Critical RCE Vulnerabilities in React and Next.js
https://www.wiz.io/blog/critical-vulnerability-in-react-cve-2025-55182
#HackerNews #CriticalRCE #Vulnerabilities #React #Nextjs #Cybersecurity #Vulnerabilities #CVE-2025-55182
Moving Beyond the NPM elliptic Package
If you're in a hurry, head on over to soatok/elliptic-to-noble and follow the instructions in the README in order to remove the elliptic package from your project and all dependencies in node_modules. Art: CMYKat Why replace the elliptic package? Yesterday, the Trail of Bits blog published a post about finding cryptographic bugs in the elliptic library (a Javascript package on NPM) by using the Wycheproof.
http://soatok.blog/2025/11/19/moving-beyond-the-npm-elliptic-package/
#npm #crypto #cryptography #elliptic #security #infosec #cve #mitigation #appsec #javascript #js #npm #npmsecurity #npmpackages
Django Software Foundation is now a CVE Numbering Authority (CNA) assigning CVE IDs for only supported and end-of-life Django versions available at https://www.djangoproject.com/download/ and projects listed at https://github.com/django (such as Django, channels, and daphne), excluding distributions maintained by third-party redistributors.
cve.org/Media/News/item/news/2025/10/28/Django-Added-as-CNA
#CVE #CNA #Vulnerability #VulnerabilityManagement #Cybersecurity
Understanding the Worst .NET Vulnerability
#HackerNews #Understanding #.NET #Vulnerability #Request #Smuggling #CVE-2025-55315 #Cybersecurity
Are these real CVEs? VulDB entries for dnsmasq rely on replacing config files
https://seclists.org/oss-sec/2025/q4/79
#HackerNews #CVE #Vulnerabilities #dnsmasq #VulDB #SecurityIssues #ConfigFiles
"Security" category
Just a thought as I work through some bugs reported to NodeBB... would there be interest in ActivityPub.space hosting a "security" category for discussion around vulnerabilities, CVEs, and such that are related to ActivityPub?
For example, if NodeBB were to receive a bug bounty report and responsibly disclose the details, it would be ideal to have it archived in a place where it won't just disappear off the feed in a matter of minutes.
ICYMI, here's a paper that was trying to answer this research question in the context of #OpenSource #Java projects on GitHub: "What do open-source maintainers think about integrating #VEX into their existing SBOMs?"
TL;DR: "In most cases, our augmented SBOMs were not directly accepted because developers required a continuous SBOM update."
From suspicion to published #curl #CVE. The process.
https://daniel.haxx.se/blog/2025/09/18/from-suspicion-to-published-curl-cve/
I definitely recommend folks read the paper linked in the first post. Here's a TL;DR summary in the form of Figure 1: "A hypothetical graph of risks of loss from penetration and from application of a bad patch. The optimal time to apply a patch is where the risk lines cross."
Folks who like that paper may like this one as well.
It studies Microsoft "Patch Tuesday" updates in particular, which are much different (in my opinion) than your typical open source software updates that are labeled with a CVE.
While many things have not changed since this paper was published in 2002, the landscape around #CVE and open source software has, in my opinion.
This paper mainly contemplates official patches and bulletins from commercial vendors, or at least a CVE that was reviewed by a panel of editors. It rightly calls out that the quality of fixes varies widely.
However, today a CVE in a FOSS package may mean little to nothing in context of a production product or system.
#FOSS
@smb @adamshostack
Indeed, this strategy is more effective when bravehearts deploy changes with ambition and report real-world problems, as we know that it is difficult to exhaustively test a change to the point of eliminating all possible new defective behaviors.
"As a perhaps amusing aside, if everyone were to follow our suggested delay practice, it would become much less effective. Fortunately, we have no expectation that everyone will listen to us."
Unpopular opinion: more people should follow this advice.
Unfortunately, many feel they have no choice but to deploy patches with a "security fix" label on them more quickly than they normally would make changes to complex systems.
#CVE #InfoSec
https://shostack.org/files/papers/time-to-patch-usenix-lisa02.pdf
Did you know SaaS now has its own CVE tag?
For years, vulnerabilities in SaaS services were hard to track – often without a CVE ID at all. That’s finally changing.
👉 The new exclusively-hosted-service tag tells you:
This issue affects only the hosted service (not on-prem).
In many cases, the provider has already fixed it – no customer patch needed.
Microsoft and Google are already using it. That means SaaS CVEs are now easier to find, easier to interpret, and easier to act on.
Why it matters:
Less noise. Better transparency. Smarter triage.
SaaS is the default – it’s about time our vulnerability management caught up. 🌥️🔐
GitHub Copilot: RCE via Prompt Injection
A prompt-injection attack enables Copilot to auto-approve via chat.tools.autoApprove, triggering YOLO mode and running arbitrary code
https://embracethered.com/blog/posts/2025/github-copilot-remote-code-execution-via-prompt-injection/
A space for Bonfire maintainers and contributors to communicate