#rce

Microsoft today pushed updates to fix at least 56 security flaws in its Windows operating systems and supported software. This final Patch Tuesday of 2025 tackles one zero-day bug that is already being exploited, as well as two publicly disclosed vulnerabilities.

### Impact `MySQLSelectTool` is intended to be a read-only SQL tool (e.g., for LLM agent querying). However, validation based on the first keyword (e.g., `SELECT`) and a forbidden-keyword list does not block file-writing constructs such as `INTO OUTFILE` / `INTO DUMPFILE`. As a result, an attacker who can influence the tool input (e.g., prompt injection through a public agent endpoint) may be able to write arbitrary content to files on the DB server. If the MySQL/MariaDB account has the `FILE` privilege and server configuration permits writes to a useful location (e.g., a web-accessible directory), the impact can escalate to remote code execution on the application host (for example, by writing a PHP web shell). **Who is impacted:** Deployments that expose an agent using `MySQLSelectTool` to untrusted input and run with overly-permissive DB privileges/configuration. ### Patches **Not patched in:** 2.8.11 **Fixed in:** 2.8.12 Recommended fix direction: - Explicitly reject q...

### Summary Siyuan is vulnerable to RCE. The issue stems from a "Zip Slip" vulnerability during zip file extraction, combined with the ability to overwrite system executables and subsequently trigger their execution. ### Steps to reproduce 1. Authenticate 2. Create zip slip payload with path traversal entry `../../../../opt/siyuan/startup.sh`. startup.sh contains malicious code like: ```bash #!/bin/sh echo 'you have been pwned' > /siyuan/workspace/data/pwned.txt echo "pandoc 3.1.0" ``` 3. Upload zip to workspace via `/api/file/putFile` 4. Extract zip via `/api/archive/unzip`, overwrites the existing executable `startup.sh` while maintaining the +x permission 5. Trigger execution by calling `/api/setting/setExport` with `pandocBin=/opt/siyuan/startup.sh`. This calls `IsValidPandocBin()` which executes `startup.sh --version` that outputs "pandoc 3.1.0" and executes any arbitrary malicious code

### Summary Function [**importZipMd**](https://github.com/siyuan-note/siyuan/blob/dae6158860cc704e353454565c96e874278c6f47/kernel/api/import.go#L190) is vulnerable to **ZipSlip** which allows an authenticated user to overwrite files on the system. ### Details An authenticated user with access to the import functionality in notes is able to overwrite any file on the system, the vulnerable function is [**importZipMd**](https://github.com/siyuan-note/siyuan/blob/dae6158860cc704e353454565c96e874278c6f47/kernel/api/import.go#L190), this can escalate to full code execution under some circumstances, for example using the official **docker image** it is possible to overwrite **entrypoint.sh** and after a container restart it will execute the changed code causing remote code execution. ### PoC Code used to generate the ZipSlip: ```python #!/usr/bin/env python3 import sys, base64, zipfile, io, time def prepare_zipslip(filename): orgfile1 = open('Test.md','rb').read() payload = open(...

### Summary The patch deployed against CVE-2025-62156 is ineffective against malicious archives containing symbolic links. ### Details The untar code that handles symbolic links in archives is unsafe. Concretely, the computation of the link's target and the subsequent check are flawed: https://github.com/argoproj/argo-workflows/blob/5291e0b01f94ba864f96f795bb500f2cfc5ad799/workflow/executor/executor.go#L1034-L1037 ### PoC 1. Create a malicious archive containing two files: a symbolik link with path "./work/foo" and target "/etc", and a normal text file with path "./work/foo/hostname". 2. Deploy a workflow like the one in https://github.com/argoproj/argo-workflows/security/advisories/GHSA-p84v-gxvw-73pf with the malicious archive mounted at /work/tmp. 3. Submit the workflow and wait for its execution. 4. Connect to the corresponding pod and observe that the file "/etc/hostname" was altered by the untar operation performed on the malicious archive. The attacker can hence alter arbitr...

Arbitrary code execution from cookie config. If dynamic cookies are enabled (ie there exists a schema for cookies), the cookie config is injected into the compiled route without first being sanitised. Availability of this exploit is generally low, as it requires write access to either the Elysia app's source code (in which case the vulnerability is meaningless) or write access to the cookie config (perhaps where it is assumed to be provisioned by the environment). However when combined with GHSA-hxj9-33pp-j2cc, this vulnerability allows for a full RCE chain. ### Impact - aot enabled (default) - cookie schema passed to route - Cookie config controllable eg. via env Example of vulnerable code ```js new Elysia({ cookie: { secrets: `' + console.log('pwned from secrets') + '` }, }) .get("/", () => "hello world", { cookie: t.Cookie({ foo: t.Any(), }), }) ``` POC: https://github.com/sportshead/elysia-poc ### Patches Patched by 1.4.17 (https://github.com/elysiajs/elysia/pul...

Prototype pollution vulnerability in `mergeDeep` after merging results of two standard schema validations with the same key. Due to the ordering of merging, there must be an `any` type that is set as a `standalone` guard, to allow for the `__proto__` prop to be merged. When combined with GHSA-8vch-m3f4-q8jf this allows for a full RCE by an attacker. ### Impact Routes with more than 2 standalone schema validation, eg. zod Example vulnerable code: ```typescript import { Elysia } from "elysia" import * as z from "zod" const app = new Elysia() .guard({ schema: "standalone", body: z.object({ data: z.any() }) }) .post("/", ({ body }) => ({ body, win: {}.foo }), { body: z.object({ data: z.object({ messageId: z.string("pollute-me"), }) }) }) ``` ### Patches Patched by 1.4.17 (https://github.com/elysiajs/elysia/pull/1564) Reference commit: - https://github.com/elysiajs/elysia/pull/1564/commits/26935bf76ebc43b4a43d48b173fc853de43bb51e - https://github.com/elysiaj...

Heap-based buffer overflow in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to execute code over a network.

Improper neutralization of special elements used in a command ('command injection') in Windows PowerShell allows an unauthorized attacker to execute code locally.

Improper neutralization of special elements used in a command ('command injection') in Copilot allows an unauthorized attacker to execute code locally.