Server-side Request Forgery (SSRF)

Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF in the process that parses WWW-Authenticate challenges from an upstream registry. An attacker can obtain upstream credentials by manipulating the bearer realm URL to redirect authentication requests to a...

CVE-2025-6433

If a user visited a webpage with an invalid TLS certificate, and granted an exception, the webpage was able to provide a WebAuthn challenge that the user would be prompted to complete. This is in violation of the WebAuthN spec which requires "a secure transport established without errors". This...