Page 20
A critical vulnerability (CVE-2025-7783) was discovered in the widely-used `form-data` npm package, where an unsafe random function was used to generate multipart boundary strings, making them predictable and potentially exploitable by attackers. The fix upgrades `form-data` to patched versions (2.5.4, 3.0.4, and 4.0.4) across all supported major releases. Developers using any version of `form-data` prior to these patches should upgrade immediately to protect their applications from boundary pre
A critical command injection vulnerability was discovered in a Python snapshot testing script that used subprocess.call() with shell=True, allowing potential execution of arbitrary shell commands. This vulnerability highlights the dangers of passing unsanitized input to shell interpreters and demonstrates why shell=True should be avoided in subprocess calls.
A critical vulnerability in an application using @octokit packages left GitHub API tokens vulnerable to exposure through hardcoding, version control commits, and insecure configuration management. This security flaw could allow attackers to gain unauthorized access to GitHub repositories and organizational resources. Learn how proper secrets management prevents token leakage and protects your GitHub integrations.
A high-severity shell injection vulnerability was discovered in a GitHub Actions workflow that could allow attackers to execute arbitrary code and steal secrets. The vulnerability stemmed from directly interpolating untrusted GitHub context data in shell commands. This post explains the attack vector, demonstrates the fix, and provides best practices for securing your CI/CD pipelines.
A critical use-after-free vulnerability was discovered in ESP32 firmware's display buffer allocation error handling. When memory allocation fails, freed pointers aren't nullified, creating dangling references that attackers can exploit through controlled heap manipulation. This vulnerability demonstrates why proper pointer hygiene is essential in embedded systems security.
A critical command injection vulnerability in a Python script that wraps a C/C++ binary has been patched. The flaw allowed attackers to execute arbitrary commands by injecting shell metacharacters into unsanitized input, potentially compromising entire systems. This fix demonstrates why proper subprocess handling is essential for secure Python development.
A medium-severity vulnerability was discovered in GitLab's export script where the subprocess module was used without proper security considerations, potentially enabling command injection attacks. This fix demonstrates why choosing the right process execution method is critical for application security, and how a simple module selection can make the difference between secure and vulnerable code.
A medium-severity command injection vulnerability was discovered in the OSSFS service's file system operations, where subprocess.run() calls with shell=True or unsanitized user-controlled paths could allow attackers to execute arbitrary commands. This vulnerability highlights the critical importance of input validation and secure subprocess handling when dealing with user-provided file paths and mount points.
A critical security update addresses both path traversal vulnerabilities in file system endpoints and a dependency issue with aiohttp's cookie handling. This fix demonstrates how modern applications face security threats on multiple fronts—from custom code vulnerabilities to third-party library weaknesses—and why comprehensive security auditing is essential.
A medium-severity vulnerability (CVE-2026-31808) was discovered in the file-type library's ASF parser that could cause infinite loops when processing malformed media files with zero-size sub-headers. This denial-of-service vulnerability could crash applications that rely on file-type for media file validation, affecting availability and user experience.
A critical authentication bypass vulnerability was discovered in a dashboard application where JWT tokens could be forged due to improper validation. The vulnerability affected multiple routes including backup, live chat, and authentication endpoints, potentially allowing attackers to access sensitive operations without proper authorization. This fix demonstrates why robust JWT validation is essential for API security.
A medium-severity vulnerability was discovered in a Docker CLI authentication plugin where OAuth tokens and API keys were stored in plaintext on the local filesystem without any encryption. Despite having PBKDF2 cryptographic capabilities available in the project dependencies, the authentication store was writing sensitive credentials directly to disk, exposing them to potential theft by malicious actors with filesystem access.