Overview
Description
Statistics
- 7 Posts
Fediverse
Codex CLI Silent RCE Flaw (CVE-2025-61260)
https://www.technadu.com/codex-cli-flaw-allowed-silent-remote-code-execution-through-malicious-repository-configurations/614994/
• Repo configs auto-executed MCP commands
• Backdoors via commit/PR access
• CI & developer endpoints at risk
• Root cause: trusted repo-level config execution
• Patched in v0.23.0
A critical reminder that AI-powered developer tools must adopt strict zero-trust defaults.
Follow us for ongoing security coverage.
#Cybersecurity #CodexCLI #RCE #AIThreats #SupplyChainSecurity #DevSecOps #InfoSec
The Codex CLI vulnerability tracked as CVE-2025-61260 can be exploited for command execution. https://www.securityweek.com/vulnerability-in-openai-coding-agent-could-facilitate-attacks-on-developers/
Bluesky
Description
Statistics
- 8 Posts
- 8 Interactions
Fediverse
🔒 Google patches two actively exploited Android zero-days (CVE-2025-48633 & CVE-2025-48572) in Dec 2025 update! High-severity info disclosure & privilege escalation flaws fixed for Android. Update now to stay safe! 📱💻
Android December security bulletin:
https://source.android.com/docs/security/bulletin/2025-12-01
Including:
Note: There are indications that the following may be under limited, targeted exploitation.
- CVE-2025-48633
- CVE-2025-48572
⚠️ Google just fixed 107 security flaws in Android — including two that hackers already used in real attacks.
The exploited bugs (CVE-2025-48633 & CVE-2025-48572) affect the Android Framework and could expose data or give attackers higher access.
Read: https://thehackernews.com/2025/12/google-patches-107-android-flaws.html
📱 Update your device as soon as the December patch is available.
Bluesky
Description
Statistics
- 8 Posts
- 8 Interactions
Fediverse
🔒 Google patches two actively exploited Android zero-days (CVE-2025-48633 & CVE-2025-48572) in Dec 2025 update! High-severity info disclosure & privilege escalation flaws fixed for Android. Update now to stay safe! 📱💻
Android December security bulletin:
https://source.android.com/docs/security/bulletin/2025-12-01
Including:
Note: There are indications that the following may be under limited, targeted exploitation.
- CVE-2025-48633
- CVE-2025-48572
⚠️ Google just fixed 107 security flaws in Android — including two that hackers already used in real attacks.
The exploited bugs (CVE-2025-48633 & CVE-2025-48572) affect the Android Framework and could expose data or give attackers higher access.
Read: https://thehackernews.com/2025/12/google-patches-107-android-flaws.html
📱 Update your device as soon as the December patch is available.
Bluesky
Description
Statistics
- 4 Posts
Bluesky
Overview
Description
Statistics
- 2 Posts
- 4 Interactions
Fediverse
I examined the patch and wrote a proof-of-concept:
https://worthdoingbadly.com/bluetooth/
My proof-of-concept is available at https://github.com/zhuowei/blueshrimp; it gets "fault addr 0x4141414141414141" on the Android Automotive emulator... once you accept the pairing request.
Overview
Description
Statistics
- 2 Posts
Fediverse
Qualcomm has detailed six high-priority vulnerabilities — including a critical secure boot flaw (CVE-2025-47372). Additional issues affect TZ Firmware, HLOS components, DSP, audio, and camera modules.
OEMs are receiving patches and users may need to check manufacturer timelines for deployment.
Follow us for more non-sensationalized security reporting.
Source: https://gbhackers.com/qualcomm-alerts-users-to-critical-flaws/
#Infosec #Qualcomm #SecureBoot #FirmwareSecurity #ThreatIntel #TechNadu #CVEs #DeviceSecurity
Overview
- Red Hat
- Red Hat OpenShift Dev Spaces
- devspaces/code-rhel9
Description
Statistics
- 1 Post
- 20 Interactions
Fediverse
lolwut
https://access.redhat.com/security/cve/CVE-2025-57850
This issue stems from the
/etc/passwdfile being created with group-writable permissions during build time.
Overview
- Cloudflare
- gokey
- github.com/cloudflare/gokey
Description
Statistics
- 1 Post
- 5 Interactions
Fediverse
Go hack more Cloudflare shit.
https://www.cve.org/CVERecord?id=CVE-2025-13353
\n \nIn gokey versions
\n<0.2.0,\n a flaw in the seed decryption logic resulted in passwords incorrectly \nbeing derived solely from the initial vector and the AES-GCM \nauthentication tag of the key seed.This issue has been fixed in gokey version
\n0.2.0. This is a breaking change. The fix has invalidated any passwords/secrets that were derived from the seed file (using the-soption). Even if the input seed file stays the same, version0.2.0gokey will generate different secrets.Impact
\nThis vulnerability impacts generated keys/secrets using a seed file as an entropy input (using the
\n-soption). Keys/secrets generated just from the master password (without the-s\n option) are not impacted. The confidentiality of the seed itself is \nalso not impacted (it is not required to regenerate the seed itself). \nSpecific impact includes:\n
\n- keys/secrets generated from a seed file may have lower entropy: it \nwas expected that the whole seed would be used to generate keys (240 \nbytes of entropy input), where in vulnerable versions only 28 bytes was \nused
\n- a malicious entity could have recovered all passwords, generated \nfrom a particular seed, having only the seed file in possession without \nthe knowledge of the seed master password
\nPatches
\nThe code logic bug has been fixed in gokey version
\n0.2.0\n and above. Due to the deterministic nature of gokey, fixed versions \nwill produce different passwords/secrets using seed files, as all seed \nentropy will be used now.System secret rotation guidance
\nIt is advised for users to regenerate passwords/secrets using the patched version of gokey (
\n0.2.0\n and above), and provision/rotate these secrets into respective systems \nin place of the old secret. A specific rotation procedure is \nsystem-dependent, but most common patterns are described below.Systems that do not require the old password/secret for rotation
\nSuch systems usually have a \"Forgot password\" facility or a\n similar facility allowing users to rotate their password/secrets by \nsending a unique \"magic\" link to the user's email or phone. In such \ncases users are advised to use this facility and input the newly \ngenerated password secret, when prompted by the system.
\nSystems that require the old password/secret for rotation
\nSuch systems usually have a modal password rotation window\n usually in the user settings section requiring the user to input the \nold and the new password sometimes with a confirmation. To \ngenerate/recover the old password in such cases users are advised to:
\n\n
\n- temporarily download gokey version 0.1.3 for their respective operating system to recover the old password
\n- use gokey version
\n0.2.0or above to generate the new password- populate the system provided password rotation form
\nSystems that allow multiple credentials for the same account to be provisioned
\nSuch systems usually require a secret or a cryptographic \nkey as a credential for access, but allow several credentials at the \nsame time. One example is SSH: a particular user may have several \nauthorized public keys configured on the SSH server for access. For such\n systems users are advised to:
\n\n
\n- generate a new secret/key/credential using gokey version
\n0.2.0or above- provision the new secret/key/credential in addition to the existing credential on the system
\n- verify that the access or required system operation is still possible with the new secret/key/credential
\n- revoke authorization for the existing/old credential from the system
\nCredit
\nThis vulnerability was found by Théo Cusnir (@mister_mime) and responsibly disclosed through Cloudflare's bug bounty program.
\n \n
Overview
Description
Statistics
- 3 Posts
- 5 Interactions
Overview
Description
Statistics
- 1 Post
- 3 Interactions