Latest News

February Microsoft Patch Tuesday. 89 CVEs, 33 added since January. Two with signs of exploitation in the wild: 🔻 EoP – Windows Ancillary Function Driver for WinSock (CVE-2025-21418)🔻 EoP – Windows Storage (CVE-2025-21391) There are no vulnerabilities with public exploits, but there are 7 with private ones: 🔸 RCE – Microsoft Edge (CVE-2025-21279, CVE-2025-21283)🔸 Auth. […]

### Impact Chains using affected versions of Packet Forward Middleware in their IBC Transfer stack are vulnerable to an attack in which there is a potential denial of service. This affects IBC transfers for any asset which is being transferred between another chain and its native chain. We recommend upgrading as soon as possible. __THIS IS A STATE BREAKING CHANGE__ ### Patches Versions [7.2.1](https://github.com/cosmos/ibc-apps/releases/tag/middleware%2Fpacket-forward-middleware%2Fv7.2.1) and [8.1.1](https://github.com/cosmos/ibc-apps/releases/tag/middleware%2Fpacket-forward-middleware%2Fv8.1.1) are patched. ### Workarounds N/A ### References N/A

### Impact _What kind of vulnerability is it? Who is impacted?_ Remote code execution is possible in web-accessible installations of hypercube. ### Patches _Has the problem been patched? What versions should users upgrade to?_ Not yet, though no patch is neccessary if your installation of the microservices is behind a firewall. See below. ### Workarounds _Is there a way for users to fix or remediate the vulnerability without upgrading?_ The exploit requires making a request against Hypercube's endpoints; therefore, the ability to make use of the exploit is much reduced if the microservice is not directly accessible from the Internet, so: Prevent general access from the Internet from hitting Hypercube. Furthermore, if you've used any of the official installation methods, your Crayfish will be behind a firewall and there is no work neccessary. The webserver might be made to validate the structure of headers passed, but that would only be neccessary if you publicly exposed the en...

The open technology, which tackles disinformation, has gained steam in the past year, surpassing 500 corporate members and continuing to evolve.

Sponsored by accessiBe

### Summary Private key can be extracted from ECDSA signature upon signing a malformed input (e.g. a string or a number), which could e.g. come from JSON network input Note that `elliptic` by design accepts hex strings as one of the possible input types ### Details In this code: https://github.com/indutny/elliptic/blob/3e46a48fdd2ef2f89593e5e058d85530578c9761/lib/elliptic/ec/index.js#L100-L107 `msg` is a BN instance after conversion, but `nonce` is an array, and different BN instances could generate equivalent arrays after conversion. Meaning that a same `nonce` could be generated for different messages used in signing process, leading to `k` reuse, leading to private key extraction from a pair of signatures Such a message can be constructed for any already known message/signature pair, meaning that the attack needs only a single malicious message being signed for a full key extraction While signing unverified attacker-controlled messages would be problematic itself (and exploi...

### Summary This report finds 2 availability issues due to the regex used in the `parse-duration` npm package: 1. An event loop delay due to the CPU-bound operation of resolving the provided string, from a 0.5ms and up to ~50ms per one operation, with a varying size from 0.01 MB and up to 4.3 MB respectively. 2. An out of memory that would crash a running Node.js application due to a string size of roughly 10 MB that utilizes unicode characters. ### PoC Refer to the following proof of concept code that provides a test case and makes use of the regular expression in the library as its test case to match against strings: ```js // Vulnerable regex to use from the library: import parse from './index.js' function generateStressTestString(length, decimalProbability) { let result = ""; for (let i = 0; i < length; i++) { if (Math.random() < decimalProbability) { result += "....".repeat(99); } result += Math.floor(Math.random() * 10); } return result; } function ...

US, UK, and Australian law enforcement have targeted a company called Zservers (and two of its administrators) for providing bulletproof hosting services to the infamous ransomware gang.

### Summary Koa uses an evil regex to parse the `X-Forwarded-Proto` and `X-Forwarded-Host` HTTP headers. This can be exploited to carry out a Denial-of-Service attack. ### PoC Coming soon. ### Impact This is a Regex Denial-of-Service attack and causes memory exhaustion. The regex should be improved and empty values should not be allowed.

Calls to `cng.TLS1PRF` don't release the key handle, producing a small memory leak every time.