Security Research

Security Blog

Page 14

critical9 min

How command injection happens in Go ffmpeg wrappers and how to fix it

A critical command injection vulnerability was discovered in `drivers/local/util.go` where user-influenced file paths were passed directly to `ffmpeg.Input()` without any sanitization. Because many ffmpeg wrapper libraries construct shell command strings under the hood, an attacker could embed shell metacharacters in a file path to execute arbitrary OS commands with server-level privileges. The fix introduces a `sanitizeFilePath()` function that validates paths are absolute, clean, and point to

#command-injection#go#security+4 more
O
orbisai0security
Jun 6, 2026
critical9 min

How buffer overflow in P-256 key decompression happens in C with mbedTLS and how to fix it

A critical buffer overflow vulnerability was discovered in `helpers/src/edhoc_cipher_suite_2.c` within the EDHOC cipher suite 2 implementation. The `mbedtls_ecp_decompress()` function used `raw_key_len` to copy a compressed peer public key into a fixed-size buffer without first verifying that the key length fit within the destination. An attacker sending a crafted EDHOC message with an oversized compressed key could exploit this to corrupt adjacent memory, potentially achieving remote code execu

#buffer-overflow#C#mbedTLS+4 more
O
orbisai0security
Jun 5, 2026
critical6 min

How heap buffer overflow happens in C++ JPEG2000 decoding and how to fix it

A critical heap buffer overflow vulnerability was discovered in the OpenJPEG wrapper for Android (jp2forandroid). The `opj_read_from_byte_array()` function performed memcpy operations without validating that the source offset hadn't exceeded the buffer length, allowing maliciously crafted JPEG2000 images to trigger arbitrary code execution. A simple bounds check before the copy operation now prevents this exploitation path.

#security#buffer-overflow#cpp+4 more
O
orbisai0security
Jun 5, 2026
critical7 min

How buffer overflow happens in C strcpy() and how to fix it

A critical buffer overflow vulnerability was discovered in CodeBaseServer2020's u4name.c file, where the `c4strcpy()` wrapper around `strcpy()` copied user-controlled filenames into fixed-size buffers without bounds checking. The fix adds proper length validation before concatenating strings, preventing attackers from overflowing the buffer and executing arbitrary code.

#buffer-overflow#c-security#memory-safety+4 more
O
orbisai0security
Jun 4, 2026
critical6 min

How heap buffer overflow happens in C UART response handling and how to fix it

A critical heap buffer overflow vulnerability was discovered in the AT client response handler (`sm_at_client.c`) where incoming UART data was copied into a fixed-size buffer without verifying available capacity. A compromised modem or malicious UART data could trigger arbitrary heap corruption. The fix replaces an assertion-only guard with proper bounds clamping using `MIN()` to ensure writes never exceed the `at_cmd_resp` buffer allocation.

#security#buffer-overflow#c+4 more
O
orbisai0security
Jun 4, 2026
critical6 min

How unsigned binary downloads happen in Dart update services and how to fix it

A critical vulnerability in the YourSSH application's update service allowed attackers to serve malicious binaries through man-in-the-middle attacks. The `downloadAsset()` function in `update_service.dart` downloaded application binaries directly from URLs without any cryptographic signature or integrity verification. The fix adds SHA-256 digest validation using the GitHub Releases API's digest field, ensuring only authentic binaries are installed.

#security#dart#flutter+4 more
O
orbisai0security
Jun 3, 2026
critical6 min

How out-of-bounds read via unchecked memcpy happens in C packet processing and how to fix it

A critical out-of-bounds read vulnerability was discovered in `hep-tester/heptester.c` where `memcpy` calls at lines 200-201 read from fixed offsets in a packet buffer without verifying the buffer was large enough. An attacker could send a crafted packet shorter than 18 bytes to trigger the read, potentially leaking memory contents or crashing the capture agent. The fix adds a single bounds check against `pkthdr->caplen` before any memory copy operations.

#security#c#buffer-overflow+4 more
O
orbisai0security
Jun 3, 2026
critical7 min

How unsafe realloc() and memcpy() causes buffer overflow in C email parsing and how to fix it

A critical vulnerability in `email/receive.cpp` allowed attackers to trigger a buffer overflow by sending crafted emails with large payloads. The `writefunc()` callback failed to validate that `realloc()` succeeded before writing to the reallocated pointer, risking NULL pointer dereference and potential code execution. The fix adds a simple bounds check that validates the realloc result before use.

#buffer-overflow#c-security#memory-safety+4 more
O
orbisai0security
Jun 3, 2026
high6 min

NULL Pointer Dereference in ESP8266 user_interface.c wifi_station_set_default_hostname()

A critical NULL pointer dereference vulnerability in the ESP8266 firmware's `user_interface.c` allowed attackers to crash devices by exhausting the limited 80KB heap memory. The `wifi_station_set_default_hostname()` function's `os_malloc` call lacked a proper NULL guard, causing `ets_sprintf` to write to address 0 when allocation failed. The fix corrected a logic inversion in the NULL check condition.

#security#null-pointer-dereference#esp8266+4 more
O
orbisai0security
Jun 3, 2026
high5 min

Integer Overflow in PlayerAnimation.cpp memcpy Size Calculations

A critical integer overflow vulnerability was discovered in `animation/PlayerAnimation.cpp` where `vCount * sizeof(float) * 3` calculations could wrap around on 32-bit platforms when processing malicious animation files. An attacker could craft a model file with an oversized vertex count to trigger a heap buffer overflow via memcpy. The fix adds bounds checks against `SIZE_MAX` before all size computations used in memory copy operations.

#security#integer-overflow#cpp+4 more
O
orbisai0security
Jun 3, 2026
critical7 min

Shallow Copy Memory Corruption in ShadowsocksR server.c Buffer Handling

A critical memory corruption vulnerability in ShadowsocksR's server.c allowed attackers to exploit shallow buffer copies through crafted network packets. The vulnerable memcpy operations at line 686 copied buffer_t structures containing pointers without deep copying the underlying data, creating use-after-free conditions when buffers were reallocated between copy and restore operations.

#use-after-free#memory-corruption#shadowsocksr+4 more
O
orbisai0security
Jun 2, 2026
critical7 min

Critical OIDC Cache Key Collision in LiteLLM: Authentication Bypass & Privilege Escalation

LiteLLM versions prior to 1.87.0 contained a critical vulnerability in OIDC userinfo caching that allowed attackers to bypass authentication and escalate privileges through cache key collisions. By upgrading to version 1.87.0, applications eliminate the attack surface that could permit unauthorized users to assume the identity of legitimate authenticated users. This fix is essential for any production system using LiteLLM's OIDC integration.

#security#authentication#oidc+5 more
O
orbisai0security
Jun 2, 2026