A medium-severity vulnerability was discovered where OAuth tokens and API keys were stored in plaintext on the local filesystem without encryption. Despite having PBKDF2 cryptographic capabilities available in the application's dependencies, these sensitive credentials were written directly to disk, exposing users to potential credential theft and unauthorized account access.
A medium-severity vulnerability was discovered where OAuth tokens and API keys were being stored in plaintext on the local filesystem without any encryption. Despite having PBKDF2 cryptographic capabilities available in the project dependencies, the authentication module was writing sensitive credentials directly to disk, leaving them vulnerable to unauthorized access. This fix addresses a common but dangerous security oversight that could compromise user accounts and API access.
A medium-severity vulnerability was discovered where OAuth tokens and API keys were being stored in plaintext on the local filesystem without any encryption. Despite having PBKDF2 cryptographic capabilities available in the application's dependencies, credentials were written directly to disk, exposing users to potential token theft and unauthorized account access.
A medium-severity vulnerability in file import functionality left applications vulnerable to Denial of Service (DoS) attacks through maliciously crafted files. By exploiting missing resource limits and validation checks, attackers could exhaust server memory with deeply nested JSON or oversized files, potentially bringing down entire services.
A critical rate limiting vulnerability in an Express.js application allowed attackers to bypass API throttling through IP rotation and header manipulation. This fix demonstrates how improperly configured rate limiters can be circumvented through proxy networks, VPNs, and forged X-Forwarded-For headers, potentially enabling brute force attacks, credential stuffing, and resource exhaustion.
A critical security flaw in a browser extension's authentication flow was sending sensitive session tokens and user data to any website using the wildcard "*" origin in postMessage. This vulnerability could have allowed malicious sites to intercept authentication credentials, but was fixed by restricting message delivery to the application's own origin.
A critical session management vulnerability was recently patched in our application that allowed attackers to hijack user sessions by simply manipulating URL parameters. The fix addresses both client-side XSS vulnerabilities through unsafe DOM manipulation and server-side session validation issues, demonstrating how multiple security layers work together to protect user accounts.
A medium-severity vulnerability (CVE-2025-50182) was discovered in urllib3 that fails to properly control HTTP redirects in browsers and Node.js environments. This flaw could allow attackers to redirect users to malicious sites or bypass security controls through crafted redirect chains. The vulnerability has been patched in the latest urllib3 release, and developers should update their dependencies immediately.
A medium-severity security vulnerability was discovered where a Google OAuth access token was inadvertently exposed in documentation files. This incident highlights the critical importance of secrets management and demonstrates how even non-code files can become vectors for credential leakage, potentially granting unauthorized access to Google APIs and user data.
A medium-severity vulnerability was recently patched in libscram's SCRAM authentication implementation, replacing the unsafe strtok() function with its thread-safe alternative strtok_r(). This seemingly small change prevents potential buffer corruption, race conditions, and authentication bypass vulnerabilities that could compromise application security in multi-threaded environments.
A medium-severity vulnerability was discovered in a JavaScript streaming application where insecure WebSocket (ws://) connections were being used instead of secure WebSocket (wss://) connections. This security gap could expose sensitive data to man-in-the-middle attacks, allowing attackers to intercept and manipulate real-time communication between clients and servers.
A medium-severity vulnerability was recently patched in a Go workflow runtime system where code attempted to iterate over a potentially empty map without proper validation. While this may seem like a minor oversight, such patterns can lead to unexpected behavior, logic bugs, and in some cases, exploitable security vulnerabilities when combined with other code paths.