Security Research

Security Blog

Page 11

critical5 min

How buffer overflow happens in C xxd utility and how to fix it

A critical buffer overflow vulnerability was discovered in the xxd utility's `xxdline()` function where `strcpy()` was used without bounds checking on file input. An attacker could craft a malicious hex dump file with oversized lines to trigger memory corruption. The fix replaces the unsafe `strcpy()` with `snprintf()` to enforce buffer size limits.

#security#buffer-overflow#c+4 more
O
orbisai0security
Jun 14, 2026
critical8 min

How command injection happens in Java Runtime.exec() and how to fix it

A critical OS command injection vulnerability (CWE-78) was discovered in `page-object/sample-application/src/main/java/com/iluwatar/pageobject/App.java` at line 81, where a single-string invocation of `Runtime.getRuntime().exec()` passed a concatenated command directly to the Windows shell, allowing an attacker who controls the `applicationFile` value to chain arbitrary OS commands. The fix replaces this dangerous pattern with a properly constructed `ProcessBuilder` that uses absolute executable

#command-injection#java#cwe-78+4 more
O
orbisai0security
Jun 14, 2026
critical8 min

How LDAP injection happens in C with OpenLDAP and how to fix it

A high-severity LDAP injection vulnerability was discovered in the OpenSIPS H350 module, where the `ldap_rfc4515_escape()` function failed to escape the NUL byte (`\0`) — one of the special characters defined in RFC 4515. This gap meant that crafted SIP URI values could bypass the escaping logic and manipulate LDAP filter queries. The fix adds explicit NUL byte escaping and replaces potentially unsafe `strncpy` calls with `memcpy` to ensure correct buffer handling.

#ldap-injection#opensips#c+4 more
O
orbisai0security
Jun 14, 2026
critical9 min

How command injection happens in Lua OpenWrt RPC handlers and how to fix it

A critical command injection vulnerability in the `luci.natflow` RPC handler allowed authenticated attackers to pass arbitrary shell metacharacters through the `kick_user`, `block_user`, and `allow_user` functions, which forwarded the unsanitized input directly to `sys.call()` as root. The fix adds a strict IPv4 regex validation pattern before any shell command is constructed, ensuring only legitimate IP addresses can reach the dangerous sink. This kind of targeted input allowlisting is the gold

#command-injection#lua#openwrt+4 more
O
orbisai0security
Jun 14, 2026
critical8 min

How unbounded strcpy() causes heap buffer overflow in C NGINX modules and how to fix it

A critical buffer overflow vulnerability was discovered in the 51Degrees NGINX module (`ngx_http_51D_module.c`), where four uses of unbounded `strcpy()` allowed attackers to overflow fixed-size heap buffers by sending HTTP requests with oversized header names. The fix replaces all unsafe string operations with length-bounded NGINX-native alternatives (`ngx_memcpy` and `ngx_cpystrn`), preventing memory corruption without any change to functional behavior.

#buffer-overflow#c#nginx+4 more
O
orbisai0security
Jun 14, 2026
high7 min

How cryptographic binding vulnerabilities happen in Rust OpenSSL and how to fix it

CVE-2026-41676 is a high-severity vulnerability in the rust-openssl crate that could allow attackers to exploit cryptographic operations. The fix involves upgrading from version 0.10.63 to 0.10.81, removing unsafe dependency chains, and ensuring proper OpenSSL binding integrity. This vulnerability demonstrates why keeping cryptographic libraries current is critical for production Rust applications.

#rust#openssl#cryptography+4 more
O
orbisai0security
Jun 13, 2026
critical6 min

How buffer overflow in memcpy() happens in C/C++ embedded firmware and how to fix it

A critical buffer overflow vulnerability was discovered in the ESP32-based micro-journal firmware where `memcpy()` calls used `strlen()` without bounds checking, allowing oversized USB descriptor strings to corrupt adjacent memory. The fix replaces unbounded `strlen()` with `strnlen()` calls that enforce the destination buffer sizes (8, 16, and 4 bytes respectively), preventing heap/stack corruption from malicious USB devices.

#security#buffer-overflow#c-cpp+4 more
O
orbisai0security
Jun 12, 2026
high6 min

How Denial of Service via crafted URI templates happens in Ruby addressable and how to fix it

A high-severity Denial of Service vulnerability (CVE-2026-35611) was discovered in the Ruby `addressable` gem versions prior to 2.9.0, which could allow attackers to crash or hang applications by sending specially crafted URI templates. The fix upgrades the dependency from version 2.8.7 to 2.9.0 across the Gemfile, Gemfile.lock, and gemspec in a Fastlane project, eliminating the vulnerable code path entirely.

#security#ruby#denial-of-service+4 more
O
orbisai0security
Jun 12, 2026
critical6 min

How Server-Side Request Forgery (SSRF) happens in Python requests.get() and how to fix it

A critical Server-Side Request Forgery (SSRF) vulnerability was discovered in `models/common.py` where `requests.get()` fetched images from arbitrary URLs without validating whether the target resolved to internal infrastructure. An attacker could supply URLs targeting AWS metadata endpoints (169.254.169.254), private networks, or localhost services through the Flask REST API. The fix introduces DNS-resolution-based validation using Python's `socket.getaddrinfo()` and `ipaddress` module to block

#ssrf#python#security+4 more
O
orbisai0security
Jun 11, 2026
critical5 min

How command injection happens in Python subprocess and how to fix it

A critical command injection vulnerability was discovered in export.py where subprocess calls used `shell=True` with user-controllable CLI arguments. An attacker could inject shell metacharacters through model paths or export parameters to execute arbitrary commands on the host system. The fix replaces shell-based command execution with safer list-based subprocess calls that prevent command injection.

#security#command-injection#python+4 more
O
orbisai0security
Jun 11, 2026
critical6 min

How integer overflow in path_join() happens in C and how to fix it

A critical integer overflow vulnerability was discovered in the `__cstl_join` function in `opencstl/filesystem.h` that could allow attackers to trigger a heap buffer overflow by supplying crafted file path strings. The fix adds an explicit overflow check before the size calculation, returning NULL when the combined path lengths would wrap around the `size_type64` maximum value.

#security#integer-overflow#buffer-overflow+4 more
O
orbisai0security
Jun 11, 2026
high8 min

How a named pipe I/O race condition happens in Rust mio and how to fix it

CVE-2024-27308 is a high-severity vulnerability in the Rust `mio` crate (versions prior to 0.8.11) that exposes a race condition in named pipe I/O event handling on Windows. The fix upgrades `mio` from version 0.8.10 to 0.8.11, closing the window for potential exploitation in applications like `rpm-ostree` that depend on async I/O. Because `mio` sits at the foundation of the Tokio async runtime, this flaw has wide blast radius across the Rust ecosystem.

#rust#cve-2024-27308#mio+4 more
O
orbisai0security
Jun 10, 2026