https://codeberg.org/forgejo/forgejo/src/branch/forgejo/release-notes-published/13.0.2.md reports:
Forgejo before 13.0.2 allows attackers to write to unintended files, and possibly obtain server shell access, because of mishandling of out-of-repository symlink destinations for template repositories. This is also fixed for 11 LTS in 11.0.7 and later.
The fluidsynth authors report:
A race condition during unloading of a DLS file can trigger a heap-based use-after-free. A concurrently running thread may be pending to unload a DLS file, leading to use of freed memory, if the synthesizer is being concurrently destroyed, or samples of the (unloaded) DLS file are concurrently used to synthesize audio. Realistically, both scenarios will result in a denial of service. In worst cases, it may result in arbitrary code execution in the context of an application using FluidSynth.
https://jira.mongodb.org/browse/SERVER-115508 reports:
Mismatched length fields in Zlib compressed protocol headers may allow a read of uninitialized heap memory by an unauthenticated client.
The traefik project reports:
There is a potential vulnerability in Traefik NGINX provider managing the nginx.ingress.kubernetes.io/proxy-ssl-verify annotation. The provider inverts the semantics of the nginx.ingress.kubernetes.io/proxy-ssl-verify annotation. Setting the annotation to "on" (intending to enable backend TLS certificate verification) actually disables verification, allowing man-in-the-middle attacks against HTTPS backends when operators believe they are protected.
The traefik project reports:
There is a potential vulnerability in Traefik managing the requests using a PathPrefix, Path or PathRegex matcher. When Traefik is configured to route the requests to a backend using a matcher based on the path, if the request path contains an encoded restricted character from the following set ('/', '', 'Null', ';', '?', '#'), it is possible to target a backend, exposed using another router, bypassing the middlewares chain.
vulndb reports:
A vulnerability, which was classified as critical, was found in smb4k up to 4.0.4. Affected is some unknown functionality of the component Mount Helper. The manipulation with an unknown input leads to an access control vulnerability. CWE is classifying the issue as CWE-284. The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. This is going to have an impact on integrity, and availability. The advisory is available at seclists.org. The exploitability is told to be easy. Local access is required to approach this attack. The technical details are unknown and an exploit is not available.
https://bugzilla.mozilla.org/show_bug.cgi?id=2000597 reports:
Use-after-free in the Disability Access APIs component.
https://bugzilla.mozilla.org/buglist.cgi?bug_id=1996570%2C1999700 reports:
Memory safety bugs present in Firefox 146. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
Chrome Releases reports:
This update includes 2 security fixes:
- [448294721] High CVE-2025-14765: Use after free in WebGPU. Reported by Anonymous on 2025-09-30
- [466786677] High CVE-2025-14766: Out of bounds read and write in V8. Reported by Shaheen Fazim on 2025-12-08
smallstep reports:
An attacker can bypass authorization checks and force a Step CA ACME or SCEP provisioner to create certificates without completing certain protocol authorization checks.
The rtsol(8) and rtsold(8) programs do not validate the domain search list options provided in router advertisement messages; the option body is passed to resolvconf(8) unmodified.
resolvconf(8) is a shell script which does not validate its input. A lack of quoting meant that shell commands passed as input to resolvconf(8) may be executed.
Systems running rtsol(8) or rtsold(8) are vulnerable to remote code execution from systems on the same network segment. In particular, router advertisement messages are not routable and should be dropped by routers, so the attack does not cross network boundaries.
In some cases, the `tcp-setmss` handler may free the packet data and throw an error without halting the rule processing engine. A subsequent rule can then allow the traffic after the packet data is gone, resulting in a NULL pointer dereference.
Maliciously crafted packets sent from a remote host may result in a Denial of Service (DoS) if the `tcp-setmss` directive is used and a subsequent rule would allow the traffic to pass.
The Roundcube project reports:
Cross-Site-Scripting vulnerability via SVG’s animate tag
Information Disclosure vulnerability in the HTML style sanitizer
https://nextjs.org/blog/security-update-2025-12-11 reports:
Description
(Medium) Source Code Exposure: CVE-2025-55183
A specifically crafted HTTP request can cause a Server Function to return the compiled source code of other Server Functions in your application. This could reveal business logic. Secrets could also be exposed if they are defined directly in your code (rather than accessed via environment variables at runtime) and referenced within a Server Function. Depending on your bundler configuration, these values may be inlined into the compiled function output.
(High) Denial of Service: CVE-2025-55184
A specifically crafted HTTP request can be sent to any App Router endpoint that, when deserialized, can cause an infinite loop that hangs the server process and prevents future HTTP requests from being served.
varnish developers report:
Common usage of vmod-digest is for basic HTTP authentication, in which case it may be possible for an attacker to circumvent the authentication check. If the decoded result string is somehow being made visible to the attacker (for example the result of the decoding is added to a response header), then there is the potential for information disclosure from reading out of band workspace data.
Jenkins Security Advisory:
Description
(High) SECURITY-3630 / CVE-2025-67635
Denial of service vulnerability in HTTP-based CLI
(Medium) SECURITY-1809 / CVE-2025-67636
Missing permission check on password fields
(Medium) SECURITY-783 / CVE-2025-67637 (storage), CVE-2025-67638 (masking)
Build authorization token stored and displayed in plain text
(Low) SECURITY-1166 / CVE-2025-67639
CSRF vulnerability on the login form
https://github.com/c-ares/c-ares/security/advisories/GHSA-jq53-42q6-pqr5 reports:
c-ares is an asynchronous resolver library. Versions 1.32.3 through 1.34.5 terminate a query after maximum attempts when using read_answer() and process_answer(), which can cause a Denial of Service. This issue is fixed in version 1.34.6.
Chrome Releases reports:
This update includes 3 security fixes:
- [466192044] High: Under coordination.
- [460599518] Medium CVE-2025-14372: Use after free in Password Manager. Reported by Weipeng Jiang (@Krace) of VRI on 2025-11-14
- [461532432] Medium CVE-2025-14373: Inappropriate implementation in Toolbar. Reported by Khalil Zhani on 2025-11-18
https://jira.mongodb.org/browse/SERVER-106075 reports:
A post-authentication flaw in the network two-phase commit protocol used for cross-shard transactions in MongoDB Server may lead to logical data inconsistencies under specific conditions which are not predictable and exist for a very short period of time. This error can cause the transaction coordination logic to misinterpret the transaction as committed, resulting in inconsistent state on those shards. This may lead to low integrity and availability impact.
https://bugzilla.mozilla.org/buglist.cgi?bug_id=1966501%2C1997639 reports:
Memory safety bugs. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
https://bugzilla.mozilla.org/buglist.cgi?bug_id=1963153%2C1985058%2C1995637%2C1997118 reports:
Memory safety bugs. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
https://bugzilla.mozilla.org/show_bug.cgi?id=2000218 reports:
Same-origin policy bypass in the Request Handling component.
https://bugzilla.mozilla.org/show_bug.cgi?id=1997503 reports:
JIT miscompilation in the JavaScript Engine: JIT component.
https://bugzilla.mozilla.org/show_bug.cgi?id=1997018 reports:
Privilege escalation in the Netmonitor component.
https://bugzilla.mozilla.org/show_bug.cgi?id=1996761 reports:
Privilege escalation in the Netmonitor component.
https://bugzilla.mozilla.org/show_bug.cgi?id=1970743 reports:
Spoofing issue in the Downloads Panel component.
https://bugzilla.mozilla.org/show_bug.cgi?id=1840666 reports:
Use-after-free in the Audio/Video: GMP component.
https://bugzilla.mozilla.org/show_bug.cgi?id=1998050 reports:
JIT miscompilation in the JavaScript Engine: JIT component.
https://bugzilla.mozilla.org/show_bug.cgi?id=1996555 reports:
Privilege escalation in the DOM: Notifications component.
https://bugzilla.mozilla.org/show_bug.cgi?id=1996473 reports:
Sandbox escape due to incorrect boundary conditions in the Graphics: CanvasWebGL component.
https://bugzilla.mozilla.org/show_bug.cgi?id=1992760 reports:
Use-after-free in the WebRTC: Signaling component.
Gitlab reports:
Cross-site scripting issue in Wiki impacts GitLab CE/EE
Improper encoding in vulnerability reports impacts GitLab CE/EE
Cross-site scripting issue in Swagger UI impacts GitLab CE/EE
Denial of service issue in GraphQL endpoints impacts GitLab CE/EE
Authentication bypass issue for WebAuthn users impacts GitLab CE/EE
Denial of service issue in ExifTool processing impacts GitLab CE/EE
Denial of service issue in Commit API impacts GitLab CE/EE
Information disclosure issue in compliance frameworks impacts GitLab EE
Information disclosure through error messages impacts GitLab CE/EE
HTML injection issue in merge request titles impacts GitLab CE/EE
Hugo van Kemenade reports:
Python 3.14.2 and 3.13.11 are now available [... and] come with some bonus security fixes.
