Top Tweets for #LastWeekInAppSec
With the #Axios supply chain issue last week, you might have missed a couple of other supply chain issues. #LastWeekInAppSec included:
🔨 rapid exploitation of a code injection + RCE in #Langflow AI platform (#CVE-2026-33017)
🕵️♂️ a clever malicious #Python package (#Telnyx) that used a valid .wav audio file to hide its payload.
▷ Read the details: https://t.co/TGsOEVB97R
#AppSec #DevSecOps #MaliciousPackage #SupplyChainSecurity #DevOps #LLM #AISecurity
Looking at the #LastWeekInAppSec, we see two widely-used application components with Denial of Service, and a nasty little path traversal in a package manager.
▷ Oracle's Java SE and GraalVM offerings have a denial of service (DoS) in specific cases where they're processing untrusted code. Worth updating if you have a product that's intended to run customer code in any way. CVE-2026-21945
▷ React 19 has a DoS too, for apps using Server Function endpoints. This one is quite a bit easier to attack if you expose those endpoints (directly or indirectly), allowing an adversary to run up your cloud bill or even crash your application. CVE-2026-23864
▷ pnpm, an alternative to the npm package manager (but that still uses the npm registry under the covers), has a nasty path traversal that leaves a door open for malicious packages to do a lot of damage. This one's a priority. CVE-2026-23888
Details, mitigations, context for making risk-based decisions all on our blog: https://t.co/VXxDTT9zBi
#React #NodeJS #Java #pnpm #npm #CVE #Vulnerability #DoS
This #LastWeekInAppSec is a great reminder that automation and dev tooling is part of an organizations attack surface. #Sigstore, #pnpm, and #n8n all have vulns to pay attention to, but (mostly) not panic over.
👉 should you worry? read: https://t.co/G70mOwumZo
#AppSec #ProductSecurity #DevSecOps #DevOps
#LastWeekInAppSec was a busy one! Not only did we have #ShaiHulud rear its head again:
☕️ The node-forge toolkit for #JavaScript, which has been widely adopted as a provider for various encryption and digital signature purposes, has a vulnerability in versions through 1.3.1 that can lead to bypassing signature checks (CVE-2025-12816, CVSSv3 8.6). Update to [email protected] or newer promptly if impacted.
🤦 The open-source identity management and provisioning system Apache Syncope uses a default, hard-coded AES key to protect user passwords when administrators select “AES password encryption” for the storage method. This allows attackers who manage to get a copy of the encrypted password database to use this publicly-available key to decrypt every password stored. Syncope 2.1.0–2.1.14, 3.0.0–3.0.14, and 4.0.0–4.0.2 are affected, with fixes in 3.0.15 and 4.0.3, and a backported fix for 2.1.x available.
🏷️ A recent Ubuntu advisory brought new attention to older vulnerabilities in the libraries libxml2 and libxslt, which underly many applications with XML parsing or generation capabilities, including the GNOME desktop environment and Python’s popular lxml package. In April and July, several CVEs (CVE-2025-32414, CVE-2025-32415, CVE-2025-49794, plus libxslt CVE-2025-7425) were published related to memory-safety issues that can lead to crashes and other vulnerable behaviors in consuming applications.
🧪 GitLab’s Community Edition and Enterprise Edition patch notes detail several significant vulnerabilities patched in GitLab 18.6.1, 18.5.3, and 18.4.5. The issues include a registration issue that can result in authentication bypass across organization and group boundaries. daries.
Get details and analysis here: https://t.co/go9NG0ErXx
#LastWeekInAppSec, we see an #NPM module meant for safety not be so safe, and a tool for #agentic #AI workflow design let attackers change user passwords.
https://t.co/gVClsweoew
🧮 The NPM module `expr-eval` is supposed to allow safe, sandboxed evaluation of mathematical expressions. While it's safer than raw `eval`, an input validation bug opens adopters to #RCE when attackers slip serialized functions or the like into expression variables. CVE-2025-12735. Repair requires moving to unreleased (but merged) versions or `expr-eval-fork`
🤖 The Flowise visual designer for agentic AI workflows didn't properly verify existing passwords before allowing a user to make a password change. This issue is discovered on the heels of other issues that allowed attackers to easily obtain an authenticated session: if you were dragging your heels on an upgrade, it's definitely time to prioritize it now.
