GitHub Security Lab researchers find vulnerabilities in key, widely-used open source projects. We then coordinate the disclosure of those vulnerabilities to security teams at those projects. We only publish vulnerabilities here after they’ve been announced by the affected projects' development teams and patches are available. See our disclosure policy below for more information.
The project contains one or more regular expressions that are vulnerable to ReDoS (Regular Expression Denial of Service)
The unsafe handling of symbolic links in an unpacking routine may enable attackers to read and/or write to arbitrary locations outside the designated target folder.
A Server-Side Template Injection was identified in BrowserUp Proxy enabling attackers to inject arbitrary Java EL expressions, leading to an unauthenticated Remote Code Execution (RCE) vulnerability.
Two GitHub workflows of alpakka-kafka and akka-grpc are vulnerable to unauthorized modification of the base repository or secrets exfiltration from a Pull Request
A GitHub workflow of illright/attractions is vulnerable to unauthorized modification of the base repository or secrets exfiltration from a Pull Request
A GitHub workflow of popsim-consortium/stdpopsim is vulnerable to unauthorized modification of the base repository or secrets exfiltration from a Pull Request
A GitHub workflow of gpuweb/cts is vulnerable to unauthorized modification of the base repository or secrets exfiltration from a Pull Request
A GitHub workflow of rux616/karabiner-windows-mode is vulnerable to unauthorized modification of the base repository or secrets exfiltration from a Pull Request
The design and promoted usage examples of awslabs/one-line-scan make consuming workflows vulnerable to arbitrary code execution
A GitHub workflow of PureStake/moonbeam is vulnerable to unauthorized modification of the base repository or secrets exfiltration from a Pull Request
A GitHub workflow of cloudevents/sdk-ruby is vulnerable to unauthorized modification of the base repository or secrets exfiltration from a Pull Request
A GitHub workflow of dazuma/toys is vulnerable to unauthorized modification of the base repository or secrets exfiltration from a Pull Request
A GitHub workflow of GoogleCloudPlatform/functions-framework-ruby is vulnerable to unauthorized modification of the base repository or secrets exfiltration from a Pull Request
A GitHub workflow of open-telemetry/opentelemetry-ruby is vulnerable to unauthorized modification of the base repository or secrets exfiltration from a Pull Request
A GitHub workflow of tskit-dev/msprime is vulnerable to unauthorized modification of the base repository or secrets exfiltration from a Pull Request
A GitHub workflow of is-a-dev/register is vulnerable to unauthorized modification of the base repository or secrets exfiltration from a Pull Request
A GitHub workflow of stm32-rs/stm32-rs is vulnerable to unauthorized modification of the base repository or secrets exfiltration from a Pull Request
Two GitHub workflows of nuxt/create-nuxt-app and nuxt/modules are vulnerable to unauthorized modification of the base repository or secrets exfiltration from a Pull Request
A GitHub workflow of lampepfl/dotty is vulnerable to unauthorized modification of the base repository or secrets exfiltration from a Pull Request
A GitHub workflow of openzfs/zfs is vulnerable to unauthorized modification of the base repository or secrets exfiltration from a Pull Request
A GitHub workflow of aws/amazon-chime-sdk-js is vulnerable to arbitrary code execution
A GitHub workflow of rism-ch/verovio is vulnerable to arbitrary code execution
A GitHub workflow of redwoodjs/redwood is vulnerable to arbitrary code execution
Double evaluation of Struts tag dynamic attributes leads to Remote Code Execution
Two vulnerabilities in aptdaemon allow an unprivileged user to probe the existence of arbitrary files on the system
Some aptd daemon packages contain several bugs which an unprivileged user can exploit to trigger a local denial of service
A Template Injection was identified in Cron-Utils enabling attackers to inject arbitrary Java EL expressions, leading to an unauthenticated Remote Code Execution (RCE) vulnerability
The GitHub workflow template in namin2/dependabot_jira repository is vulnerable to template injection from user comments
Automatic GitHub workflow in hyperspacedev/starlight repository is vulnerable to template injection from user comments
Automatic GitHub workflow in ww-tech/primrose repository is vulnerable to template injection from user comments
Automatic GitHub workflow in SourcePointUSA/android-cmp-app repository is vulnerable to template injection from user comments
Automatic GitHub workflow in hashicorp/boundary-ui repository is vulnerable to template injection from user comments
A Server-Side Template Injection was identified in Corona Warn App Server enabling attackers to inject arbitrary Java EL expressions, leading to an unauthenticated Remote Code Execution (RCE) vulnerability
