vulnerability-analysis
Safeguard articles tagged "vulnerability-analysis" — guides, analysis, and best practices for software supply chain and application security.
360 articles
cross-spawn ReDoS vulnerability (CVE-2024-21538)
CVE-2024-21538 is a ReDoS flaw in the widely-used cross-spawn npm package. Learn the impact, CVSS/EPSS context, and how to remediate it.
Express.js open redirect vulnerability (CVE-2024-29041)
CVE-2024-29041 lets attackers weaponize Express.js redirects for phishing. See affected versions, CVSS/EPSS data, and how to remediate fast.
http-cache-semantics ReDoS vulnerability (CVE-2022-25881)
CVE-2022-25881 lets attacker-influenced HTTP responses trigger catastrophic regex backtracking in http-cache-semantics, hanging Node.js services. Here's how to detect and fix it.
Python requests library proxy-auth credential leak (CVE-2023-32681)
CVE-2023-32681 lets Python's requests library leak Proxy-Authorization credentials to destination servers on HTTPS redirects. Here's the impact, timeline, and fix.
urllib3 regular expression denial of service (CVE-2021-33503)
A deep dive into CVE-2021-33503, the urllib3 ReDoS flaw in Python's core HTTP library, its real-world exposure, and how to remediate it.
urllib3 cookie/auth header leak on cross-origin redirect (CVE-2023-43804)
CVE-2023-43804 lets urllib3 leak Cookie headers on cross-origin redirects. See affected versions, severity context, and how to remediate fast.
PyYAML full_load unsafe deserialization arbitrary code execution (CVE-2020-14343)
CVE-2020-14343 shows PyYAML's full_load/FullLoader "safe" fix was incomplete, enabling arbitrary code execution. Here's the fix and how to detect exposure.
IPython crafted directory code execution (CVE-2022-21699)
CVE-2022-21699 lets attackers plant crafted profile files in shared directories, triggering silent code execution when victims launch IPython or Jupyter sessions.
Python urllib.parse NFKC normalization blocklist bypass (CVE-2023-24329)
CVE-2023-24329 let attackers bypass URL blocklists via leading blank characters in Python's urllib.parse, enabling SSRF and filter evasion.
Python mailcap insecure shell command construction (CVE-2015-20107)
Python mailcap shell injection (CVE-2015-20107) lets attackers run arbitrary commands via unescaped filenames. Here is how to detect and fix it.
Python tarfile extraction path traversal, the 15-year-old flaw (CVE-2007-4559)
CVE-2007-4559, a path traversal flaw in Python's tarfile module, still lurks in hundreds of thousands of repos. Here's the impact, timeline, and fix.
Python email module address-parsing confusion (CVE-2023-27043)
CVE-2023-27043 shows how a Python email-parsing quirk lets attackers spoof trusted domains and bypass allowlist-based access controls silently.