cve-analysis
Safeguard articles tagged "cve-analysis" — guides, analysis, and best practices for software supply chain and application security.
134 articles
Analysis of pickle file deserialization vulnerabilities i...
CVE-2025-32434 shows PyTorch's "safe" weights_only loading could still be bypassed for code execution — a pickle deserialization vulnerability with real supply-chain consequences.
Path traversal vulnerabilities explained with real-world examples
Path traversal (CWE-22) has powered CVEs from Apache to Citrix to F5. Here's how it works, real breaches, and how to stop it.
Buffer overflow vulnerabilities explained
Buffer overflows still make MITRE's CWE Top 25 every year. Here's how they corrupt memory, real CVEs like EternalBlue and Baron Samedit, and how to stop them.
Type confusion vulnerabilities explained
Type confusion bugs let attackers corrupt memory by exploiting mismatched type assumptions. See real CVEs, how JIT engines fail, and how to catch it early.
Analysis of documented WebAssembly sandbox escape vulnera...
Real documented WASM sandbox escape cases in Wasmtime and Wasmer, covering affected versions, severity, disclosure timelines, and how to remediate.
Authentication bypass vulnerabilities explained
Authentication bypass flaws let attackers skip login entirely. See how CVE-2022-40684, CVE-2023-22515, and CVE-2021-40539 were exploited and prevented.
Algorithmic complexity denial of service explained
Small inputs, big CPU spikes: how algorithmic complexity DoS vulnerabilities like ReDoS and hash flooding crash apps with a single request.
JWT algorithm confusion / none-algorithm bypass explained
How attackers forge JWTs via RS256/HS256 key confusion and the alg:none bypass, with real CVEs, detection steps, and defenses.
XML signature wrapping attacks explained
XML signature wrapping lets attackers forge signed SOAP and SAML messages without breaking the signature. Here's how the attack works and how to stop it.
pip's Version-Based Resolution and the Origin of Dependen...
CVE-2018-20225 exposed how pip's version-based resolver lets a higher-versioned public PyPI package silently override a private one — the origin of dependency confusion attacks.
Java deserialization gadget chains explained
Java deserialization gadget chains turn trusted classpath libraries into RCE. Learn how they work, key CVEs like CVE-2015-4852, and how to detect them.
Regular expression injection explained
Regex injection lets attackers rewrite pattern logic or trigger ReDoS. See real CVEs, exploit examples, and how to detect and fix it in your code.