- gh-142145: Remove quadratic behavior in node ID cache clearing (CVE-2025-12084)
- gh-119451: Fix a potential denial of service in http.client [only in 3.13; CVE-2025-13836]
- gh-119452: Fix a potential virtual memory allocation denial of service in http.server [affects platforms without fork()]
Chrome Releases reports:
This update includes 13 security fixes:
- [456547591] High CVE-2025-13630: Type Confusion in V8. Reported by Shreyas Penkar (@streypaws) on 2025-10-31
- [448113221] High CVE-2025-13631: Inappropriate implementation in Google Updater. Reported by Jota Domingos on 2025-09-29
- [439058242] High CVE-2025-13632: Inappropriate implementation in DevTools. Reported by Leandro Teles on 2025-08-16
- [458082926] High CVE-2025-13633: Use after free in Digital Credentials. Reported by Chrome on 2025-11-05
- [429140219] Medium CVE-2025-13634: Inappropriate implementation in Downloads. Reported by Eric Lawrence of Microsoft on 2025-07-02
- [457818670] Medium CVE-2025-13720: Bad cast in Loader. Reported by Chrome on 2025-11-04
- [355120682] Medium CVE-2025-13721: Race in v8. Reported by Chrome on 2024-07-23
- [405727341] Low CVE-2025-13635: Inappropriate implementation in Downloads. Reported by Hafiizh on 2025-03-24
- [446181124] Low CVE-2025-13636: Inappropriate implementation in Split View. Reported by Khalil Zhani on 2025-09-20
- [392375329] Low CVE-2025-13637: Inappropriate implementation in Downloads. Reported by Hafiizh on 2025-01-27
- [448046109] Low CVE-2025-13638: Use after free in Media Stream. Reported by sherkito on 2025-09-29
- [448408148] Low CVE-2025-13639: Inappropriate implementation in WebRTC. Reported by Philipp Hancke on 2025-10-01
- [452071826] Low CVE-2025-13640: Inappropriate implementation in Passwords. Reported by Anonymous on 2025-10-14
https://github.com/spotipy-dev/spotipy/security/advisories/GHSA-r77h-rpp9-w2xm reports:
Spotipy is a Python library for the Spotify Web API. Prior to version 2.25.2, there is a cross-site scripting (XSS) vulnerability in the OAuth callback server that allows for JavaScript injection through the unsanitized error parameter. Attackers can execute arbitrary JavaScript in the user's browser during OAuth authentication. This issue has been patched in version 2.25.2.
X.Org reports:
Multiple issues have been found in xkbcomp that have previously been published as CVEs in libxkbcommon. libxkbcommon is (to some degree) a fork of xkbcomp and some of the code base is identical. These CVEs were published earlier as:
- CVE-2018-15853: Endless recursion in xkbcomp/expr.c resulting in a crash
- CVE-2018-15859: NULL pointer dereference when parsing invalid atoms in ExprResolveLhs resulting in a crash
- CVE-2018-15861: NULL pointer dereference in ExprResolveLhs resulting in a crash
- CVE-2018-15863: NULL pointer dereference in ResolveStateAndPredicate resulting in a crash
https://github.com/pnggroup/libpng/security/advisories/GHSA-9mpm-9pxh-mg4f reports:
Prior to 1.6.52, an out-of-bounds read vulnerability in libpng's simplified API allows reading up to 1012 bytes beyond the png_sRGB_base[512] array when processing valid palette PNG images with partial transparency and gamma correction. The PNG files that trigger this vulnerability are valid per the PNG specification; the bug is in libpng's internal state management.
The libvirt project reports:
See changelog for details.
The Apache httpd project reports:
See changelog or 2.4 vulnerabilities for details.
The Go project reports:
Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out.
Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime. Therefore, a certificate provided by a malicious actor can result in excessive resource consumption.
https://jira.mongodb.org/browse/SERVER-103582 reports:
A user with access to the cluster with a limited set of privilege actions may be able to terminate queries that are being executed by other users. This may cause a denial of service by preventing a fraction of queries from successfully completing.
https://jira.mongodb.org/browse/SERVER-108565 reports:
Inconsistent object size validation in time series processing logic may result in later processing of oversized BSON documents leading to an assert failing and process termination.
https://jira.mongodb.org/browse/SERVER-101180 reports:
MongoDB Server may experience an invariant failure during batched delete operations when handling documents. The issue arises when the server mistakenly assumes the presence of multiple documents in a batch based solely on document size exceeding BSONObjMaxSize.
wolfSSL blog reports:
This release includes multiple fixes across TLS 1.2, TLS 1.3, X25519, XChaCha20-Poly1305, and PSK processing. Highlights include:
- A timing-side-channel issue in X25519 specifically affecting Xtensa-based ESP32 devices. Low-memory X25519 implementations are now the default for Xtensa.
- A medium-severity TLS 1.3 server-side DoS risk from repeated KeyShareEntry values in malicious ClientHello messages.
- Several TLS 1.3 downgrade-related issues (PFS downgrades, signature algorithm downgrades, and duplicate extension parsing).
- A memory leak risk in TLS 1.2 certificate digest handling.
- XChaCha20-Poly1305 decryption bounds-check fix and constant-time improvements in PSK binder verification.
https://jira.mongodb.org/browse/SERVER-105783 reports:
Clients may successfully perform a TLS handshake with a MongoDB server despite presenting a client certificate not aligning with the documented Extended Key Usage (EKU) requirements. A certificate that specifies extendedKeyUsage but is missing extendedKeyUsage = clientAuth may still be successfully authenticated via the TLS handshake as a client. This issue is specific to MongoDB servers running on Windows or Apple as the expected validation behavior functions correctly on Linux systems. Additionally, MongoDB servers may successfully establish egress TLS connections with servers that present server certificates not aligning with the documented Extended Key Usage (EKU) requirements. A certificate that specifies extendedKeyUsage but is missing extendedKeyUsage = serverAuth may still be successfully authenticated via the TLS handshake as a server. This issue is specific to MongoDB servers running on Apple as the expected validation behavior functions correctly on both Linux and Windows systems.
https://github.com/pnggroup/libpng/security/advisories/GHSA-7wv6-48j4-hj3g reports:
LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files.
- From version 1.6.0 to before 1.6.51, there is a heap buffer overflow vulnerability in the libpng simplified API function png_image_finish_read when processing 16-bit interlaced PNGs with 8-bit output format. Attacker-crafted interlaced PNG files cause heap writes beyond allocated buffer bounds. This issue has been patched in version 1.6.51.
- From version 1.6.0 to before 1.6.51, an out-of-bounds read vulnerability exists in png_image_read_composite when processing palette images with PNG_FLAG_OPTIMIZE_ALPHA enabled. The palette compositing code in png_init_read_transformations incorrectly applies background compositing during premultiplication, violating the invariant component alpha 257 required by the simplified PNG API.
- From version 1.6.0 to before 1.6.51, a heap buffer over-read vulnerability exists in libpng's png_write_image_8bit function when processing 8-bit images through the simplified write API with convert_to_8bit enabled. The vulnerability affects 8-bit grayscale+alpha, RGB/RGBA, and images with incomplete row data. A conditional guard incorrectly allows 8-bit input to enter code expecting 16-bit input, causing reads up to 2 bytes beyond allocated buffer boundaries.
- Prior to version 1.6.51, a heap buffer over-read vulnerability exists in libpng's png_do_quantize function when processing PNG files with malformed palette indices. The vulnerability occurs when palette_lookup array bounds are not validated against externally-supplied image data, allowing an attacker to craft a PNG file with out-of-range palette indices that trigger out-of-bounds memory access.
Gitlab reports:
Race condition issue in CI/CD cache impacts GitLab CE/EE
Denial of Service issue in JSON input validation middleware impacts GitLab CE/EE
Authentication bypass issue in account registration impacts GitLab CE/EE
Denial of Service issue in HTTP response processing impacts GitLab CE/EE
Improper authorization issue in markdown rendering impacts GitLab EE
Information disclosure issue in terraform registry impacts GitLab CE/EE
GnuTLS reports:
When a PKCS#11 token is initialized with gnutls_pkcs11_token_init function and it is passed a token label longer than 32 characters, it may write past the boundary of stack allocated memory.
Chrome Releases reports:
This update includes 2 security fixes:
- [460017370] High CVE-2025-13223: Type Confusion in V8. Reported by Clément Lecigne of Google's Threat Analysis Group on 2025-11-12
- [450328966] High CVE-2025-13224: Type Confusion in V8. Reported by Google Big Sleep on 2025-10-09
Alon Bar-Lev reports:
util: fix deserialize buffer overflow. Thanks to Aarnav Bos.
Mikhail Khachaiants reports:
socket: reject mismatched address family in get_addr_generic.
Add a family check to prevent copying address data of the wrong type, which could cause buffer over-read when parsing routes or endpoints.
