Learn from real security vulnerabilities and how Orbis AppSec fixed them
A critical buffer overflow vulnerability was discovered in CodeBaseServer2020's `u4name.c` file, where the `c4strcpy()` wrapper around `strcpy()` copied user-controlled filenames into fixed-size buffers without bounds checking. The fix adds proper length validation before concatenating strings, preventing attackers from overflowing the buffer and executing arbitrary code.
A critical heap buffer overflow vulnerability was discovered in the AT client response handler (`sm_at_client.c`) where incoming UART data was copied into a fixed-size buffer without verifying available capacity. A compromised modem or malicious UART data could trigger arbitrary heap corruption. The fix replaces an assertion-only guard with proper bounds clamping using `MIN()` to ensure writes never exceed the `at_cmd_resp` buffer allocation.
A critical vulnerability in the YourSSH application's update service allowed attackers to serve malicious binaries through man-in-the-middle attacks. The `downloadAsset()` function in `update_service.dart` downloaded application binaries directly from URLs without any cryptographic signature or integrity verification. The fix adds SHA-256 digest validation using the GitHub Releases API's digest field, ensuring only authentic binaries are installed.
A critical out-of-bounds read vulnerability was discovered in `hep-tester/heptester.c` where `memcpy` calls at lines 200-201 read from fixed offsets in a packet buffer without verifying the buffer was large enough. An attacker could send a crafted packet shorter than 18 bytes to trigger the read, potentially leaking memory contents or crashing the capture agent. The fix adds a single bounds check against `pkthdr->caplen` before any memory copy operations.
A critical vulnerability in `email/receive.cpp` allowed attackers to trigger a buffer overflow by sending crafted emails with large payloads. The `writefunc()` callback failed to validate that `realloc()` succeeded before writing to the reallocated pointer, risking NULL pointer dereference and potential code execution. The fix adds a simple bounds check that validates the realloc result before use.
A critical NULL pointer dereference vulnerability in the ESP8266 firmware's `user_interface.c` allowed attackers to crash devices by exhausting the limited 80KB heap memory. The `wifi_station_set_default_hostname()` function's `os_malloc` call lacked a proper NULL guard, causing `ets_sprintf` to write to address 0 when allocation failed. The fix corrected a logic inversion in the NULL check condition.
A critical integer overflow vulnerability was discovered in `animation/PlayerAnimation.cpp` where `vCount * sizeof(float) * 3` calculations could wrap around on 32-bit platforms when processing malicious animation files. An attacker could craft a model file with an oversized vertex count to trigger a heap buffer overflow via `memcpy`. The fix adds bounds checks against `SIZE_MAX` before all size computations used in memory copy operations.
A critical memory corruption vulnerability in ShadowsocksR's `server.c` allowed attackers to exploit shallow buffer copies through crafted network packets. The vulnerable `memcpy` operations at line 686 copied `buffer_t` structures containing pointers without deep copying the underlying data, creating use-after-free conditions when buffers were reallocated between copy and restore operations.
LiteLLM versions prior to 1.87.0 contained a critical vulnerability in OIDC userinfo caching that allowed attackers to bypass authentication and escalate privileges through cache key collisions. By upgrading to version 1.87.0, applications eliminate the attack surface that could permit unauthorized users to assume the identity of legitimate authenticated users. This fix is essential for any production system using LiteLLM's OIDC integration.
A critical buffer overflow vulnerability was discovered in `spdm_emu/spdm_emu_common/spdm_emu.c` at line 638, where an unbounded `strcpy()` call copied a user-supplied command-line argument directly into the fixed-size buffer `m_ip_address_string` without any length validation. An attacker able to invoke the `spdm_emu` binary with an oversized argument could corrupt adjacent memory and potentially achieve arbitrary code execution. The fix replaces the unsafe `strcpy()` with a bounded `strncpy()`
A critical shell injection vulnerability in `scripts/mkmultidtb.py` allowed attackers to execute arbitrary commands during the kernel build process by injecting shell metacharacters into device tree binary (DTB) filenames. The vulnerability was caused by using `os.system()` with string concatenation instead of proper subprocess argument handling. This fix migrates to `subprocess.run()` with argument lists, eliminating the attack surface entirely.
A critical SQL injection vulnerability was discovered in `LR2/LR2_statlong.cpp` at line 42, where `sqlite3_snprintf` used the `%s` format specifier instead of `%q` to interpolate a player ID into a SQL query. This single-character difference meant that single quotes in the player ID were inserted verbatim, allowing an attacker to break out of the SQL string literal and inject arbitrary commands. The fix changes `%s` to `%q`, which doubles all single quotes to properly escape them.