Automatic GitHub workflows in symless synergy-core repository are vulnerable to template injection from user comments
Automatic GitHub workflows in helm-ssm repository are vulnerable to template injection from user comments
Automatic GitHub workflows in codacy-coverage-reporter-action repository are vulnerable to template injection from user comments
Automatic GitHub workflows in bitbucket-scala-client repository are vulnerable to template injection from user comments
Automatic GitHub workflows in codacy-pylint repository are vulnerable to template injection from user comments
Automatic GitHub workflows in codacy-scalameta repository are vulnerable to template injection from user comments
Automatic GitHub workflows in codacy-analysis-cli repository are vulnerable to arbitrary code execution from user comments
Automatic GitHub workflows in codacy-coverage-reporter repository are vulnerable to template injection from user comments
The gajira-comment GitHub action supports undocumented template syntax that may lead to arbitrary code execution
The gajira-create GitHub action supports undocumented template syntax that may lead to arbitrary code execution
Unsafe deserialization vulnerabilities may lead to pre-auth Remote Code Execution (RCE) in Lumisoft MailServer
Unsafe deserialization vulnerabilities may lead to pre-auth Remote Code Execution (RCE) in Lumisoft .NET and Lumisoft MailServer
The NAN bindings provided by png-img for libpng are vulnerable to an integer overflow which results in an underallocation of heap memory and subsequent heap memory corruption.
SmartStoreNET 4.0.0 is vulnerable to Remote Code Execution (RCE) and Elevation of Privileges (EoP)
gdm3 can be tricked into launching `gnome-initial-setup`, enabling an unprivileged user to create a new user account for themselves. The new account is a member of the `sudo` group, so this enables the unprivileged user to obtain admin privileges
The accountsservice daemon drops privileges to perform certain operations, but in some cases gives unprivileged users permission to send signals. This means that the unprivileged user can send accounts-daemon a `SIGSTOP` signal, which stops the process and causes a denial of service
AspNetCoreMvcSharedLocalization is vulnerable to Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) that may lead to the elevation of privileges and per-user denial of service (DoS)
IdentityWithoutEF is vulnerable to Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) that may lead to the elevation of privileges and per-user denial of service (DoS)
reactjs-ts-identityserver is vulnerable to Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) that may lead to the elevation of privileges and per-user denial of service (DoS)
OnionArch is vulnerable to Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) that may lead to the elevation of privileges and per-user denial of service (DoS).
dapper-identity is vulnerable to Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) that may lead to the elevation of privileges and per-user denial of service (DoS)
DualAuthCore is vulnerable to Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) that may lead to the elevation of privileges and per-user denial of service (DoS)
little-aspnetcore-todo is vulnerable to Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) that may lead to the elevation of privileges and per-user denial of service (DoS)
Angular-Core-IdentityServer is vulnerable to Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) that may lead to the elevation of privileges and per-user denial of service (DoS)
DatabaseSchemaReader's tool DatabaseSchemaViewer is vulnerable to arbitrary code execution if a user is tricked into opening a specially crafted .dbschema file
FastReports is vulnerable to arbitrary code execution because it compiles and runs C# code from a report template
IdentityManager is vulnerable to Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) that may lead to the elevation of privileges and per-user denial of service (DoS).
An unprivileged local user may trigger a NULL dereference bug in Samba's Winbind service leading to Denial of Service (DoS)
HPLIP contains two memory corruption vulnerabilities which can be triggered by a malicious device or computer that is connected to the same network.
The `trainBatch` function has a command injection vulnerability. Clients of the Limdu library are unlikely to be aware of this, so they might unwittingly write code that contains a vulnerability
Missing hostname validation allows an attacker to perform a monster in the middle attack against users of the library.
Missing hostname validation allows an attacker to perform a monster in the middle attack against users of tweetstream
Although code execution is part of the intended purpose of Opener, a crafted url can run an arbitrary shell command rather than just launching a browser.
There exists a potential open redirect vulnerability in Traefik's handling of the `X-Forwarded-Prefix` header.
SQL injection and missing CSRF protection may lead to Remote Code Execution (RCE) or arbitrary file read.
