticated user with access to the import functionality in notes is able to overwrite any file on the system, the vulnerable function is [**importZipMd**](https://github.com/siyuan-note/siyuan/blob/dae6158860cc704e353454565c96e874278c6f47/kernel/api/import.go#L190), this can escalate to full code execution under some circumstances, for example using the official **docker image** it is possible to overwrite **entrypoint.sh** and after a container restart it will execute the changed code causing remote code execution. ### PoC Code used to generate the ZipSlip: ```python #!/usr/bin/env python3 import sys, base64, zipfile, io, time def prepare_zipslip(filename): orgfile1 = open('Test.md','rb').read() payload = open(...

ghsa
Open in Source
#git#rce#auth#docker
GHSA-xrqc-7xgx-c9vh: RCE via ZipSlip and symbolic links in argoproj/argo-workflows

### Summary The patch deployed against CVE-2025-62156 is ineffective against malicious archives containing symbolic links. ### Details The untar code that handles symbolic links in archives is unsafe. Concretely, the computation of the link's target and the subsequent check are flawed: https://github.com/argoproj/argo-workflows/blob/5291e0b01f94ba864f96f795bb500f2cfc5ad799/workflow/executor/executor.go#L1034-L1037 ### PoC 1. Create a malicious archive containing two files: a symbolik link with path "./work/foo" and target "/etc", and a normal text file with path "./work/foo/hostname". 2. Deploy a workflow like the one in https://github.com/argoproj/argo-workflows/security/advisories/GHSA-p84v-gxvw-73pf with the malicious archive mounted at /work/tmp. 3. Submit the workflow and wait for its execution. 4. Connect to the corresponding pod and observe that the file "/etc/hostname" was altered by the untar operation performed on the malicious archive. The attacker can hence alter arbitr...

GHSA-8vch-m3f4-q8jf: Elysia affected by arbitrary code injection through cookie config

Arbitrary code execution from cookie config. If dynamic cookies are enabled (ie there exists a schema for cookies), the cookie config is injected into the compiled route without first being sanitised. Availability of this exploit is generally low, as it requires write access to either the Elysia app's source code (in which case the vulnerability is meaningless) or write access to the cookie config (perhaps where it is assumed to be provisioned by the environment). However when combined with GHSA-hxj9-33pp-j2cc, this vulnerability allows for a full RCE chain. ### Impact - aot enabled (default) - cookie schema passed to route - Cookie config controllable eg. via env Example of vulnerable code ```js new Elysia({ cookie: { secrets: `' + console.log('pwned from secrets') + '` }, }) .get("/", () => "hello world", { cookie: t.Cookie({ foo: t.Any(), }), }) ``` POC: https://github.com/sportshead/elysia-poc ### Patches Patched by 1.4.17 (https://github.com/elysiajs/elysia/pul...

GHSA-hxj9-33pp-j2cc: Elysia vulnerable to prototype pollution with multiple standalone schema validation

Prototype pollution vulnerability in `mergeDeep` after merging results of two standard schema validations with the same key. Due to the ordering of merging, there must be an `any` type that is set as a `standalone` guard, to allow for the `__proto__` prop to be merged. When combined with GHSA-8vch-m3f4-q8jf this allows for a full RCE by an attacker. ### Impact Routes with more than 2 standalone schema validation, eg. zod Example vulnerable code: ```typescript import { Elysia } from "elysia" import * as z from "zod" const app = new Elysia() .guard({ schema: "standalone", body: z.object({ data: z.any() }) }) .post("/", ({ body }) => ({ body, win: {}.foo }), { body: z.object({ data: z.object({ messageId: z.string("pollute-me"), }) }) }) ``` ### Patches Patched by 1.4.17 (https://github.com/elysiajs/elysia/pull/1564) Reference commit: - https://github.com/elysiajs/elysia/pull/1564/commits/26935bf76ebc43b4a43d48b173fc853de43bb51e - https://github.com/elysiaj...

CVE-2025-54100: PowerShell Remote Code Execution Vulnerability

Improper neutralization of special elements used in a command ('command injection') in Windows PowerShell allows an unauthorized attacker to execute code locally.

CVE-2025-64671: GitHub Copilot for Jetbrains Remote Code Execution Vulnerability

Improper neutralization of special elements used in a command ('command injection') in Copilot allows an unauthorized attacker to execute code locally.