#AppSec #CyberSecurity #SoftwareSecurity #SupplyChainSecurity
#OpenSourceSecurity #JavaScriptSecurity #NodeSecurity
#DevSecOps #SecureCoding #VulnerabilityManagement
#CVE #Infosec #SecurityTesting #ProductSecurity
#LastWeekInAppSec for 11. Nov documents two low-severity but potentially important flaws.
🐱 Apache Tomcat — A multipart upload cleanup delay (CVE-2025-61795) can fill disks and cause a DoS or cloud billing issues.
🤖 Vercel AI SDK — An index error (CVE-2025-48985) lets unsafe files slip past type checks, a potential foothold for AI context poisoning.
Both are reasonable to exploit. But also easy to patch. Full details, detection commands, and mitigations in this week’s roundup:
🔗  https://t.co/U7sk6JTaIY
#AppSec #DevSecOps #CVE #ApacheTomcat #Vercel #Security #Infosec #Checkmarx
☔️ #LastWeekInAppSec: Two significant regressions hit popular DevOps tools.
🪄 Jenkins SAML Plugin (CVE-2025-64131) allows #SAML assertion replay — attackers could impersonate legitimate users if they capture network traffic. A missing replay cache is to blame. Fixed versions close the gap, but older builds remain exposed. HTTPS is a significant mitigation when properly implemented.
🐱 Apache Tomcat RewriteValve (CVE-2025-55752, CVSS 7.5) mishandles URL rewrite normalization and decoding again, creating a path traversal risk that could expose sensitive files — and in rare cases, even allow file replacement or #RCE.
Read full details, detection commands, and mitigations in this week’s roundup:
🔗 https://t.co/xTvv5RSciU
#AppSec #DevSecOps #Jenkins #Tomcat #CVE #Security #Infosec #Checkmarx
It's #LastWeekInAppSec time!
🐍 #Authlib, a popular #Python library for implementing #OAuth and #OpenID (remember that?) servers, has a pair of vulnerabilities (CVE-2025-61920, CVE-2025-59420; both CVSSv3=7.5) in it’s handling of JOSE and #JWS tokens. CVE-2025-61920 is a recent disclosure which has renewed interest in CVE-2025-59420, disclosed earlier this year. These issues allow attackers to bypass certain security-relevant header chcecks, resulting in #DenialOfService attacks and policy bypass. In some cases, this allows for #PrivilegeEscalation. Patches for both are available starting in Authlib 1.6.5.
🍃 Spring Framework has a #vulnerability (CVE-2025-41254, CVSS=4.3) in its global and automatic anti-CSRF mechanisms. This vulnerability allows endpoints using the STOMP protocol over WebSockets to be vulnerable to CSRF attacks (CVE-352). Attackers can send STOMP messages that should be rejected, but are not, allowing impersonation of users. Many affected versions (5.3.0–5.3.45, 6.0.0–6.0.29, 6.1.0–6.1.23, 6.2.0–6.2.11), see the advisory for upgrade details.
See https://t.co/A88vAICPrg for deeper analysis including mitigation steps and how to tell if you're impacted.
#AppSec #VulnManagement #CyberSecurity #SupplyChainSecurity
It's #LastWeekInAppSec time again! This week we have a use-after-free vulnerability in #Poppler, a widely-used PDF rendering library; and an Insecure Direct Object Reference (IDOR) in a Liferay web portal that leaks #PII. Summary below, details at https://t.co/8MU0846nzq
📑 A use-after-free (write) has been found in popular PDF rendering library Poppler prior to 25.10.0 (CVE-2025-52885 CVSSv3=7.8), providing a vector for information exposure and possibly arbitrary code execution. Patch Poppler to 25.10.0; or, if your vendor has backported the fix, apply that.