Arne Schwabe reports:
Fix memcmp check for the hmac verification in the 3way handshake being inverted. This is a stupid mistake but causes all hmac cookies to be accepted, thus breaking source IP address validation. As a consequence, TLS sessions can be opened and state can be consumed in the server from IP addresses that did not initiate an initial connection.
While at it, fix check to only allow [t-2;t] timeslots, disallowing HMACs coming in from a future timeslot.
Pieter Marsman reports:
pdfminer.six will execute arbitrary code from a malicious pickle file if provided with a malicious PDF file. The CMapDB._load_data() function in pdfminer.six uses pickle.loads() to deserialize pickle files. These pickle files are supposed to be part of the pdfminer.six distribution stored in the cmap/ directory, but a malicious PDF can specify an alternative directory and filename as long as the filename ends in .pickle.gz. A malicious, zipped pickle file can then contain code which will automatically execute when the PDF is processed.
Trifecta Tech Foundation reports:
With Defaults targetpw (or Defaults rootpw) enabled, the password of the target account (or root account) instead of the invoking user is used for authentication. sudo-rs prior to 0.2.10 incorrectly recorded the invoking user’s UID instead of the authenticated-as user's UID in the authentication timestamp. Any later sudo invocation on the same terminal while the timestamp was still valid would use that timestamp, potentially bypassing new authentication even if the policy would have required it.
Trifecta Tech Foundation reports:
When typing partial passwords but not pressing return for a long time, a password timeout can occur. When this happens, the keys pressed are replayed onto the console.
https://www.postgresql.org/support/security/CVE-2025-12818/ reports:
- Integer wraparound in multiple PostgreSQL libpq client library functions allows an application input provider or network peer to cause libpq to undersize an allocation and write out-of-bounds by hundreds of megabytes. This results in a segmentation fault for the application using libpq.
- Missing authorization in PostgreSQL CREATE STATISTICS command allows a table owner to achieve denial of service against other CREATE STATISTICS users by creating in any schema. A later CREATE STATISTICS for the same name, from a user having the CREATE privilege, would then fail.
SUSE Security Team reports:
An Execution with Unnecessary Privileges vulnerability in lightdm-kde-greeter allows escalation from the service user to root. This issue affects lightdm-kde-greeter before 6.0.4.
https://bugzilla.mozilla.org/buglist.cgi?bug_id=1987237%2C1990079%2C1991715%2C1994994 reports:
Memory safety bugs. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
https://bugzilla.mozilla.org/show_bug.cgi?id=1994441 reports:
- Sandbox escape due to incorrect boundary conditions in the Graphics: WebGPU component.
- Incorrect boundary conditions in the Graphics: WebGPU component.
- JIT miscompilation in the JavaScript Engine: JIT component.
- Sandbox escape due to incorrect boundary conditions in the Graphics: WebGPU component.
- Incorrect boundary conditions in the Graphics: WebGPU component.
- Incorrect boundary conditions in the Graphics: WebGPU component.
https://bugzilla.mozilla.org/show_bug.cgi?id=1995686 reports:
- Use-after-free in the WebRTC: Audio/Video component.
- Same-origin policy bypass in the DOM: Workers component.
- Mitigation bypass in the DOM: Security component.
- Same-origin policy bypass in the DOM: Notifications component.
- Incorrect boundary conditions in the JavaScript: WebAssembly component.
- Spoofing issue in Firefox.
- Use-after-free in the Audio/Video component.
- Mitigation bypass in the DOM: Core and HTML component.
- Race condition in the Graphics component.
Gitlab reports:
Cross-site scripting issue in k8s proxy impacts GitLab CE/EE
Incorrect Authorization issue in workflows impacts GitLab EE
Information Disclosure issue in GraphQL subscriptions impacts GitLab CE/EE
Information Disclosure issue in access control impacts GitLab CE/EE
Prompt Injection issue in GitLab Duo review impacts GitLab EE
Client Side Path Traversal issue in branch names impacts GitLab EE
Information Disclosure issue in packages API endpoint impacts GitLab CE/EE
Improper Access Control issue in GitLab Pages impacts GitLab CE/EE
Denial of service issue in markdown impacts GitLab CE/EE
privatebin reports:
Dragging a file whose filename contains HTML is reflected verbatim into the page via the drag-and-drop helper, so any user who drops a crafted file on PrivateBin will execute arbitrary JavaScript within their own session (self-XSS). This allows an attacker who can entice a victim to drag or otherwise attach such a file to exfiltrate plaintext, encryption keys, or stored pastes before they are encrypted or sent.
Chrome Releases reports:
This update includes 1 security fix:
- [457351015] High CVE-2025-13042: Inappropriate implementation in V8. Reported by 303f06e3 on 2025-11-03
Chrome Releases reports:
This update includes 5 security fixes:
- [443906252] High CVE-2025-12725: Out of bounds write in WebGPU. Reported by Anonymous on 2025-09-09
- [447172715] High CVE-2025-12726: Inappropriate implementation in Views. Reported by Alesandro Ortiz on 2025-09-25
- [454485895] High CVE-2025-12727: Inappropriate implementation in V8. Reported by 303f06e3 on 2025-10-23
- [452392032] Medium CVE-2025-12728: Inappropriate implementation in Omnibox. Reported by Hafiizh on 2025-10-16
- [454354281] Medium CVE-2025-12729: Inappropriate implementation in Omnibox. Reported by Khalil Zhani on 2025-10-23
Aous Naman reports several vulnerabilities fixed in OpenJPH versions up to 0.24.5 and credits Cary Phillips for reporting them from the OSS-fuzz project.
[0.24.5] Addresses OpenEXR OSS-fuzz issue 5747129672073216 that can cause heap corruption.
[0.24.4...] we now check that the ATK marker segment length (Latk) makes sense. The issue was identified in OpenEXR fuzzing.
[0.24.3] This is an important bug fix. It protects against illegally long QCD and QCC marker segments. It was discovered during OpenEXR fuzzing; thanks to [Cary Phillips].
Cary Phillips reports:
Patch release that addresses several bugs, primarily involving properly rejecting corrupt input data.
He goes on to report various relevant items including heap buffer overflows, use-after-free, use of uninitialized memory and other bugs, several of them found by OSS-fuzz, and some also found in OpenJPH.
https://jira.mongodb.org/browse/SERVER-101230 reports:
The KMIP response parser built into mongo binaries is overly tolerant of certain malformed packets, and may parse them into invalid objects. Later reads of this object can result in read access violations.
https://access.redhat.com/errata/RHSA-2025:19432 reports:
CVE-2025-62229: A flaw was found in the X.Org X server and Xwayland when processing X11 Present extension notifications. Improper error handling during notification creation can leave dangling pointers that lead to a use-after-free condition. This can cause memory corruption or a crash, potentially allowing an attacker to execute arbitrary code or cause a denial of service.
CVE-2025-62230: A flaw was discovered in the X.Org X server's X Keyboard (Xkb) extension when handling client resource cleanup. The software frees certain data structures without properly detaching related resources, leading to a use-after-free condition. This can cause memory corruption or a crash when affected clients disconnect.
CVE-2025-62231: A flaw was identified in the X.Org X server's X Keyboard (Xkb) extension where improper bounds checking in the XkbSetCompatMap() function can cause an unsigned short overflow. If an attacker sends specially crafted input data, the value calculation may overflow, leading to memory corruption or a crash.
Google Big Sleep reports:
A user can run the XACKDEL command with multiple IDs and trigger a stack buffer overflow, which may potentially lead to remote code execution. The problem exists in Redis 8.2 or newer. The code doesn't handle the case where the number of IDs exceeds the STREAMID_STATIC_VECTOR_LEN, and skips a reallocation, which leads to a stack buffer overflow. An additional workaround to mitigate the problem without patching the redis-server executable is to prevent users from executing the XACKDEL operation. This can be done using ACL to restrict the XACKDEL command.
https://bugzilla.mozilla.org/show_bug.cgi?id=1975837 reports:
Denial-of-service due to out-of-memory in the Graphics: WebRender component.
https://bugzilla.mozilla.org/show_bug.cgi?id=1979782 reports:
Same-origin policy bypass in the Graphics: Canvas2D component.
https://bugzilla.mozilla.org/show_bug.cgi?id=1987246 reports:
Sandbox escape due to integer overflow in the Graphics: Canvas2D component.
https://bugzilla.mozilla.org/show_bug.cgi?id=1981502 reports:
Information disclosure in the Networking: Cache component.
https://bugzilla.mozilla.org/show_bug.cgi?id=1665334 reports:
Spoofing issue in the Site Permissions component.
https://bugzilla.mozilla.org/show_bug.cgi?id=1980788 reports:
Integer overflow in the SVG component.
https://bugzilla.mozilla.org/show_bug.cgi?id=1979502 reports:
Incorrect boundary conditions in the JavaScript: GC component.
https://bugzilla.mozilla.org/show_bug.cgi?id=1978453 reports:
Mitigation bypass in the Web Compatibility: Tooling component.
https://bugzilla.mozilla.org/show_bug.cgi?id=1970490 reports:
Same-origin policy bypass in the Layout component.
https://bugzilla.mozilla.org/show_bug.cgi?id=1986185 reports:
Sandbox escape due to undefined behavior, invalid pointer in the Graphics: Canvas2D component.
https://bugzilla.mozilla.org/show_bug.cgi?id=1984825 reports:
Sandbox escape due to use-after-free in the Graphics: Canvas2D component.
