Security
Headlines
HeadlinesLatestCVEs

Tag

#git

GHSA-hcrg-fc28-fcg5: parse-duration has a Regex Denial of Service that results in event loop delay and out of memory

### Summary This report finds 2 availability issues due to the regex used in the `parse-duration` npm package: 1. An event loop delay due to the CPU-bound operation of resolving the provided string, from a 0.5ms and up to ~50ms per one operation, with a varying size from 0.01 MB and up to 4.3 MB respectively. 2. An out of memory that would crash a running Node.js application due to a string size of roughly 10 MB that utilizes unicode characters. ### PoC Refer to the following proof of concept code that provides a test case and makes use of the regular expression in the library as its test case to match against strings: ```js // Vulnerable regex to use from the library: import parse from './index.js' function generateStressTestString(length, decimalProbability) { let result = ""; for (let i = 0; i < length; i++) { if (Math.random() < decimalProbability) { result += "....".repeat(99); } result += Math.floor(Math.random() * 10); } return result; } function ...

ghsa
Open in Source
#mac#dos#nodejs#js#git#java#c++
Feds Sanction Russian Hosting Provider for Supporting LockBit Attacks

US, UK, and Australian law enforcement have targeted a company called Zservers (and two of its administrators) for providing bulletproof hosting services to the infamous ransomware gang.

Online Threats Are Rising -Here’s Why Companies Must Improve Their Cybersecurity

Cybersecurity is a must as online threats rise. Businesses must train employees, back up data, and adopt strong…

Microsoft: Russia's Sandworm APT Exploits Edge Bugs Globally

Sandworm (aka Seashell Blizzard) has an initial access wing called "BadPilot" that uses standard intrusion tactics to spread Russia's tendrils around the world.

A Hacker Group Within Russia’s Notorious Sandworm Unit Is Breaching Western Networks

A team Microsoft calls BadPilot is acting as Sandworm's “initial access operation,” the company says. And over the last year it's trained its sights on the US, the UK, Canada, and Australia.

Fake Etsy invoice scam tricks sellers into sharing credit card information 

Etsy sellers are being targeted by scammers that use a legitimate Etsy domain to host their dodgy PDFs.

India's Cybercrime Problems Grow as Nation Digitizes

More than half of attacks on Indian businesses come from outside the country, while 45% of those targeting consumers come from Cambodia, Myanmar, and Laos.

This Ad-Tech Company Is Powering Surveillance of US Military Personnel

In a letter to a US senator, a Florida-based data broker says it obtained sensitive data on US military members in Germany from a Lithuanian firm, revealing the global nature of online ad surveillance.

What Is a Personal VPN? Features, Benefits, and How It Works

Privacy, security, and unrestricted access are the promises of a personal VPN. But what does it actually do,…

GHSA-fppq-f2m6-xv5c: Improper Authorization vulnerability in Magento and Adobe Commerce

Adobe Commerce versions 2.4.7-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by an Improper Authorization vulnerability that could result in Privilege escalation. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized access. Exploitation of this issue does not require user interaction. A successful attacker can abuse this to achieve session takeover, increasing the confidentiality and integrity impact as high.