🫡 A parameter-validation flaw (IDOR) in Liferay’s Account Admin Web module allows attackers to leverage a user-controlled key to access privileged functions in the panel (CVE-2025-62242 CVSSv3=9.1). Issue exists in in Liferay Portal 7.4.3.4 through 7.4.3.111; and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, and 7.4 GA through update 92. Apply patches as appropriate; since it affects PII in many deployments, compliance and regulatory requirements may be in play.
#AppSec #CyberSecurity #SupplyChainSecurity #OpenSourceSecurity #OpenSource #CVE #Vulnerability #SecurityResearch
In this week's #LastWeekInAppSec (07. Oct 2025): Django allowing SQLi when backed by MySQL or MariaDB; FreshRSS letting anyone self-register as an admin.
Even if you aren't impacted by these vulnerabilities, they're excellent case studies for #AppSec teams on the challenges of avoiding even common weaknesses (like SQLi) and ensuring that designs are reviewed alongside implementations.
https://t.co/HuW1BrCsOt
#InfoSec #CyberSecurity #WebSecurity #DevSecOps #VulnerabilityManagement #SQLi #Django #FreshRSS #PatchManagement #CVE
#LastWeekInAppSec for 30 Sep 2025 is live! Here are some #ApplicationSecurity news items that might have flown under your radar last week.
📨 go-mail SMTP command injection
A casting mistake let crafted recipient addresses smuggle SMTP commands. Severity: CVSSv4 8.2.
Action: upgrade to v0.7.1, sanitize untrusted addresses, and review mail logs for odd RCPT TO:/DATA sequences.
🔐 Rancher SAML flow abuse (Manager + CLI)
Phishing with a malicious URL could force re-auth to an attacker-controlled endpoint and expose tokens, lead to privilege elevation during attack. CVE-2024-58267.
Action: upgrade to 2.12.2 / 2.11.6 / 2.10.10 / 2.9.12, enforce strict allowlists for requestId/publicKey, shorten token TTLs, and train admins on URL validation.
Get the 3-minute read with details, mitigations, and links:
https://t.co/BvSAjUCbvW
#AppSec #DevSecOps #IncidentResponse #Kubernetes #Rancher #GoLang #EmailSecurity #SAML #OAuth #SupplyChainSecurity #BlueTeam #SecurityEngineering
Two under-the-radar issues happened #LastWeekInAppSec, while we were all focused on the Shai-Hulud attacks:
☕️ Jenkins + Jenkins Core HTTP/2 DoS when using embedded web server (CVE-2025-5115). Impact: unauth DoS when HTTP/2 is enabled. Fix: Jenkins 2.524/LTS 2.516.3. Interim: disable HTTP/2 or run behind Tomcat instead of using the bundled Jetty server.
🧊 Kubernetes C# client cert validation (CVE-2025-9708). Impact: potential MitM when using custom CA configurations. Fix: v17.0.14+. Interim: move custom CA from kubeconfig into system trust store to raise exploit difficulty.
More details: https://t.co/hz1ILPsjCm
#AppSec #DevSecOps #Jenkins #Jetty #HTTP2 #Kubernetes #K8s #CVE #VulnerabilityManagement #SecureByDesign
Hono JS framework auth bypass, Netty java framework 0-day, and Claude Code warning about its warnings #LastWeekInAppSec (09. September 2025)
🙉 Developers using the Hono JavaScript web framework, which is rapidly gaining popularity, are affected by a High (CVSS 7.5) severity vulnerability (CVE-2025-58362) that can allow attackers to bypass access controls configured in application proxies (like Nginx’s location blocks) due to path parsing confusion. Hono versions from 4.8.0 are affected; upgrade to 4.9.6 or newer. If using a reverse proxy for access control, ensure it rejects malformed requests and keeps explicit location ACLs for admin/debug paths.
🥷 Netty, a popular Java framework for high-performance network protocol servers, experienced a 0-day vulnerability disclsore related to request smuggling (CVE-2025-58056). Older versions through https://t.co/Lf4gnnQvln, and newer versions 4.2.0.Alpha1 through https://t.co/hHHMQtmIQn are impacted. The Netty team promptly responded to the disclosure and ensured advisories were issued. Upgrade to the patched Netty release noted in the advisory. Add normalization and disable legacy chunk extension handling in your reverse proxies to mitigate.