There exists an `Open URL redirect` vulnerability in the 1.x.x branch of Orange Forum. An attacker can send an Orange Forum user a crafted link targeting the login page of Orange Forum, redirecting to a malicious site.
Malicious users may access any Git repository on the server even if it is outside the served root directory
The `upload` method has a command injection vulnerability. Clients of the `codecov-node` library are unlikely to be aware of this, so they might unwittingly write code that contains a vulnerability.
Missing hostname validation allows an attacker to perform a monster in the middle attack against users of the library.
A user with privileges to edit templates may execute arbitrary Java code or run arbitrary system commands with the same privileges as the account running Cascade CMS.
A user with privileges to edit wiki content may execute arbitrary Java code or run arbitrary system commands with the same privileges as the account running XWiki.
A user with privileges to edit a FreeMarker template may execute arbitrary Java code or run arbitrary system commands with the same privileges as the account running Crafter CMS.
Apache Camel FreeMarker, Velocity, MVEL and Moustache components are vulnerable to Server-Side Template Injection (SSTI) leading to Remote Code Execution (RCE) or Arbitrary File Disclosure.
Apache OFBiz is vulnerable to pre-auth Remote Code Execution (RCE) via unsafe deserialization.
Apache OFBiz is vulnerable to Reflected Cross-Site Scripting through a POST request
The GitHub Security Lab team has identified a potential security vulnerability in standard-version.
A user with privileges to write JinJava templates, for example in a CMS context, will be able to read arbitrary files from the file system.
A user with privileges to edit a FreeMarker template may execute arbitrary Java code or run arbitrary system commands with escalated privileges.
A user with privileges to edit templates may execute arbitrary Java code or run arbitrary system commands with escalated privileges.
A user with privileges to edit User macros may execute arbitrary Java code or run arbitrary system commands with escalated privileges.
A user with privileges to edit FreeMarker or Velocity templates may execute arbitrary Java code or run arbitrary system commands with escalated privileges.
A user with privileges to edit a FreeMarker template may execute arbitrary Java code or run arbitrary system commands with escalated privileges.
The GitHub Security Lab uncovered an OOB read vulnerability in Apache Guacamole prior to version 1.2.0 which may lead to an information leak.
The GitHub Security Lab team has uncovered an OOB read vulnerability in FreeRDP's RLEDECOMPRESS function.
The GitHub Security Lab team has uncovered an integer signedness mismatch vulnerability in FreeRDP's update_recv_secondary_order function which leads to an OOB read vulnerability.
The GitHub Security Lab team has uncovered an OOB read vulnerability in FreeRDP's update_recv_primary_order function.
The GitHub Security Lab team uncovered an OOB read vulnerability in FreeRDP's update_read_cache_bitmap_v3_order function.
The GitHub Security Lab team has uncovered an integer signedness mismatch vulnerability in FreeRDP leading to OOB read.
The GitHub Security Lab team uncovered an OOB read vulnerability in FreeRDP's glyph_cache_put function
The GitHub Security Lab team uncovered an OOB read vulnerability in FreeRDP's ntlm_av_pair_get function.
The GitHub Security Lab team uncovered an OOB read vulnerability in FreeRDP's license_read_new_or_upgrade_license_packet function.
The GitHub Security Lab team has identified a potential remote code execution in git-diff-apply.
The GitHub Security Lab team has identified a potential remote code execution in mversion
The GitHub team has identified a command injection vulnerability in the resolve method of the node-dns-sync library.
The GitHub Security Lab team has identified a heap overflow in FreeRDP's crypto_rsa_common function.
The GitHub Security Lab team identified a NULL dereference in FreeRDP's libfreerdp.
The GitHub Security Lab team has identified an Out of Bounds read vulnerability in FreeRDP's ntlm_read_ChallengeMessage function.
The GitHub Security Lab team has found a potential mXSS vulnerability in AngularJS.
The GitHub Security Lab team uncovered a missing hostname validation vulnerability in the em-http-request library that allows an attacker to perform a Person In The Middle (PITM) attack against users of the library.
The GitHub Security Lab team identified multiple memory corruption vulnerabilities in SANE Backends which may lead to Denial of Service (DoS) and Remote Code Execution (RCE).
