Security vulnerabilities and automated fixes for deserialization issues
4 posts found
A high-severity untrusted deserialization vulnerability was discovered in `TransferLearningTF.ipynb`, a transfer learning tutorial notebook that loads VGG16 model weights from the internet without verifying their integrity. Because Keras relies on Python's pickle-based serialization format under the hood, a tampered or substituted weights file could execute arbitrary code with the full privileges of the notebook user. The fix adds a SHA-256 checksum verification step immediately after the weight
A high-severity vulnerability (CVE-2026-42570) was discovered in the devalue library version 5.7.1, used by the Astro-powered website. This vulnerability allowed attackers to trigger denial-of-service conditions through maliciously crafted sparse arrays during deserialization. The fix involved upgrading devalue from 5.7.1 to 5.8.1, which implements proper safeguards against sparse array exploitation.
A high-severity Denial of Service vulnerability (CVE-2026-42570) was discovered in the `devalue` library used by the Orbis AppSec blog site, where maliciously crafted sparse arrays during deserialization could exhaust server resources. The fix upgrades `devalue` from version 5.6.4 to 5.8.1 in `blog-site/package-lock.json` and adds an explicit override in `package.json` to ensure the patched version is consistently enforced across the dependency tree. Left unpatched, this vulnerability could have
A critical pre-authentication remote code execution vulnerability (CVE-2025-55182) was discovered in Next.js React Server Components, allowing attackers to execute arbitrary code on servers without any login or credentials required. The flaw stems from unsafe deserialization of untrusted data passed through the RSC pipeline. The vulnerability has been patched across multiple Next.js release lines, and all affected projects should upgrade immediately.