🤖 Claude Code startup trust leads to code execution (GHSA-ph6w-f82w-28w6). The initial “trust this folder” prompt understated that agreeing allows execution of local files. Upgrade @anthropic-ai/claude-code to 1.0.87. Anthropic recommands you treat untrusted projects as hostile and run tools with least privilege; we wholeheartedly agree! See our previous work: Bypassing Claude Code: How Easy Is It to Trick an AI Security Reviewer?
More details in our blog: https://t.co/dChdbT4wjp
#LastWeekInAppSec #AppSec #ApplicationSecurity #InfoSec #SecurityNews #CVE #GHSA #Hono #HonoJS #AccessControl #ReverseProxy #Nginx #Netty #Java #JavaSecurity #HTTP #RequestSmuggling #ClaudeCode #Anthropic #AIDevTools #LeastPrivilege
Lessons from session takeovers in Payload CMS, and malicious workflows in the Nx build system leaked secrets; #LastWeekInAppSec (2. September 2025)
🪪 Payload CMS SQLite adapter session management issues can lead to account takeover (CVE-2025-4644 and CVE-2025-4633). New accounts could inherit a reused JWT, enabling account takeover. Update Payload, @payloadcms/next, and @payloadcms/graphql to 3.44.0 or newer, invalidate all sessions, rotate JWT secrets, and review auth logs for odd sign-ins.
💧 Malicious Nx versions, including several items in the @nx namespace, were published to npm via compromised pipeline (no CVE yet issued). Malicious releases exfiltrated credentials and created repos on victim GitHub accounts. Check GitHub security logs for creation of repos anamed s1ngularity-repository. Also rotate tokens (GitHub, npm, CI), upgrade Nx Console to stop implicit installs, and pin deps with provenance.
Additional details: https://t.co/cFPRuSpGZo
#AppSec #CyberSecurity #DevSecOps #SupplyChainSecurity #OpenSourceSecurity #CVE #VulnerabilityManagement #SoftwareSecurity #InfoSec
#LastWeekInAppSec for 19. August 2025: Code injection in AI Agent dev tool, path traversal in `go-getter`, model code injection protection bypass in TensorFlow Keras, and unsafe ImageMagick use in Rails Active storage
https://t.co/NnWqqFKRhG for details, mitigations, etc.. Summary:
⏳ Flowise — a visual workflow developer for Agentic AI — versions prior to 3.0.6 had an arbitrary JavaScript injection (CVSS 9.8) bug that let an attacker run code in the Flowise context, leading to secrets/tokens leakage and RCE in some deployments. Flowise users should upgrade to at least 3.0.6, rotate any API keys used by flows, and audit Flowise logs for suspicious node/flow edits.
🌎 Popular Go module go-getter from Hashicorp (makers of the popular Terraform and Vault products) has a symlink style path traversal flaw (CVSS 7.5), allowing users to read files outside a specified directory. Upgrade to 1.7.9 or newer, and review build agents to make sure they’re running tools with least privilege.
🤖 Keras — the high-level API for the TensorFlow ML framework – has a “safe_mode” bypass that lets crafted models trigger arbitrary file writes (and sometimes RCE) even with safe_mode on; fixed in Keras 3.11.0. Upgrade Keras to at least 3.11.0, avoid loading untrusted .keras models, and consider allow‑listing deserialization targets.
🛤️ Rails Active Storage allowed unsafe image transformation methods/params by default (CVSSv4 8.2) in many versions since 5.2.0. This flaw enables potential command injection when user‑supplied params flow in. Upgrade active_storage to 7.1.5.2, 7.2.2.2, or 8.0.2.1; review code to ensure your applications avoid passing arbitrary transform params.
Time for another #LastWeekInAppSec for 12. Aug 2025: ChatGPT-5 system prompt leaked, CISA supports CVE, and AppSec Village completes
💧 OpenAI released GPT-5 in its ChatGPT platform, but researchers almost immediately discovered and published the ChatGPT5 system prompt, reminding us that system prompts should not contain anything critical or sensitive.
