![]() |
Description: Goroutine Leak in Abacus SSE Implementation
Summary
A critical goroutine leak vulnerability has been identified in the Abacus server's Server-Sent Events (SSE) implementation. The issue occurs when clients disconnect from the /stream endpoint, as the server fails to properly clean up resources and terminate associated goroutines. This leads to resource exhaustion where the server continues running but eventually stops accepting new SSE connections while maintaining high memory usage. The vulnerability specifically involves improper channel cleanup in the event handling mechanism, causing goroutines to remain blocked indefinitely.
POC
Impact
This vulnerability affects all versions of Abacus prior to v1.4.0. The issue causes:
Permanent unresponsiveness of the /stream endpoint after prolonged use
Memory growth that stabilizes at a high level but prevents proper functionality
Selective denial of service affecting only SSE connections while other endpoints remain functional
Accumulated orphaned goroutines that cannot be garbage collected
High resource consumption under sustained client connection/disconnection patterns
Systems running Abacus in production with client applications that frequently establish and terminate SSE connections are most vulnerable. The issue becomes particularly apparent in high-traffic environments or during connection stress testing.
Patches
The vulnerability has been patched in Abacus v1.4.0. The fix includes:
Implementing buffered channels to prev...
March 3rd, 2025 (4 months ago)
|
![]() |
Description: Counter Claims to have Leaked the Data of Smoke's & Jack's Roleplay Forum
March 3rd, 2025 (4 months ago)
|
![]() |
Description: Counter Claims to have Leaked the Data of TXG Corp
March 3rd, 2025 (4 months ago)
|
CVE-2025-27099 |
Description: Tuleap is an Open Source Suite to improve management of software developments and collaboration. Tuleap allows cross-site scripting (XSS) via the tracker names used in the semantic timeframe deletion message. A tracker administrator with a semantic timeframe used by other trackers could use this vulnerability to force other tracker administrators to execute uncontrolled code. This vulnerability is fixed in Tuleap Community Edition 16.4.99.1740067916 and Tuleap Enterprise Edition 16.4-5 and 16.3-10.
CVSS: MEDIUM (4.8) EPSS Score: 0.04%
March 3rd, 2025 (4 months ago)
|
CVE-2025-27094 |
Description: Tuleap is an open-source suite designed to improve software development management and collaboration. A malicious user with access to a tracker could force-reset certain field configurations, leading to potential information loss. The display time attribute for the date field, the size attribute for the multiselectbox field, the default value, number of rows, and columns attributes for the text field, and the default value, size, and max characters attributes for the string field configurations are lost when added as criteria in a saved report. Additionally, in Tuleap Community Edition versions 16.4.99.1739806825 to 16.4.99.1739877910, this issue could be exploited to prevent access to tracker data by triggering a crash. This vulnerability has been fixed in Tuleap Community Edition 16.4.99.1739877910 and Tuleap Enterprise Edition 16.3-9 and 16.4-4.
CVSS: MEDIUM (5.4) EPSS Score: 0.04%
March 3rd, 2025 (4 months ago)
|
CVE-2025-25185 |
Description: GPT Academic provides interactive interfaces for large language models. In 3.91 and earlier, GPT Academic does not properly account for soft links. An attacker can create a malicious file as a soft link pointing to a target file, then package this soft link file into a tar.gz file and upload it. Subsequently, when accessing the decompressed file from the server, the soft link will point to the target file on the victim server. The vulnerability allows attackers to read all files on the server.
CVSS: HIGH (7.5) EPSS Score: 0.07% SSVC Exploitation: poc
March 3rd, 2025 (4 months ago)
|
CVE-2025-24023 |
Description: Flask-AppBuilder is an application development framework. Prior to 4.5.3, Flask-AppBuilder allows unauthenticated users to enumerate existing usernames by timing the response time from the server when brute forcing requests to login. This vulnerability is fixed in 4.5.3.
CVSS: LOW (3.7) EPSS Score: 0.05%
March 3rd, 2025 (4 months ago)
|
CVE-2025-1801 |
Description: A flaw was found in the Ansible aap-gateway. Concurrent requests handled by the gateway grpc service can result in concurrency issues due to race condition requests against the proxy. This issue potentially allows a less privileged user to obtain the JWT of a greater privileged user, enabling the server to be jeopardized. A user session or confidential data might be vulnerable.
EPSS Score: 0.03% SSVC Exploitation: none
March 3rd, 2025 (4 months ago)
|
CVE-2024-4885 |
🚨 Marked as known exploited on March 3rd, 2025 (4 months ago).
Description: In WhatsUp Gold versions released before 2023.1.3, an unauthenticated Remote Code Execution vulnerability in Progress WhatsUpGold.  The
WhatsUp.ExportUtilities.Export.GetFileWithoutZip
allows execution of commands with iisapppool\nmconsole privileges.
CVSS: CRITICAL (9.8) EPSS Score: 93.68% SSVC Exploitation: active
March 3rd, 2025 (4 months ago)
|
CVE-2024-43169 |
Description: IBM Engineering Requirements Management DOORS Next 7.0.2, 7.0.3, and 7.1 could allow a user to download a malicious file without verifying the integrity of the code.
CVSS: HIGH (8.8) EPSS Score: 0.01%
March 3rd, 2025 (4 months ago)
|