Unsupported versions: [...] End of life: 2025-10-31.
PowerDNS Team reports:
It has been brought to our attention that the Recursor does not apply strict enough validation of received delegation information. The malicious delegation information can be sent by an attacker spoofing packets.
Chrome Releases reports:
This update includes 20 security fixes:
- [447613211] High CVE-2025-12428: Type Confusion in V8. Reported by Man Yue Mo of GitHub Security Lab on 2025-09-26
- [450618029] High CVE-2025-12429: Inappropriate implementation in V8. Reported by Aorui Zhang on 2025-10-10
- [442860743] High CVE-2025-12430: Object lifecycle issue in Media. Reported by round.about on 2025-09-04
- [436887350] High CVE-2025-12431: Inappropriate implementation in Extensions. Reported by Alesandro Ortiz on 2025-08-06
- [439522866] High CVE-2025-12432: Race in V8. Reported by Google Big Sleep on 2025-08-18
- [449760249] High CVE-2025-12433: Inappropriate implementation in V8. Reported by Google Big Sleep on 2025-10-07
- [452296415] High CVE-2025-12036: Inappropriate implementation in V8. Reported by Google Big Sleep on 2025-10-15
- [337356054] Medium CVE-2025-12434: Race in Storage. Reported by Lijo A.T on 2024-04-27
- [446463993] Medium CVE-2025-12435: Incorrect security UI in Omnibox. Reported by Hafiizh on 2025-09-21
- [40054742] Medium CVE-2025-12436: Policy bypass in Extensions. Reported by Luan Herrera (@lbherrera_) on 2021-02-08
- [446294487] Medium CVE-2025-12437: Use after free in PageInfo. Reported by Umar Farooq on 2025-09-20
- [433027577] Medium CVE-2025-12438: Use after free in Ozone. Reported by Wei Yuan of MoyunSec VLab on 2025-07-20
- [382234536] Medium CVE-2025-12439: Inappropriate implementation in App-Bound Encryption. Reported by Ari Novick on 2024-12-04
- [430555440] Low CVE-2025-12440: Inappropriate implementation in Autofill. Reported by Khalil Zhani on 2025-07-09
- [444049512] Medium CVE-2025-12441: Out of bounds read in V8. Reported by Google Big Sleep on 2025-09-10
- [452071845] Medium CVE-2025-12443: Out of bounds read in WebXR. Reported by Aisle Research on 2025-10-15
- [390571618] Low CVE-2025-12444: Incorrect security UI in Fullscreen UI. Reported by syrf on 2025-01-18
- [428397712] Low CVE-2025-12445: Policy bypass in Extensions. Reported by Thomas Greiner on 2025-06-29
- [444932667] Low CVE-2025-12446: Incorrect security UI in SplitView. Reported by Hafiizh on 2025-09-14
- [442636157] Low CVE-2025-12447: Incorrect security UI in Omnibox. Reported by Khalil Zhani on 2025-09-03
https://bugzilla.mozilla.org/show_bug.cgi?id=1993113 reports:
Starting with Firefox 142, it was possible for a compromised child process to trigger a use-after-free in the GPU or browser process using WebGPU-related IPC calls. This may have been usable to escape the child process sandbox.
https://github.com/erlang/otp/security/advisories/GHSA-9g37-pgj9-wrhc reports:
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Erlang OTP (stdlib modules) allows Absolute Path Traversal, File Manipulation. This vulnerability is associated with program files lib/stdlib/src/zip.erl and program routines zip:unzip/1, zip:unzip/2, zip:extract/1, zip:extract/2 unless the memory option is passed. This issue affects OTP from OTP 17.0 until OTP 28.0.1, OTP 27.3.4.1 and OTP 26.2.5.13, corresponding to stdlib from 2.0 until 7.0.1, 6.2.2.1 and 5.2.3.4.
Internet Systems Consortium, Inc. reports:
To trigger the issue, three configuration parameters must have specific settings: "hostname-char-set" must be left at the default setting, which is "[^A-Za-z0-9.-]"; "hostname-char-replacement" must be empty (the default); and "ddns-qualifying-suffix" must NOT be empty (the default is empty). DDNS updates do not need to be enabled for this issue to manifest. A client that sends certain option content would then cause kea-dhcp4 to exit unexpectedly. This addresses CVE-2025-11232 [#4142, #4155].
https://github.com/google/security-research/security/advisories/GHSA-v2c8-vqqp-hv3g reports:
An integer overflow exists in the FTS5 https://sqlite.org/fts5.html extension. It occurs when the size of an array of tombstone pointers is calculated and truncated into a 32-bit integer. A pointer to partially controlled data can then be written out of bounds.
The FreeBSD build enables the FTS5 extension by default.
Michal Čihař reports:
Upon authentication, the user could be associated by e-mail even if the associate_by_email pipeline was not included. This could lead to account compromise when a third-party authentication service does not validate provided e-mail addresses or doesn't require unique e-mail addresses.
http://sqlite3.com reports:
Integer Overflow vulnerability in SQLite SQLite3 v.3.50.0 allows a remote attacker to cause a denial of service via the setupLookaside function.
PrivateBin reports:
We've identified an HTML injection/XSS vulnerability in the PrivateBin service that allows the injection of arbitrary HTML markup via the attached filename.
Xu Biang reports:
The eap-mschapv2 plugin doesn't correctly check the length of an EAP-MSCHAPv2 Failure Request packet on the client, which can cause an integer underflow that leads to a crash and, depending on the compiler options, even a heap-based buffer overflow that's potentially exploitable for remote code execution. Affected are all strongSwan versions since 4.2.12.
Chrome Releases reports:
This update includes 1 security fix:
- [452296415] High CVE-2025-12036: Inappropriate implementation in V8. Reported by Google Big Sleep on 2025-10-15
sep@nlnetlabs.nl reports:
NLnet Labs Unbound up to and including version 1.24.0 is vulnerable to possible domain hijack attacks. Promiscuous NS RRSets that complement positive DNS replies in the authority section can be used to trick resolvers to update their delegation information for the zone. Usually these RRSets are used to update the resolver's knowledge of the zone's name servers. A malicious actor can exploit the possible poisonous effect by injecting NS RRSets (and possibly their respective address records) in a reply. This could be done for example by trying to spoof a packet or fragmentation attacks. Unbound would then proceed to update the NS RRSet data it already has since the new data has enough trust for it, i.e., in-zone data for the delegation point. Unbound 1.24.1 includes a fix that scrubs unsolicited NS RRSets (and their respective address records) from replies mitigating the possible poison effect.
Mateusz Szymaniec and CERT Polska reports:
RT is vulnerable to XSS via calendar invitations added to a ticket. Thanks to Mateusz Szymaniec and CERT Polska for reporting this finding.
Gareth Watkin-Jones from 4armed reports:
RT is vulnerable to CSV injection via ticket values with special characters that are exported to a TSV from search results. Thanks to Gareth Watkin-Jones from 4armed for reporting this finding.
Connected sockets are not intended to belong to load-balancing groups. However, the kernel failed to check the connection state of sockets when adding them to load-balancing groups. Furthermore, when looking up the destination socket for an incoming packet, the kernel will match a socket belonging to a load-balancing group even if it is connected.
Connected sockets are only supposed to receive packets originating from the connected host. The above behavior violates this contract.
Software which sets SO_REUSEPORT_LB on a socket and then connects it to a host will not observe any problems. However, due to its membership in a load-balancing group, that socket will receive packets originating from any host. This breaks the contract of connect(2) and of the implied connect via sendto(2), and may leave the application vulnerable to spoofing attacks.
Gitlab reports:
Improper access control issue in runner API impacts GitLab EE
Denial of service issue in event collection impacts GitLab CE/EE
Denial of service issue in JSON validation impacts GitLab CE/EE
Denial of service issue in upload impacts GitLab CE/EE
Incorrect Authorization issue in pipeline builds impacts GitLab CE
Business logic error issue in group memberships impacts GitLab EE
Missing authorization issue in quick actions impacts GitLab EE
Chrome Releases reports:
This update includes 1 security fix:
- [447192722] High CVE-2025-11756: Use after free in Safe Browsing. Reported by asnine on 2025-09-25
Chrome Releases reports:
This update includes 3 security fixes:
- [443196747] High CVE-2025-11458: Heap buffer overflow in Sync. Reported by raven at KunLun lab on 2025-09-05
- [446722008] High CVE-2025-11460: Use after free in Storage. Reported by Sombra on 2025-09-23
- [441917796] Medium CVE-2025-11211: Out of bounds read in WebCodecs. Reported by Jakob Košir on 2025-08-29
cna@mongodb.com reports:
An authorized user may crash the MongoDB server by causing buffer over-read. This can be done by issuing a DDL operation while queries are being issued, under some conditions.
