CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!
Threat and Vulnerability Intelligence Database
Example Searches:
CVE
Threat Actors
Countries
Vendors
Severity
Known Exploited
|
Description: Impact
This is a prototype pollution vulnerability. It impacts users of the set function within the Radashi library. If an attacker can control parts of the path argument to the set function, they could potentially modify the prototype of all objects in the JavaScript runtime, leading to unexpected behavior, denial of service, or even remote code execution in some specific scenarios.
Patches
The vulnerability has been patched in commit 8147abc8cfc3cfe9b9a17cd389076a5d97235a66. Users should upgrade to a version of Radashi that includes this commit. The fix utilizes a new helper function, isDangerousKey, to prevent the use of __proto__, prototype, or constructor as keys in the path, throwing an error if any are encountered. This check is bypassed for objects with a null prototype.
Workarounds
Users on older versions can mitigate this vulnerability by sanitizing the path argument provided to the set function to ensure that no part of the path string is __proto__, prototype, or constructor. For example, by checking each segment of the path before passing it to the set function.
References
Git commit: 8147abc8cfc3cfe9b9a17cd389076a5d97235a66
CWE-1321: Improperly Controlled Modification of Dynamically-Determined Object Attributes ('Prototype Pollution'): https://cwe.mitre.org/data/definitions/1321.html
References
https://github.com/radashi-org/radashi/security/advisories/GHSA-2xv9-ghh9-xc69
https://nvd.nist.gov/vuln/detail/CVE-2025-48054
https://github.com/radashi-org/radashi...
CVSS: MEDIUM (6.8) EPSS Score: 0.56%
May 27th, 2025 (22 days ago)
|
|
|
Description: Marked prior to version 0.3.17 is vulnerable to a Regular Expression Denial of Service (ReDoS) attack due to catastrophic backtracking in several regular expressions used for parsing HTML tags and markdown links. An attacker can exploit this vulnerability by providing specially crafted markdown input, such as deeply nested or repetitively structured brackets or tag attributes, which cause the parser to hang and lead to a Denial of Service.
References
https://nvd.nist.gov/vuln/detail/CVE-2018-25110
https://github.com/markedjs/marked/issues/1070
https://github.com/markedjs/marked/pull/1083
https://github.com/markedjs/marked/commit/20bfc106013ed45713a21672ad4a34df94dcd485
https://github.com/Checkmarx/Vulnerabilities-Proofs-of-Concept/tree/main/2018/CVE-2018-25110
https://github.com/advisories/GHSA-p9wx-2529-fp83
CVSS: MEDIUM (6.9)
May 27th, 2025 (22 days ago)
|
CVE-2025-5245 |
Description: A vulnerability classified as critical has been found in GNU Binutils up to 2.44. This affects the function debug_type_samep of the file /binutils/debug.c of the component objdump. The manipulation leads to memory corruption. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. Es wurde eine Schwachstelle in GNU Binutils bis 2.44 entdeckt. Sie wurde als kritisch eingestuft. Es geht dabei um die Funktion debug_type_samep der Datei /binutils/debug.c der Komponente objdump. Durch Manipulation mit unbekannten Daten kann eine memory corruption-Schwachstelle ausgenutzt werden. Der Angriff muss lokal erfolgen. Der Exploit steht zur öffentlichen Verfügung. Als bestmögliche Massnahme wird Patching empfohlen.
CVSS: MEDIUM (4.8) EPSS Score: 0.02%
May 27th, 2025 (22 days ago)
|
|
CVE-2025-3704 |
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in DBAR Productions Volunteer Sign Up Sheets allows Stored XSS.This issue affects Volunteer Sign Up Sheets: from n/a before 5.5.5.
The patch is available exclusively on GitHub at https://github.com/dbarproductions/pta-volunteer-sign-up-sheets , as the vendor encounters difficulties using SVN to deploy to the WordPress.org repository.
CVSS: MEDIUM (5.9) EPSS Score: 0.03%
May 27th, 2025 (22 days ago)
|
|
CVE-2025-5269 |
Description: Memory safety bug present in Firefox ESR 128.10, and Thunderbird 128.10. This bug showed evidence of memory corruption and we presume that with enough effort this could have been exploited to run arbitrary code. This vulnerability affects Firefox ESR < 128.11.
CVSS: MEDIUM (6.5) EPSS Score: 0.06%
May 27th, 2025 (23 days ago)
|
|
CVE-2025-5268 |
Description: Memory safety bugs present in Firefox 138, Thunderbird 138, Firefox ESR 128.10, and Thunderbird 128.10. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 139 and Firefox ESR < 128.11.
CVSS: MEDIUM (6.5) EPSS Score: 0.08%
May 27th, 2025 (23 days ago)
|
|
CVE-2025-5267 |
Description: A clickjacking vulnerability could have been used to trick a user into leaking saved payment card details to a malicious page. This vulnerability affects Firefox < 139 and Firefox ESR < 128.11.
CVSS: MEDIUM (5.4) EPSS Score: 0.06%
May 27th, 2025 (23 days ago)
|
|
CVE-2025-5266 |
Description: Script elements loading cross-origin resources generated load and error events which leaked information enabling XS-Leaks attacks. This vulnerability affects Firefox < 139 and Firefox ESR < 128.11.
CVSS: MEDIUM (6.5) EPSS Score: 0.08%
May 27th, 2025 (23 days ago)
|
|
CVE-2025-5265 |
Description: Due to insufficient escaping of the ampersand character in the “Copy as cURL” feature, an attacker could trick a user into using this command, potentially leading to local code execution on the user's system.
*This bug only affects Firefox for Windows. Other versions of Firefox are unaffected.* This vulnerability affects Firefox < 139, Firefox ESR < 115.24, and Firefox ESR < 128.11.
CVSS: MEDIUM (4.8) EPSS Score: 0.02%
May 27th, 2025 (23 days ago)
|
|
CVE-2025-5264 |
Description: Due to insufficient escaping of the newline character in the “Copy as cURL” feature, an attacker could trick a user into using this command, potentially leading to local code execution on the user's system. This vulnerability affects Firefox < 139, Firefox ESR < 115.24, and Firefox ESR < 128.11.
CVSS: MEDIUM (4.8) EPSS Score: 0.03%
May 27th, 2025 (23 days ago)
|