WhisperX tag archive

#security_vulnerability

This page collects WhisperX intelligence signals tagged #security_vulnerability. It is designed for humans, search engines, and AI agents: each item links to a canonical source-backed record with sector, source, timestamp, credibility, and exportable structured data.

Latest Signals (20)

The Lab · 2026-03-25 09:27:09 · GitHub Issues

1. Libcurl Security Vulnerability Exposed: Versions 7.17.0 to 8.17.0 at Risk

A critical security vulnerability has been identified in libcurl, the widely-used data transfer library, affecting versions from 7.17.0 up to and including 8.17.0. This exposure, detailed in a Tenable Nessus plugin advisory, necessitates an immediate upgrade to version 8.18.0 or later to mitigate the risk. The flaw's p...

The Lab · 2026-03-25 10:27:14 · GitHub Issues

2. Soroban Smart Contract Vulnerability: Unprotected `initialize` Functions Open Arena, Factory, Payout to Front-Running Admin Takeover

A critical Day-1 security vulnerability has been identified in multiple Soroban smart contracts, exposing the entire protocol to immediate administrative takeover. The `initialize` functions within the Arena, Factory, and Payout contracts are publicly callable by any address. This design flaw allows any observer of the...

The Lab · 2026-03-25 10:27:17 · GitHub Issues

3. Arena Smart Contract Vulnerability: Unstaked Addresses Can Corrupt Game Resolution

A critical security flaw has been identified in the `submit_choice` function of the Arena smart contract. The function currently accepts submissions from any caller without verifying if the address is an active, staked participant in the game. This absence of a `DataKey::Survivor` check allows random, unstaked addresse...

The Lab · 2026-03-25 10:27:18 · GitHub Issues

4. Critical Game Vulnerability: Unbounded Paddle Speed Input Enables Denial-of-Service Attack

A critical security flaw in a Python/Pygame application allows an attacker to crash or render the game unusable through a simple command-line input. The vulnerability stems from the main.py file, which accepts paddle speed as a user-supplied integer. While a regex validates the input as a positive number, it fails to e...

The Lab · 2026-03-25 10:27:21 · GitHub Issues

5. Arena Smart Contract Vulnerability: Admin Can Switch Reward Token Mid-Game, Risking User Funds

A critical security flaw has been identified in the Arena smart contract's administrative `set_token` function. The vulnerability allows a contract admin to instantly change the address of the reward or stake token at any time, without regard for the current state of active games. This creates a direct risk where playe...

The Lab · 2026-03-27 02:27:04 · GitHub Issues

6. serialize-javascript npm Package Security Vulnerability: Code Injection Risk Not Fully Fixed, Dependent Projects Face Threat

A critical code injection vulnerability has been discovered in the popular `serialize-javascript` npm package, whose earlier fix for CVE-2020-7660 has proven to be incomplete. The vulnerability exists in versions 7.0.2 and earlier and allows an attacker to inject malicious code into the serialized output via crafted regular expression flags (`RegExp.flags`), whereas the previous security patch only sanitized `RegExp.source`. This means that the thousands of Node.js and front-end projects that rely on this library for data serialization remain at real risk of remote code execution (RCE) unless they upgrade to the latest version (7.0.3+). The vulnerability is tracked as GitHub security advisory GHSA-5c6j-r48x-rmvq and is the CVE-2020-7660...

The Lab · 2026-03-27 03:27:03 · GitHub Issues

7. Critical Code Flaw: Export Handler Loads Entire Database into Memory, Risking Server Crash

A critical vulnerability in the export handler of a server application poses an immediate risk of Out-Of-Memory (OOM) crashes and Denial of Service (DoS). The flaw, located in the `internal/handlers/export.go` file, loads the entire contents of multiple database tables directly into system memory without any pagination...

The Lab · 2026-03-27 08:27:03 · GitHub Issues

8. Soroban Contract Security Flaw: Unbounded Instance Storage Growth in `distribute_winnings()` Exhausts TTL Budget

A critical security and performance flaw has been identified in a Soroban smart contract's payout function. The `distribute_winnings()` method stores each payout record directly in the contract's **instance storage**, a design choice that leads to unbounded growth and threatens the contract's long-term viability. Insta...

The Lab · 2026-03-27 10:27:12 · GitHub Issues

9. Arena Contract Bug: `claim()` Payouts Lack Survivor Registration Check, Risking Unearned Prize Drain

A critical security flaw in the arena smart contract allows the prize pool to be paid out to any address designated as a winner, even if that address never registered as a participant. The `claim()` function fails to verify that the winner is also a registered `Survivor`, creating a direct path for unearned funds to be...

The Lab · 2026-03-27 11:27:31 · GitHub Issues

10. install-media-stack.sh Script Exposes a Serious Security Vulnerability: Jellyfin Service Directly Exposed to the Internet

The automation script `install-media-stack.sh`, intended to simplify media server deployment, has been found to contain a serious security misconfiguration that causes the Jellyfin media server it installs to be open to the entire internet by default, posing a major security risk. Used unmodified in a production environment, the script may leave the server wide open, allowing unauthenticated remote access. Test evidence shows that the Jellyfin service installed by the script binds by default to `0.0.0.0` (all network interfaces) rather than the safe `127.0.0.1` (localhost). With the `ss` command, the service can be observed listening on port 42311 on all addresses. A more direct verification: an HTTP request issued from an external network to port 42311 of a test IP address (185.148.1.77) received an HTT...