Icinga reports:
An authorized user with access to Icinga DB Web can use a custom variable in a filter that is either protected by icingadb/protect/variables or hidden by icingadb/denylist/variables, to guess values assigned to it.
security@mozilla.org reports:
A malicious page could have used the type attribute of an OBJECT tag to override the default browser behavior when encountering a web resource served without a content-type. This could have contributed to an XSS on a site that unsafely serves files without a content-type header.
security@mozilla.org reports:
There was a way to change the value of JavaScript Object properties that were supposed to be non-writeable.
security@mozilla.org reports:
A compromised web process using malicious IPC messages could have caused the privileged browser process to reveal blocks of its memory to the compromised process.
security@mozilla.org reports:
A compromised web process was able to trigger out of bounds reads and writes in a more privileged process using manipulated WebGL textures.
security@mozilla.org reports:
Use-after-free in MediaTrackGraphImpl::GetInstance()
security@mozilla.org reports:
Memory safety bugs. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
security@mozilla.org reports:
Memory safety bugs. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
security@mozilla.org reports:
Memory safety bug. This bug showed evidence of memory corruption and we presume that with enough effort this could have been exploited to run arbitrary code.
security@mozilla.org reports:
Sandbox escape due to integer overflow in the Graphics: Canvas2D component
security@mozilla.org reports:
Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
security@mozilla.org reports:
This vulnerability affects Firefox < 143, Firefox ESR < 140.3, Thunderbird < 143, and Thunderbird < 140.3.
security@mozilla.org reports:
Spoofing issue in the Site Permission component
security@mozilla.org reports:
Integer overflow in the SVG component
mino reports:
A privilege escalation vulnerability allows service accounts and STS (Security Token Service) accounts with restricted session policies to bypass their inline policy restrictions when performing "own" account operations, specifically when creating new service accounts for the same user.
Tim Wojtulewicz of Corelight reports:
The KRB analyzer can leak information about hosts in analyzed traffic via external DNS lookups.
security@mozilla.org reports:
JIT miscompilation in the JavaScript Engine: JIT component.
Gitlab reports:
Incorrect authorization issue in GraphQL mutations impacts GitLab EE
Denial of Service issue in GraphQL blob type impacts GitLab CE/EE
Missing authorization issue in manual jobs impacts GitLab CE/EE
Denial of Service issue in webhook endpoints impacts GitLab CE/EE
Ralph Slooten (Mailpit developer) reports:
An HTTP endpoint was found which exposed expvar runtime information (memory usage, goroutine counts, GC behavior, uptime and potential runtime flags) due to the Prometheus client library dependency.
security@mozilla.org reports:
The vulnerability has been assessed to have moderate impact on affected systems, potentially allowing attackers to exploit incorrect boundary conditions in the JavaScript Garbage Collection component. In Thunderbird specifically, these flaws cannot be exploited through email as scripting is disabled when reading mail, but remain potential risks in browser or browser-like contexts.
security@mozilla.org reports:
The vulnerability has been rated as having moderate impact, affecting both confidentiality and integrity with low severity, while having no impact on availability. For Thunderbird specifically, the vulnerability cannot be exploited through email as scripting is disabled when reading mail, but remains a potential risk in browser or browser-like contexts.
security@mozilla.org reports:
Sandbox escape due to use-after-free
cna@mongodb.com reports:
An authorized user can cause a crash in the MongoDB Server through a specially crafted $group query. This vulnerability is related to the incorrect handling of certain accumulator functions when additional parameters are specified within the $group operation. This vulnerability could lead to denial of service if triggered repeatedly.
cna@mongodb.com reports:
MongoDB Server may allow upsert operations retried within a transaction to violate unique index constraints, potentially causing an invariant failure and server crash during commit. This issue may be triggered by improper WriteUnitOfWork state management.
cna@mongodb.com reports:
An improper setting of the lsid field on any sharded query can cause a crash in MongoDB routers. This issue occurs when a generic argument (lsid) is provided in a case when it is not applicable.
cna@mongodb.com reports:
MongoDB Server may access a non-initialized region of memory, leading to unexpected behaviour when zero arguments are called in an internal aggregation stage.
redis reports:
An authenticated user may use a specially crafted Lua script to read out-of-bound data or crash the server and cause a subsequent denial of service. The problem exists in all versions of Redis with Lua scripting. An additional workaround to mitigate the problem without patching the redis-server executable is to prevent users from executing Lua scripts. This can be done using ACL to block a script by restricting both the EVAL and FUNCTION command families.
redis reports:
An authenticated user may use a specially crafted Lua script to manipulate different Lua objects and potentially run their own code in the context of another user. The problem exists in all versions of Redis with Lua scripting. An additional workaround to mitigate the problem without patching the redis-server executable is to prevent users from executing Lua scripts. This can be done using ACL to block a script by restricting both the EVAL and FUNCTION command families.
redis reports:
An authenticated user may use a specially crafted Lua script to cause an integer overflow and potentially lead to remote code execution. The problem exists in all versions of Redis with Lua scripting. An additional workaround to mitigate the problem without patching the redis-server executable is to prevent users from executing Lua scripts. This can be done using ACL to block a script by restricting both the EVAL and FUNCTION command families.
redis reports:
An authenticated user may use a specially crafted Lua script to manipulate the garbage collector, trigger a use-after-free and potentially lead to remote code execution. The problem exists in all versions of Redis with Lua scripting. An additional workaround to mitigate the problem without patching the redis-server executable is to prevent users from executing Lua scripts. This can be done using ACL to restrict EVAL and EVALSHA commands.
Qt qtwebengine-chromium repo reports:
Backports for 9 security bugs in Chromium:
- CVE-2025-9866: Determine whether to bypass redirect checks per request
- CVE-2025-10200: Use after free in Serviceworker
- CVE-2025-10201: Inappropriate implementation in Mojo
- CVE-2025-10500: Use after free in Dawn
- CVE-2025-10501: Use after free in WebRTC
- CVE-2025-10502: Heap buffer overflow in ANGLE
- CVE-2025-10890: Side-channel information leakage in V8 (1/2)
- CVE-2025-10891: Integer overflow in V8
- CVE-2025-10892: Integer overflow in V8
Matthias Andree reports:
fetchmail's SMTP client, when configured to authenticate, is susceptible to a protocol violation where, when a trusted but malicious or malfunctioning SMTP server responds to an authentication request with a "334" code but without a following blank on the line, it will attempt to start reading from memory address 0x1 to parse the server's SASL challenge. This address is constant and not under the attacker's control. This event will usually cause a crash of fetchmail.
Chrome Releases reports:
This update includes 21 security fixes:
- [442444724] High CVE-2025-11205: Heap buffer overflow in WebGPU. Reported by Atte Kettunen of OUSPG on 2025-09-02
- [444755026] High CVE-2025-11206: Heap buffer overflow in Video. Reported by Elias Hohl on 2025-09-12
- [428189824] Medium CVE-2025-11207: Side-channel information leakage in Storage. Reported by Alesandro Ortiz on 2025-06-27
- [397878997] Medium CVE-2025-11208: Inappropriate implementation in Media. Reported by Kevin Joensen on 2025-02-20
- [438226517] Medium CVE-2025-11209: Inappropriate implementation in Omnibox. Reported by Hafiizh on 2025-08-13
- [440523110] Medium CVE-2025-11210: Side-channel information leakage in Tab. Reported by Umar Farooq on 2025-08-22
- [441917796] Medium CVE-2025-11211: Out of bounds read in Media. Reported by Kosir Jakob on 2025-08-29
- [420734141] Medium CVE-2025-11212: Inappropriate implementation in Media. Reported by Ameen Basha M K on 2025-05-28
- [443408317] Medium CVE-2025-11213: Inappropriate implementation in Omnibox. Reported by Hafiizh on 2025-09-06
- [439758498] Medium CVE-2025-11215: Off by one error in V8. Reported by Google Big Sleep on 2025-08-19
- [419721056] Low CVE-2025-11216: Inappropriate implementation in Storage. Reported by Farras Givari on 2025-05-23
- [439772737] Low CVE-2025-11219: Use after free in V8. Reported by Google Big Sleep on 2025-08-19
Django reports:
CVE-2025-59681: Potential SQL injection in QuerySet.annotate(), alias(), aggregate(), and extra() on MySQL and MariaDB.
CVE-2025-59682: Potential partial directory-traversal via archive.extract().
Oracle reports:
Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/Python). Supported versions that are affected are 9.1.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all MySQL Connectors accessible data as well as unauthorized read access to a subset of MySQL Connectors accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Connectors. CVSS 3.1 Base Score 6.4 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:H/A:H).
