Safeguard
Topic

Open Source Security

In-depth guides and analysis on open source security from the Safeguard engineering team.

404 articles

Open Source Security

RubyGems 2019 Multi-CVE Disclosure: Directory Traversal v...

CVE-2019-8320 let malicious RubyGems packages delete arbitrary directories via symlinked gem decompression. Here's the impact, timeline, and how to remediate it.

Dec 5, 20258 min read
Open Source Security

RubyGems Escape Sequence Injection via Gem Name Output (C...

A look at CVE-2019-8321, the RubyGems escape sequence injection flaw in gem CLI output: affected versions, severity, and how to remediate it.

Dec 4, 20258 min read
Open Source Security

RubyGems Escape Sequence Injection via Crafted API Respon...

CVE-2019-8322 is a RubyGems flaw where crafted API responses could inject terminal escape sequences, spoofing gem output. Here's what to know and how to fix it.

Dec 4, 20258 min read
Open Source Security

RubyGems Escape Sequence Injection in Gem Owner Command (...

CVE-2019-8323 shows how RubyGems' gem owner command echoed unsanitized API response data to the terminal, enabling escape sequence injection attacks.

Dec 4, 20257 min read
Open Source Security

RubyGems Malicious Gem Arbitrary Code Execution via Missi...

CVE-2019-8324 let a malicious RubyGems package run arbitrary code at install time via a crafted multi-line gem name evaluated during the preinstall check.

Dec 4, 20257 min read
Open Source Security

RubyGems Escape Sequence Injection via Unpack API (CVE-20...

CVE-2019-8325 lets a malicious RubyGems package inject terminal escape sequences via the unpack API. Here's the impact, affected versions, and how to remediate it.

Dec 3, 20258 min read
Open Source Security

pip's Version-Based Resolution and the Origin of Dependen...

CVE-2018-20225 exposed how pip's version-based resolver lets a higher-versioned public PyPI package silently override a private one — the origin of dependency confusion attacks.

Dec 3, 20257 min read
Open Source Security

The torchtriton Dependency Confusion Attack on PyTorch-Ni...

How a namespace gap on PyPI let a malicious "torchtriton" package hijack PyTorch-nightly installs for five days, and what it teaches about ML supply chain security.

Dec 3, 20257 min read
Open Source Security

The 'ctx' PyPI Package Hijack via Expired Maintainer Domain

In 2022, attackers bought an expired domain, reset a PyPI maintainer's email, and hijacked the ctx package to steal environment variables from unsuspecting installs.

Dec 3, 20257 min read
Open Source Security

node-tar Arbitrary File Write via Symlink Extraction (CVE...

CVE-2021-32803 allows crafted symlinks in tar archives to make node-tar write files outside the extraction directory via malicious npm packages.

Dec 2, 20257 min read
Open Source Security

node-tar Second Bypass Enabling Arbitrary File Write (CVE...

CVE-2021-32804 let crafted tar archives bypass node-tar path sanitization, enabling arbitrary file writes during npm package extraction.

Dec 2, 20257 min read
Open Source Security

node-tar Windows-Specific Path Traversal Bypass (CVE-2021...

CVE-2021-37712 let malicious tar archives bypass node-tar's symlink protections on Windows via junctions, enabling path traversal during npm installs. Here's what to patch.

Dec 2, 20258 min read
Open Source Security (Page 12) — Supply Chain Security Blog | Safeguard