The Lab · 2026-03-27 16:27:32 · GitHub Issues

11. Soroban Smart Contract Flaw: `payout.distribute_winnings()` Auth Bypass via Order-of-Operations Bug

A critical security vulnerability has been identified in a Soroban smart contract, allowing an attacker to bypass authorization checks and potentially trigger unauthorized fund distributions. The flaw resides in the `distribute_winnings()` function within the `payout` contract, where a logic error in the sequence of ch...

The Lab · 2026-03-27 19:27:29 · GitHub Issues

12. Critical Security Fix: Hardcoded Stripe Live API Key Exposed in Source Code and Admin Endpoint

A critical security vulnerability has been automatically patched after a hardcoded Stripe live API key was discovered in a project's source code and exposed via an admin dashboard endpoint. The key, identified as 'stripe_live_key_EXAMPLE_1234567890abcdef', was embedded directly within the `src/config.js` file, represen...

The Lab · 2026-03-27 20:27:24 · GitHub Issues

13. Go x/image/webp Vulnerability: Decoding Oversized WebP Images on 32-bit Platforms Can Cause Memory Corruption and Program Crash (CVE-2026-33813)

The `x/image/webp` decoder in the Go standard library contains a critical security vulnerability: when processing a specially crafted oversized WebP image on a 32-bit platform, it returns an internally corrupted `image.Image` object, and any subsequent access to that image's data causes the program to panic and crash. The vulnerability stems from the decoder failing to strictly enforce the canvas size limit defined in the WebP format specification (RFC 9649). According to the specification, the canvas size (width multiplied by height) declared in the WebP extended header (VP8X) must not exceed 2^32-1 pixels. However, when decoding an image that declares a size exceeding this limit, or one that causes an overflow in the 32-bit integer multiplication, the library fails to reject the image and instead produces an invalid internal data structure. This vulnerability is tracked as CVE-2026-33813 and has been marked as publicly tracked (PUBLIC...

The Lab · 2026-03-27 23:27:20 · GitHub Issues

14. Oracle Security Flaw: Single-Source Price Feed Puts User Funds at Risk

A critical vulnerability has been identified in the project's oracle system, where reliance on a single external price feed creates a direct risk of market manipulation and user fund loss. The current implementation depends solely on the CoinGecko API for crypto price resolution. If this single source is down, returns ...

The Lab · 2026-03-28 04:27:09 · GitHub Issues

15. casual-1.6.2.tgz Depends on moment Library Carrying Two High-Severity Vulnerabilities (CVSS 7.5)

In casual-1.6.2.tgz, an npm package for generating fake data, the direct dependency moment-2.24.0.tgz has been found to contain two high-severity security vulnerabilities, both with a CVSS score of 7.5. The exploit maturity of both vulnerabilities is undefined, but EPSS scores put their likelihood of exploitation at 2.3% and 3.4% respectively. Although rated high severity, the current analysis marks their code paths as "unreachable," which may mean the affected functions are not called in this particular application context, temporarily reducing the risk of direct exploitation. The two vulnerabilities are identified as CVE-2022-24785 and CVE-2022-31129, both present in version 2.24.0 of moment, a widely used JavaScript date-handling library. Upstream has fixed them in moment 2....

The Lab · 2026-03-28 05:27:01 · GitHub Issues

16. RUSTSEC-2024-0437: protobuf 2.28.0 Has a Crash Vulnerability, Affecting the Dependency Chain

The Rust security team has published the critical security advisory RUSTSEC-2024-0437, noting that version 2.28.0 of the `protobuf` library contains a vulnerability that can cause a crash. The vulnerability stems from unbounded recursion when parsing certain Protobuf messages, which can lead to denial of service (DoS). Although its severity is marked "medium" and it is not remote code execution (RCE), it directly blocks dependency audits and continuous integration (CI) pipelines, forcing affected projects to take action. The affected dependency chain clearly shows the propagation path: the problematic `protobuf 2.28.0` version is depended on by `prometheus 0.13.4`, which in turn is used by the `dewey 0.1.0` project. The officially recommended fix is to upgrade to `protobuf >= 3.7.2`. However...

The Lab · 2026-03-28 11:26:58 · GitHub Issues

17. Security Alert: Factory `create_pool` Fails to Validate Token Against Whitelist, Risking Malicious Pools

A critical security vulnerability has been identified in the Factory contract's `create_pool` function. The function accepts an arbitrary `currency` identifier but fails to authenticate this token address against the official `DataKey::SupportedToken` configuration whitelist. This oversight allows unverified and potent...

The Lab · 2026-03-28 11:27:04 · GitHub Issues

18. Arena Game Contract Vulnerability: Admin `set_token` Function Can Permanently Trap Player Funds

A critical security vulnerability has been identified in the Arena game contract, where an administrative function can permanently lock player deposits mid-game. The `set_token` function, which mutates the underlying `TOKEN_KEY` for the prize pool, lacks essential lifecycle guards. This allows an admin—whether acting a...

The Lab · 2026-03-28 13:27:01 · GitHub Issues

19. Critical Vulnerability in Rewards Contract: Missing Authentication Allows Front-Running Attack

A critical security flaw has been identified in a blockchain rewards contract, exposing it to a front-running attack that could allow an attacker to seize control of the system and drain funds. The vulnerability resides in the contract's `initialize` function, which lacks any authentication check. This allows any obser...

The Lab · 2026-03-28 13:27:04 · GitHub Issues

20. Protocol Vulnerability: Quest & Milestone Contracts Lack Emergency Pause, Creating Critical Exploit Risk

A critical security gap has been identified within the protocol's smart contract architecture. While the rewards contract includes an emergency pause/unpause mechanism, the foundational quest and milestone contracts do not. This asymmetry creates a dangerous single point of failure: if a vulnerability is discovered pos...