The OpenSSL project reports:
Out-of-bounds read & write in RFC 3211 KEK Unwrap
Timing side-channel in SM2 algorithm on 64-bit ARM
Fix Out-of-bounds read in HTTP client no_proxy handling
The LibreSSL project reports:
An incorrect length check can result in a 4-byte overwrite and an 8-byte overread.
cve@mitre.org reports:
GoldenDict 1.5.0 and 1.5.1 has an exposed dangerous method that allows reading and modifying files when a user adds a crafted dictionary and then searches for any term included in that dictionary.
secalert@redhat.com reports:
A flaw was found in the Udisks daemon, where it allows unprivileged users to create loop devices using the D-BUS system. This is achieved via the loop device handler, which handles requests sent through the D-BUS interface. As two of the parameters of this handle, it receives the file descriptor list and index specifying the file where the loop device should be backed. The function itself validates the index value to ensure it isn't bigger than the maximum value allowed. However, it fails to validate the lower bound, allowing the index parameter to be a negative value. Under these circumstances, an attacker can cause the UDisks daemon to crash or perform a local privilege escalation by gaining access to files owned by privileged users.
Quiche Releases reports:
This update includes 1 security fix:
- High CVE-2025-7054: Infinite loop triggered by connection ID retirement. Reported by Catena cyber on 2025-08-07.
Quiche Releases reports:
This update includes 2 security fixes:
- Medium CVE-2025-4820: Incorrect congestion window growth by optimistic ACK. Reported by Louis Navarre on 2025-06-18.
- High CVE-2025-4821: Incorrect congestion window growth by invalid ACK ranges. Reported by Louis Navarre on 2025-06-18.
Gitlab reports:
Denial of Service issue when uploading specifically crafted JSON files impacts GitLab CE/EE
Denial of Service issue bypassing query complexity limits impacts GitLab CE/EE
Information disclosure issue in virtual registry configuration for low privileged users impacts GitLab CE/EE
Privilege Escalation issue from within the Developer role impacts GitLab EE
Denial of Service issue in GraphQL API via Unbounded Array Parameters impacts GitLab CE/EE
Improper Authorization issue for Project Maintainers when assigning roles impacts GitLab EE
Denial of Service issue in GraphQL API blobSearch impacts GitLab CE/EE
Incorrect ownership assignment via Move Issue drop-down impacts GitLab CE/EE
Denial of Service issue via string conversion methods impacts GitLab CE/EE
Gert Doering reports:
Notable changes beta1 -> beta2 are: [...] add proper input sanitation to DNS strings to prevent an attack coming from a trusted-but-malicious OpenVPN server (CVE: 2025-10680, affects unixoid systems with --dns-updown scripts and windows using the built-in powershell call)
Lev Stipakov writes:
On Linux (and similar platforms), those options are written to a tmp file, which is later sourced by a script running as root. Since options are controlled by the server, it is possible for a malicious server to execute a script injection attack [...].
The original report is credited to Stanislav Fort <disclosure@aisle.com>.
security@open-xchange.com reports:
In some circumstances, when DNSdist is configured to use the nghttp2 library to process incoming DNS over HTTPS queries, an attacker might be able to cause a denial of service by crafting a DoH exchange that triggers an unbounded I/O read loop, causing an unexpected consumption of CPU resources. The offending code was introduced in DNSdist 1.9.0-alpha1 so previous versions are not affected.
Chrome Releases reports:
This update includes 4 security fixes:
- [430336833] High CVE-2025-10890: Side-channel information leakage in V8. Reported by Mate Marjanović (SharpEdged) on 2025-07-09
- [443765373] High CVE-2025-10891: Integer overflow in V8. Reported by Google Big Sleep on 2025-09-09
- [444048019] High CVE-2025-10892: Integer overflow in V8. Reported by Google Big Sleep on 2025-09-10
Chrome Releases reports:
This update includes 4 security fixes:
- [445380761] High CVE-2025-10585: Type Confusion in V8. Reported by Google Threat Analysis Group on 2025-09-16
- [435875050] High CVE-2025-10500: Use after free in Dawn. Reported by Giunash (Gyujeong Jin) on 2025-08-03
- [440737137] High CVE-2025-10501: Use after free in WebRTC. Reported by sherkito on 2025-08-23
- [438038775] High CVE-2025-10502: Heap buffer overflow in ANGLE. Reported by Google Big Sleep on 2025-08-12
security-advisories@github.com reports:
The PCRE2 library is a set of C functions that implement regular expression pattern matching. In version 10.45, a heap-buffer-overflow read vulnerability exists in the PCRE2 regular expression matching engine, specifically within the handling of the (*scs:...) (Scan SubString) verb when combined with (*ACCEPT) in src/pcre2_match.c. This vulnerability may potentially lead to information disclosure if the out-of-bounds data read during the memcmp affects the final match result in a way observable by the attacker.
expat security advisory:
libexpat allows attackers to trigger large dynamic memory allocations via a small document that is submitted for parsing.
Jenkins Security Advisory:
Description
(High) SECURITY-3618 / CVE-2025-5115
HTTP/2 denial of service vulnerability in bundled Jetty
(Medium) SECURITY-3594 / CVE-2025-59474
Missing permission check allows obtaining agent names
(Medium) SECURITY-3625 / CVE-2025-59475
Missing permission check in authenticated users' profile menu
(Medium) SECURITY-3424 / CVE-2025-59476
Log message injection vulnerability
F5 reports:
When NGINX Unit with the Java Language Module is in use, undisclosed requests can lead to an infinite loop and cause an increase in CPU resource utilization.
OpenPrinting reports:
When the AuthType is set to anything but Basic, if the request contains an Authorization: Basic ... header, the password is not checked.
An unsafe deserialization and validation of printer attributes causes a null dereference in the libcups library.
Chrome Releases reports:
This update includes 2 security fixes:
- [440454442] Critical CVE-2025-10200: Use after free in Serviceworker. Reported by Looben Yang on 2025-08-22
- [439305148] High CVE-2025-10201: Inappropriate implementation in Mojo. Reported by Sahan Fernando & Anon on 2025-08-18
Gitlab reports:
Denial of Service issue in SAML Responses impacts GitLab CE/EE
Server-Side Request Forgery issue in Webhook custom header impacts GitLab CE/EE
Denial of Service issue in User-Controllable Fields impacts GitLab CE/EE
Denial of Service issue in endpoint file upload impacts GitLab CE/EE
Denial of Service issue in token listing operations impacts GitLab CE/EE
Information disclosure issue in runner endpoints impacts GitLab CE/EE
Chrome Releases reports:
This update includes 6 security fixes:
- [434513380] High CVE-2025-9864: Use after free in V8. Reported by Pavel Kuzmin of Yandex Security Team on 2025-07-28
- [437147699] Medium CVE-2025-9865: Inappropriate implementation in Toolbar. Reported by Khalil Zhani on 2025-08-07
- [379337758] Medium CVE-2025-9866: Inappropriate implementation in Extensions. Reported by NDevTK on 2024-11-16
- [415496161] Medium CVE-2025-9867: Inappropriate implementation in Downloads. Reported by Farras Givari on 2025-05-04
Kevin Backhouse reports:
A denial-of-service was found in Exiv2 version v0.28.5: a quadratic algorithm in the ICC profile parsing code in jpegBase::readMetadata() can cause Exiv2 to run for a long time. Exiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. The denial-of-service is triggered when Exiv2 is used to read the metadata of a crafted jpg image file.
Kevin Backhouse reports:
An out-of-bounds read was found in Exiv2 versions v0.28.5 and earlier. Exiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. The out-of-bounds read is triggered when Exiv2 is used to write metadata into a crafted image file. An attacker could potentially exploit the vulnerability to cause a denial of service by crashing Exiv2, if they can trick the victim into running Exiv2 on a crafted image file.
Note that this bug is only triggered when writing the metadata, which is a less frequently used Exiv2 operation than reading the metadata. For example, to trigger the bug in the Exiv2 command-line application, you need to add an extra command-line argument such as delete.
Django reports:
CVE-2025-57833: Potential SQL injection in FilteredRelation column aliases.
Internet2 reports:
The Shibboleth Service Provider includes a storage API usable for a number of different use cases such as the session cache, replay cache, and relay state management. An ODBC extension plugin is provided with some distributions of the software (notably on Windows).
A SQL injection vulnerability was identified in some of the queries issued by the plugin, and this can be creatively exploited through specially crafted inputs to exfiltrate information stored in the database used by the SP.
Zhengyu Liu, Jianjia Yu, Jelmer van Arnhem report:
We discovered a remote code execution (RCE) vulnerability in the latest release of the Vieb browser (v12.3.0). By luring a user to visit a malicious website, an attacker can achieve arbitrary code execution on the victim’s machine.
