Open Source Security
In-depth guides and analysis on open source security from the Safeguard engineering team.
404 articles
RubyGems 2019 Multi-CVE Disclosure: Directory Traversal v...
CVE-2019-8320 let malicious RubyGems packages delete arbitrary directories via symlinked gem decompression. Here's the impact, timeline, and how to remediate it.
RubyGems Escape Sequence Injection via Gem Name Output (C...
A look at CVE-2019-8321, the RubyGems escape sequence injection flaw in gem CLI output: affected versions, severity, and how to remediate it.
RubyGems Escape Sequence Injection via Crafted API Respon...
CVE-2019-8322 is a RubyGems flaw where crafted API responses could inject terminal escape sequences, spoofing gem output. Here's what to know and how to fix it.
RubyGems Escape Sequence Injection in Gem Owner Command (...
CVE-2019-8323 shows how RubyGems' gem owner command echoed unsanitized API response data to the terminal, enabling escape sequence injection attacks.
RubyGems Malicious Gem Arbitrary Code Execution via Missi...
CVE-2019-8324 let a malicious RubyGems package run arbitrary code at install time via a crafted multi-line gem name evaluated during the preinstall check.
RubyGems Escape Sequence Injection via Unpack API (CVE-20...
CVE-2019-8325 lets a malicious RubyGems package inject terminal escape sequences via the unpack API. Here's the impact, affected versions, and how to remediate it.
pip's Version-Based Resolution and the Origin of Dependen...
CVE-2018-20225 exposed how pip's version-based resolver lets a higher-versioned public PyPI package silently override a private one — the origin of dependency confusion attacks.
The torchtriton Dependency Confusion Attack on PyTorch-Ni...
How a namespace gap on PyPI let a malicious "torchtriton" package hijack PyTorch-nightly installs for five days, and what it teaches about ML supply chain security.
The 'ctx' PyPI Package Hijack via Expired Maintainer Domain
In 2022, attackers bought an expired domain, reset a PyPI maintainer's email, and hijacked the ctx package to steal environment variables from unsuspecting installs.
node-tar Arbitrary File Write via Symlink Extraction (CVE...
CVE-2021-32803 allows crafted symlinks in tar archives to make node-tar write files outside the extraction directory via malicious npm packages.
node-tar Second Bypass Enabling Arbitrary File Write (CVE...
CVE-2021-32804 let crafted tar archives bypass node-tar path sanitization, enabling arbitrary file writes during npm package extraction.
node-tar Windows-Specific Path Traversal Bypass (CVE-2021...
CVE-2021-37712 let malicious tar archives bypass node-tar's symlink protections on Windows via junctions, enabling path traversal during npm installs. Here's what to patch.