#vulnerability

tricia, queen of house cyberly :verified_paw: :donor:

@[email protected]

Features aren't always innocent 😉

In the most recent publication by Akamai Technologies' Security Intelligence Group, Tomer Peled found yet -a n o t h e r- vuln in K8s. this time in Log Query, and it can do some big bad.

Did you know that out of the 12 vulns found in Kubernetes since 2023, Tomer has found 4 of them?!?!? i work with the coolest people

anyway, couldn't resist a britney parody sooooooo

akamai.com/blog/security-resea

Fedify: an ActivityPub server framework

@[email protected]

We have released updates (1.0.14, 1.1.11, 1.2.11, 1.3.4) to address CVE-2025-23221, a in 's implementation. We recommend all users update to the latest version of their respective release series immediately.

The Vulnerability

A security researcher identified multiple security issues in Fedify's lookupWebFinger() function that could be exploited to:

  • Perform denial of service attacks through infinite redirect loops
  • Execute server-side request forgery () attacks via redirects to private network addresses
  • Access unintended URL schemes through redirect manipulation

Fixed Versions

  • 1.3.x series: Update to 1.3.4
  • 1.2.x series: Update to 1.2.11
  • 1.1.x series: Update to 1.1.11
  • 1.0.x series: Update to 1.0.14

Changes

The security updates implement the following fixes:

  1. Added a maximum redirect limit (5) to prevent infinite redirect loops
  2. Restricted redirects to only follow the same scheme as the original request (HTTP/HTTPS)
  3. Blocked redirects to private network addresses to prevent SSRF attacks

How to Update

To update to the latest secure version:

# For npm users
npm update @fedify/fedify

# For Deno users
deno add jsr:@fedify/fedify

We thank the security researcher who responsibly disclosed this vulnerability, allowing us to address these issues promptly.

For more details about this vulnerability, please refer to our security advisory.


If you have any questions or concerns, please don't hesitate to reach out through our GitHub Discussions, join our Matrix chat space, or our Discord server.

Tod Beardsley 🤘

@[email protected]

Get a for Xmas. (Arrived early)

25 minutes after setting up

Find a security in the customer login.

why am I like this

(it's lame but it's deffo a finding)

Guess I'll report this after the Xmas rush. Not sure if CVE-able or just kinda lame design.

sigh

Syft

@[email protected]

A very sincere thank you to all the contributors to our open-source projects.
Your work makes a difference every day. 🙏
youtube.com/watch?v=0ciqJxJYZC

thereisnoanderson

@[email protected]

NEW - ⛸️🧱🖥️ DCG /etc/hosts available - last updated 2024/12/20

1544291 - Domains blocked with that build ! 🦜

🐻
Supercharging your content blocker to increase privacy and security.

Ready to use lists combined from many permissively licensed sources.

divested.dev/pages/dnsbl

@divested @DivestedComputingGroup


Harry Sintonen

@[email protected]

Apparently has rated as v3 Base Score 9.1 "critical". This is wrong, and will lead to automation triggering unnecessary warnings and blocking use of perfectly fine systems until an update is installed (which can take months). nvd.nist.gov/vuln/detail/CVE-2

Edit: In case you wonder my credentials for judging this: I found this vulnerability.

Edit2: This appears to be originating from CISA: cve.org/Media/News/item/blog/2

Edit3: The score has now been fixed. Commit: github.com/cisagov/vulnrichmen

thereisnoanderson

@[email protected]

NEW - 💾🖥️🔩⚙️ DCG real-ucode - 2024-12-14 - 1

🐻

New intel-ucode with that one ! Lets goo 🧑‍🦽🏃‍♂️👨‍🦯👩‍🦯👩‍🦽🏃‍♀️

github.com/divestedcg/real-uco

@divested


Olivier Forget

@[email protected]

FYI flags that crypto in your project even if you aren't affected. It checks if you import the package, not if you actually use the affected functions. govulncheck does it correctly.

Lucky for me that means I don't have to change anything in my project.