Gitlab reports:
Allocation of Resources Without Limits issue in import function impacts GitLab CE/EE
Missing authentication issue in GraphQL endpoint impacts GitLab CE/EE
Allocation of Resources Without Limits issue in GraphQL impacts GitLab CE/EE
Code injection issue in GitLab repositories impacts GitLab CE/EE
Internet Systems Consortium, Inc. reports:
We corrected an issue in `kea-dhcp4` that caused the server to abort if a client sent a broadcast request with particular options, and Kea failed to find an appropriate subnet for that client. This addresses CVE-2025-40779 [#4055, #4048].
Andy Shaw reports:
When passing values outside of the expected range to QColorTransferGenericFunction it can cause a denial of service, for example, this can happen when passing a specifically crafted ICC profile to QColorSpace::fromICCProfile.
Qt qtwebengine-chromium repo reports:
Backports for 25 security bugs in Chromium:
- CVE-2025-5063: Use after free in Compositing
- CVE-2025-5064: Inappropriate implementation in Background Fetch
- CVE-2025-5065: Inappropriate implementation in FileSystemAccess API
- CVE-2025-5068: Use after free in Blink
- CVE-2025-5280: Out of bounds write in V8
- CVE-2025-5281: Inappropriate implementation in BFCache
- CVE-2025-5283: Use after free in libvpx
- CVE-2025-5419: Out of bounds read and write in V8
- CVE-2025-6191: Integer overflow in V8
- CVE-2025-6192: Use after free in Profiler
- CVE-2025-6554: Type Confusion in V8
- CVE-2025-6556: Insufficient policy enforcement in Loader
- CVE-2025-6557: Insufficient data validation in DevTools
- CVE-2025-6558: Incorrect validation of untrusted input in ANGLE and GPU
- CVE-2025-7656: Integer overflow in V8
- CVE-2025-7657: Use after free in WebRTC
- CVE-2025-8010: Type Confusion in V8
- CVE-2025-8576: Use after free in Extensions
- CVE-2025-8578: Use after free in Cast
- CVE-2025-8580: Inappropriate implementation in Filesystems
- CVE-2025-8582: Insufficient validation of untrusted input in DOM
- CVE-2025-8879: Heap buffer overflow in libaom
- CVE-2025-8880: Race in V8
- CVE-2025-8881: Inappropriate implementation in File Picker
- CVE-2025-8901: Out of bounds write in ANGLE
cve@mitre.org reports:
In SQLite 3.49.0 before 3.49.1, certain argument values to sqlite3_db_config (in the C-language API) can cause a denial of service (application crash). An sz*nBig multiplication is not cast to a 64-bit integer, and consequently some memory allocations may be incorrect.
perl-catalyst project reports:
Catalyst::Authentication::Credential::HTTP versions 1.018 and earlier for Perl generate nonces using the Perl Data::UUID library.
- Data::UUID does not use a strong cryptographic source for generating UUIDs.
- Data::UUID returns v3 UUIDs, which are generated from known information and are unsuitable for security, as per RFC 9562.
- The nonces should be generated from a strong cryptographic source, as per RFC 7616.
security@mozilla.org reports:
Memory safety bugs present in Firefox 141 and Thunderbird 141. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
security@mozilla.org reports:
Memory safety bugs present in Firefox ESR 115.26, Firefox ESR 128.13, Thunderbird ESR 128.13, Firefox ESR 140.1, Thunderbird ESR 140.1, Firefox 141 and Thunderbird 141. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
security@mozilla.org reports:
Spoofing issue in the Address Bar component.
security@mozilla.org reports:
Denial-of-service due to out-of-memory in the Graphics: WebRender component.
security@mozilla.org reports:
Uninitialized memory in the JavaScript Engine component.
security@mozilla.org reports:
Same-origin policy bypass in the Graphics: Canvas2D component.
security@mozilla.org reports:
An attacker was able to perform memory corruption in the GMP process which processes encrypted media. This process is also heavily sandboxed, but represents slightly different privileges from the content process.
F5 reports:
NGINX Open Source and NGINX Plus have a vulnerability in the ngx_mail_smtp_module that might allow an unauthenticated attacker to over-read NGINX SMTP authentication process memory; as a result, the server side may leak arbitrary bytes sent in a request to the authentication server. This issue happens during the NGINX SMTP authentication process and requires the attacker to make preparations against the target system to extract the leaked data. The issue affects NGINX only if (1) it is built with the ngx_mail_smtp_module, (2) the smtp_auth directive is configured with method "none," and (3) the authentication server returns the "Auth-Wait" response header.
Chrome Releases reports:
This update includes 6 security fixes:
- [432035817] High CVE-2025-8879: Heap buffer overflow in libaom. Reported by Anonymous on 2025-07-15
- [433533359] High CVE-2025-8880: Race in V8. Reported by Seunghyun Lee (@0x10n) on 2025-07-23
- [435139154] High CVE-2025-8901: Out of bounds write in ANGLE. Reported by Google Big Sleep on 2025-07-30
- [433800617] Medium CVE-2025-8881: Inappropriate implementation in File Picker. Reported by Alesandro Ortiz on 2025-07-23
- [435623339] Medium CVE-2025-8882: Use after free in Aura. Reported by Umar Farooq on 2025-08-01
PostgreSQL project reports:
Tighten security checks in planner estimation functions.
Prevent pg_dump scripts from being used to attack the user running the restore.
Convert newlines to spaces in names included in comments in pg_dump output.
Gitlab reports:
Cross-site scripting issue in blob viewer impacts GitLab CE/EE
Cross-site scripting issue in labels impacts GitLab CE/EE
Cross-site scripting issue in Workitem impacts GitLab CE/EE
Improper Handling of Permissions issue in project API impacts GitLab CE/EE
Incorrect Privilege Assignment issue in delete issues operation impacts GitLab CE/EE
Allocation of Resources Without Limits issue in release name creation impacts GitLab CE/EE
Incorrect Authorization issue in jobs API impacts GitLab CE/EE
Authorization issue in Merge request approval policy impacts GitLab EE
Inefficient Regular Expression Complexity issue in wiki impacts GitLab CE/EE
Allocation of Resources Without Limits issue in Mattermost integration impacts GitLab CE/EE
Incorrect Permission Assignment issue in ID token impacts GitLab CE/EE
Insufficient Access Control issue in IP Restriction impacts GitLab EE
Varnish Development Team reports:
A denial of service attack can be performed on Varnish Cache servers that have the HTTP/2 protocol turned on. An attacker can create a large number of streams and immediately reset them without ever reaching the maximum number of concurrent streams allowed for the session, causing the Varnish server to consume unnecessary resources processing requests for which the response will not be delivered.
This attack is a variant of the HTTP/2 Rapid Reset Attack, which was partially handled as VSV00013.
p5-Authen-SASL project reports:
Authen::SASL::Perl::DIGEST_MD5 versions 2.04 through 2.1800 for Perl generates the cnonce insecurely.
The cnonce (client nonce) is generated from an MD5 hash of the PID, the epoch time and the built-in rand function. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage.
According to RFC 2831, the cnonce-value is an opaque quoted string value provided by the client and used by both client and server to avoid chosen plaintext attacks, and to provide mutual authentication. The security of the implementation depends on a good choice. It is RECOMMENDED that it contain at least 64 bits of entropy.
Chrome Releases reports:
This update includes 12 security fixes:
- [414760982] Medium CVE-2025-8576: Use after free in Extensions. Reported by asnine on 2025-04-30
- [384050903] Medium CVE-2025-8577: Inappropriate implementation in Picture In Picture. Reported by Umar Farooq on 2024-12-14
- [423387026] Medium CVE-2025-8578: Use after free in Cast. Reported by Fayez on 2025-06-09
- [407791462] Low CVE-2025-8579: Inappropriate implementation in Gemini Live in Chrome. Reported by Alesandro Ortiz on 2025-04-02
- [411544197] Low CVE-2025-8580: Inappropriate implementation in Filesystems. Reported by Huuuuu on 2025-04-18
- [416942878] Low CVE-2025-8581: Inappropriate implementation in Extensions. Reported by Vincent Dragnea on 2025-05-11
- [40089450] Low CVE-2025-8582: Insufficient validation of untrusted input in DOM. Reported by Anonymous on 2017-10-31
- [373794472] Low CVE-2025-8583: Inappropriate implementation in Permissions. Reported by Shaheen Fazim on 2024-10-16
The Apache httpd project reports:
'RewriteCond expr' always evaluates to true in 2.4.64.
An integer overflow in the archive_read_format_rar_seek_data() function may lead to a double free problem.
Exploiting a double free vulnerability can cause memory corruption. This in turn could enable a threat actor to execute arbitrary code. It might also result in denial of service.
cve-coordination@google.com reports:
An integer overflow can be triggered in SQLite's `concat_ws()` function. The resulting, truncated integer is then used to allocate a buffer. When SQLite then writes the resulting string to the buffer, it uses the original, untruncated size and thus a wild heap buffer overflow of size ~4GB can be triggered. This can result in arbitrary code execution.