🎖️ CISA (US Cybersecurity & Infrastructure Security Agency) pleged continued support of the CVE program, an important message after April’s de-funding scare.
🙂 The AppSec Village at DEFCON33 ran, with many engaging and educational talks. Keep an eye on the YouTube channel, but be patient – it can take a few months.
https://t.co/rOClRqUq9g
Looking for #LastWeekInAppSec for 5. Aug? We're taking a bye week on it to hang out at #BHUSA and #DEFCON -- look for us to get back on it next week! Meanwhile, keep an eye out for your friendly researchers (and Darren) around Las Vegas.
It's time for another #LastWeekInAppSec (29. July 2025) -- AppSec items of interest you might have missed in the last week.
🤖 Go package ekuiper, a moderately popular server and framework for IoT data analytics and stream processing, has a SQL Injection flaw (GHSA-526j-mv3p-f4vv and CVE-2025-54379), allowing attackers to perform damaging SQL operations; the example given drops the users table entirely. https://t.co/pcp0V6K0bV
🍴 Popular JavaScript HTTP client library axios is impacted by a serious vulnerability in a downstream library. While the advisory has been withdrawn for Axios itself, the vulnerability is still present in the transitive dependency form-data. This means you can fix either by updating axios to at least 1.11.0, or explicitly override the form-data version to 4.0.4. https://t.co/cbTDp5a9U0
Details: https://t.co/ObfcHvHQy5
It's 22. July and time for another #LastWeekInAppSec — security stories you might have missed.
🚙 PCA Cyber Security developed an attack stack exploiting a stack of memory-corruption and program-logic vulnerabilities in the BlueSDK Bluetooth stack provided by OpenSynergy. PerfektBlue can compromise millions of devices that include BlueSDK, From mobile phones and portable media devices to cars. Assigned CVEs CVE-2024-45431, CVE-2024-45432, CVE-2024-45433, and CVE-2024-45434. https://t.co/tVMhLAh0X5
📤 Wiz discovers container escape vulnerability in the NVIDIA Container Toolkit (CVE-2025-23266). Container definition files could exploit the vulnerable hooks during container creation. https://t.co/QB7CQIWrgi
📉 Grafana dashboards vulnerable to XSS, without requiring editor access. As a result of their bug bounty program, Grafana Labs repaired CVE-2025-6023, a Cross-Site Scripting (XSS) vulnerability that only requires anonymous access be enabled. https://t.co/ack1Irf8Zt
More details: https://t.co/zXjyBcvQBZ
#LastWeekInAppSec
⎈ The Kubernetes package manager Helm has a high-severity Code Injection vulnerability CVE-2025-53547.
🚂 The Conductor open-source microservices workflow orchestrator is vulnerable to a Remote Code Execution #RCE (CVE-2025-26074)
More details: https://t.co/dBtaOTyWRt
Last Seen Hashtags on Sotwe
Most Popular Users
Elon Musk 
@elonmusk
240.1M followers
Barack Obama
@barackobama
119.3M followers
Donald J. Trump
@realdonaldtrump
111.6M followers
Cristiano Ronaldo
@cristiano
108.8M followers
Narendra Modi
@narendramodi
106.9M followers
Rihanna
@rihanna
97.2M followers
NASA
@nasa
92.1M followers
Justin Bieber
@justinbieber
90.5M followers
KATY PERRY
@katyperry
86.7M followers
Taylor Swift
@taylorswift13
80.5M followers
Lady Gaga
@ladygaga
72.1M followers
Kim Kardashian
@kimkardashian
69.3M followers
YouTube
@youtube
68.6M followers
Virat Kohli
@imvkohli
68.4M followers
Bill Gates
@billgates
63.4M followers
The Ellen Show
@theellenshow
62.5M followers
CNN
@cnn
61.9M followers
Neymar Jr
@neymarjr
60.9M followers
X
@x
60.9M followers
CNN Breaking News
@cnnbrk
59.9M followers