Thanks to @filippo

Github dependabot page for project Dropserver for "Misuse of ServerConfig.PublicKeyCallback may cause authorization bypass in golang.org/x/crypto" CVE-2024-45337
Verbose output of govulncheck on same Dropserver project showing that it is not affected by the vulnerability because we don't appear to call affect methods. Full text:

"DropServer git:(tailscale-1) ✗ govulncheck -show verbose ./...
Scanning your code and 643 packages across 83 dependent modules for known vulnerabilities...

Fetching vulnerabilities from the database...

Checking the code against the vulnerabilities...

=== Symbol Results ===

No vulnerabilities found.

=== Package Results ===

No other vulnerabilities found.

=== Module Results ===

Vulnerability #1: GO-2024-3321
    Misuse of ServerConfig.PublicKeyCallback may cause authorization bypass in
    golang.org/x/crypto
  More info: https://pkg.go.dev/vuln/GO-2024-3321
  Module: golang.org/x/crypto
    Found in: golang.org/x/crypto@v0.29.0
    Fixed in: golang.org/x/crypto@v0.31.0

Your code is affected by 0 vulnerabilities.
This scan also found 0 vulnerabilities in packages you import and 1
vulnerability in modules you require, but your code doesn't appear to call these
vulnerabilities.
BeyondMachines :verified:

@[email protected]

Chrome releases new version patching critical issues

beyondmachines.net/event_detai

Jason Parker (he/they)

@north@ꩰ.com

told me on that this isn't a security , so cool, I'll talk about it publicly.

You can disable 2FA¹ on another person's account if you get access to their phone momentarily.

All you have to do is create a new account and put their phone number in as the login; if you verify the code, it strips it from the other account with no warning, and they can't take it back.

So have fun I guess?

¹ SMS is not

circl

@[email protected]

OpenBSD crond / crontab set_range() heap underflow - CVE-2024-43688

supernetworks.org/CVE-2024-436

vulnerability.circl.lu/cve/CVE

Sam Stepanyan :verified: 🐘

@[email protected]

: if you are using SSH on you need to patch it immediately! Critical CVE-2024-7589 allows attackers to execute remote code without authentication:
👇
thehackernews.com/2024/08/free

Gonéri

@[email protected]

- with a background in space and aeronautics, I have been working on remote sensing and geosciences, including at BRGM (🇨🇵geological survey) since 2006.
My main research focus since 2007 are and climate change, especially sea-level rise impacts on flooding and erosion.
I am one of the lead authors of the 6th assessment report of the /WGII on , and , chapters Europe, Mediterranean region and sea-level rise cross-chapter box.

Soatok Dreamseeker

@[email protected] · Reply to Soatok Dreamseeker's post

So, like...

OMEMO v0.3 has a pretty fucking obvious issue similar to what I found in Threema.

You're forced to use AES-GCM in a way that makes Invisible Salamanders a trivial exploit to pull off.

github.com/soatok/gcm-exploit

I'm not going to bother with an embargo for this. This specific protocol and design problem is not present in newer versions of their spec.

Conversations is impacted.
Gajim is impacted.
Et cetera.

> Is this 0day?

Probably not to the spec authors, but to the implementation developers? Maybe.

This is why you don't roll your own crypto.

Also, Conversations uses Java's Base64 class to decode private keys, which is susceptible to cache-timing attacks: codeberg.org/iNPUTmice/Convers

See this paper: arxiv.org/abs/2108.04600

That one is *definitely* a 0day.

Fedify: an ActivityPub server framework

@[email protected]

We released 0.9.2, 0.10.1, and 0.11.1, which patched the last reported , CVE-2024-39687, but the vulnerability of SSRF attacks via DNS rebinding still exists, so we released Fedify 0.9.3, 0.10.2, and 0.11.2, which fixes it.

If you are using an earlier version, please update as soon as possible.

Thanks to @benaryorg for reporting the vulnerability!

Hollo :hollo:

@[email protected]

To users: please update your to 0.1.0-dev.46, a patch which addresses @fedify's CVE-2024-39687, as soon as possible!

https://hollo.social/@fedify/019080c7-c784-755d-a6f2-d1f91f2c5709