Deluan Quintão reports:
A permission verification flaw in Navidrome allows any authenticated regular user to bypass authorization checks and perform administrator-only transcoding configuration operations, including creating, modifying, and deleting transcoding settings.
cve-coordination@google.com reports:
An integer overflow in the sqlite3KeyInfoFromExprList function in SQLite versions 3.39.2 through 3.41.1 allows an attacker with the ability to execute arbitrary SQL statements to cause a denial of service or disclose sensitive information from process memory via a crafted SELECT statement with a large number of expressions in the ORDER BY clause.
Lib-Crypt-CBC project reports:
Crypt::CBC versions between 1.21 and 3.05 for Perl may use the rand() function as the default source of entropy, which is not cryptographically secure, for cryptographic functions. This issue affects operating systems where "/dev/urandom" is unavailable. In that case, Crypt::CBC will fall back to using the insecure rand() function.
cmpilato reports:
The ViewVC standalone web server (standalone.py) is a script provided in the ViewVC distribution for the purposes of quickly testing a ViewVC configuration. This script can in particular configurations expose the contents of the host server's filesystem through a directory traversal-style attack.
Manu reports:
The vulnerability is caused by an insufficient check on the length of a decompressed domain name within a DNS packet.
An attacker can craft a malicious DNS packet containing a highly compressed domain name. When the resolv library parses such a packet, the name decompression process consumes a large amount of CPU resources, as the library does not limit the resulting length of the name.
This resource consumption can cause the application thread to become unresponsive, resulting in a Denial of Service condition.
security@mozilla.org reports:
Memory safety bugs present in Firefox 140 and Thunderbird 140. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
Focus incorrectly truncated URLs towards the beginning instead of around the origin.
security@mozilla.org reports:
Memory safety bugs present in Firefox ESR 140.0, Thunderbird ESR 140.0, Firefox 140 and Thunderbird 140. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
security@mozilla.org reports:
In some cases search terms persisted in the URL bar even after navigating away from the search page.
security@mozilla.org reports:
Thunderbird ignored paths when checking the validity of navigations in a frame.
security@mozilla.org reports:
Setting a nameless cookie with an equals sign in the value shadowed other cookies, even if the nameless cookie was set over HTTP and the shadowed cookie included the `Secure` attribute.
security@mozilla.org reports:
Thunderbird cached CORS preflight responses across IP address changes. This allowed circumventing CORS with DNS rebinding.
security@mozilla.org reports:
Memory safety bugs present in Firefox ESR 128.12, Thunderbird ESR 128.12, Firefox ESR 140.0, Thunderbird ESR 140.0, Firefox 140 and Thunderbird 140. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
security@mozilla.org reports:
Memory safety bugs present in Firefox ESR 115.25, Firefox ESR 128.12, Thunderbird ESR 128.12, Firefox ESR 140.0, Thunderbird ESR 140.0, Firefox 140 and Thunderbird 140. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
security@mozilla.org reports:
The JavaScript engine did not handle closed generators correctly and it was possible to resume them leading to a nullptr deref.
security@mozilla.org reports:
XSLT document loading did not correctly propagate the source document which bypassed its CSP.
security@mozilla.org reports:
The `username:password` part was not correctly stripped from URLs in CSP reports potentially leaking HTTP Basic Authentication credentials.
security@mozilla.org reports:
Insufficient escaping in the Copy as cURL feature could potentially be used to trick a user into executing unexpected code.
security@mozilla.org reports:
Thunderbird executed `javascript:` URLs when used in `object` and `embed` tags.
security@mozilla.org reports:
On arm64, a WASM `br_table` instruction with a lot of entries could lead to the label being too far from the instruction causing truncation and incorrect computation of the branch address.
security@mozilla.org reports:
On 64-bit platforms IonMonkey-JIT only wrote 32 bits of the 64-bit return value space on the stack. Baseline-JIT, however, read the entire 64 bits.
cve@mitre.org reports:
A flaw exists in gdk-pixbuf within the gdk_pixbuf__jpeg_image_load_increment function (io-jpeg.c) and in glib’s g_base64_encode_step (glib/gbase64.c). When processing maliciously crafted JPEG images, a heap buffer overflow can occur during Base64 encoding, allowing out-of-bounds reads from heap memory, potentially causing application crashes or arbitrary code execution.
PowerDNS Team reports:
An attacker spoofing answers to ECS enabled requests sent out by the Recursor has a chance of success higher than non-ECS enabled queries. The updated version includes various mitigations against spoofing attempts of ECS enabled queries by chaining ECS enabled requests and enforcing stricter validation of the received answers. The strictest mitigation is done when the new setting outgoing.edns_subnet_harden (old style name edns-subnet-harden) is enabled.
Gitlab reports:
Cross-site scripting issue impacts Kubernetes Proxy in GitLab CE/EE
Cross-site scripting issue impacts Kubernetes Proxy in GitLab CE/EE using CDNs
Exposure of Sensitive Information to an Unauthorized Actor issue impacts GitLab CE/EE
Improper Access Control issue impacts GitLab EE
Exposure of Sensitive Information to an Unauthorized Actor issue impacts GitLab CE/EE
Improper Access Control issue impacts GitLab CE/EE
cve-coordination@google.com reports:
There exists a vulnerability in SQLite versions before 3.50.2 where the number of aggregate terms could exceed the number of columns available. This could lead to a memory corruption issue.
security-advisories@github.com reports:
7-Zip is a file archiver with a high compression ratio. Zeroes written outside heap buffer in RAR5 handler may lead to memory corruption and denial of service in versions of 7-Zip prior to 25.0.0. Version 25.0.0 contains a fix for the issue.
WasmTime development team reports:
A bug in Wasmtime's implementation of the WASIp1 set of import functions can lead to a WebAssembly guest inducing a panic in the host (embedder).
sep@nlnetlabs.nl reports:
A multi-vendor cache poisoning vulnerability named 'Rebirthday Attack' has been discovered in caching resolvers that support EDNS Client Subnet (ECS). Unbound is also vulnerable when compiled with ECS support, i.e., '--enable-subnet', AND configured to send ECS information along with queries to upstream name servers, i.e., at least one of the 'send-client-subnet', 'client-subnet-zone' or 'client-subnet-always-forward' options is used. Resolvers supporting ECS need to segregate outgoing queries to accommodate for different outgoing ECS information. This re-opens up resolvers to a birthday paradox attack (Rebirthday Attack) that tries to match the DNS transaction ID in order to cache non-ECS poisonous replies.
The OpenQuantumSafe project reports:
Secret-dependent branching in HQC reference implementation when compiled with Clang 17-20 for optimizations above -O0
Daiki Ueno reports:
- libgnutls: Fix heap read buffer overrun in parsing X.509 SCTS timestamps. Spotted by oss-fuzz and reported by OpenAI Security Research Team, and fix developed by Andrew Hamilton. [GNUTLS-SA-2025-07-07-1, CVSS: medium] [CVE-2025-32989]
- libgnutls: Fix double-free upon error when exporting otherName in SAN. Reported by OpenAI Security Research Team. [GNUTLS-SA-2025-07-07-2, CVSS: low] [CVE-2025-32988]
- certtool: Fix 1-byte write buffer overrun when parsing template. Reported by David Aitel. [GNUTLS-SA-2025-07-07-3, CVSS: low] [CVE-2025-32990]
- libgnutls: Fix NULL pointer dereference when 2nd Client Hello omits PSK. Reported by Stefan Bühler. [GNUTLS-SA-2025-07-07-4, CVSS: medium] [CVE-2025-6395]
Alan Coopersmith reports:
On 6/16/25 15:12, Alan Coopersmith wrote:
BTW, users of libxml2 may also be using its sibling project, libxslt, which currently has no active maintainer, but has three unfixed security issues reported against it according to https://gitlab.gnome.org/Teams/Releng/security/-/wikis/2025#libxml2-and-libxslt
2 of the 3 have now been disclosed:
(CVE-2025-7424) libxslt: Type confusion in xmlNode.psvi between stylesheet and source nodes
https://gitlab.gnome.org/GNOME/libxslt/-/issues/139
https://project-zero.issues.chromium.org/issues/409761909
(CVE-2025-7425) libxslt: heap-use-after-free in xmlFreeID caused by `atype` corruption
https://gitlab.gnome.org/GNOME/libxslt/-/issues/140
https://project-zero.issues.chromium.org/issues/410569369
Engineers from Apple & Google have proposed patches in the GNOME gitlab issues, but neither has had a fix applied to the git repo since there is currently no maintainer for libxslt.
Note that a fourth vulnerability was reported on June 18, 2025, which remains undisclosed to date (GNOME libxslt issue 148, link below), see https://gitlab.gnome.org/Teams/Releng/security/-/wikis/2025#libxml2-and-libxslt
Iván Chavero reports vs. v1.1.44:
[CVE-2025-11731] Fix: End function node ancestor search at document