The GitHub Security Lab team detected an integer overflow in the LibVNCClient HandleCursorShape RFB event handler.
The GitHub Security Lab team has identified a file descriptor leak in dbus that can lead to local Denial of Service.
The GitHub Security Lab team has identified a path traversal vulnerability in Jooby that can lead to information disclosure.
The GitHub Security Lab team has identified several potential security vulnerabilities in Apache Syncope, including RCE and XSS.
The GitHub Security Lab team has identified an XSS vulnerability in Apache Syncope.
The GitHub Security Lab team has identified a Server-Side Template Injection vulnerability in Apache Syncope, which leads to RCE.
The GitHub Security Lab team has identified an EL expression input sanitization bypass vulnerability in Hibernate Validator.
By exploiting an open redirect vulnerability, an attacker could potentially redirect a victim to any arbitrary URL and access their OAuth token.
The GitHub Security Lab team has identified several potential security vulnerabilities in NTOP nDPI, including RCE and DoS.
An OOB write in AOSP allows an attacker within NFC range to obtain remote code execution in an Android device's NFC daemon.
Improper sanitization of SQL queries leads to SQL injection via a configuration file.
The GitHub Security Lab team has identified a use-after-free in Chrome WebAudio.
Server-Side Template Injection in Dropwizard leading to Remote Code Execution (RCE).
High privileged users can bypass the existing mitigations and inject arbitrary Java EL expressions in Nexus Repository Manager, leading to a Remote Code Execution (RCE) vulnerability.
It is possible for a user with the right permissions to execute arbitrary Groovy or JavaScript scripts, resulting in remote code execution.
High privileged users can inject arbitrary Java EL expressions in Nexus Repository Manager, leading to a Remote Code Execution (RCE) vulnerability.
A use-after-free vulnerability in ProFTPD could allow a remote attacker to execute arbitrary code on the affected system.
An attacker with elevated privileges can create content selectors with a specially crafted name using the REST API, which when viewed by another user can execute arbitrary JavaScript in the context of the NXRM application.
Attackers can inject arbitrary Java EL expressions in Nexus Repository Manager, leading to a Remote Code Execution (RCE) vulnerability.
The GitHub Security Lab team has identified a security issue in OpenSSL in which an attacker can force a client into freeing the same memory twice.
A Server-Side Template Injection was identified in Netflix Titus enabling attackers to inject arbitrary Java EL expressions, leading to a pre-auth Remote Code Execution (RCE) vulnerability.
A Server-Side Template Injection was identified in Netflix Conductor enabling attackers to inject arbitrary Java EL expressions, leading to a pre-auth Remote Code Execution (RCE) vulnerability.
An out-of-bounds (OOB) read vulnerability has been detected in PureFTPd's pure_strcmp function.
Several security issues have been found in the way X509 certificate validation functions are exposed to Lua. Clients using certain functions in lua-openssl are exposed to person-in-the-middle attacks.
An uninitialized pointer vulnerability in PureFTPd results in Out-of-Bounds reads and Denial of Service.
Several security issues have been found in the way openfortivpn deals with TLS. These issues can lead to situations in which an attacker can perform a person-in-the-middle attack on clients.
An out-of-bounds (OOB) read vulnerability has been detected in mod_cap.
Under certain circumstances, an off-by-one heap overflow can occur in the command_retr function.
Last updated: April 9th, 2019
The GitHub Security Lab research team is dedicated to working closely with the open source community and with projects that are affected by a vulnerability, in order to protect users and ensure a coordinated disclosure. When we identify a vulnerability in a project, we will report it by contacting the publicly-listed security contact for the project if one exists; otherwise we will attempt to contact the project maintainers directly.
If the project team responds and agrees the issue poses a security risk, we will work with the project security team or maintainers to communicate the vulnerability in detail, and agree on the process for public disclosure. Responsibility for developing and releasing a patch lies firmly with the project team, though we aim to facilitate this by providing detailed information about the vulnerability.
Our deadline for publicly disclosing a vulnerability is 90 days after the first report to the project team.
We appreciate the hard work maintainers put into fixing vulnerabilities and understand that sometimes more time is required to properly address an issue. We want project maintainers to succeed, and because of that we are always open to discussing our disclosure policy to fit your specific requirements, when warranted.
Please contact us at securitylab@github.com if you have any questions about our disclosure policy or our security research.