Overview
Description
urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.24 and prior to 2.6.0, the number of links in the decompression chain was unbounded allowing a malicious server to insert a virtually unlimited number of compression steps leading to high CPU usage and massive memory allocation for the decompressed data. This vulnerability is fixed in 2.6.0.
Overview
- Go standard library
- encoding/pem
Published: 29 Oct 2025
Updated: 04 Nov 2025
CVSS: Pending
EPSS: 0.03%
KEV
Description
The processing time for parsing some invalid inputs scales non-linearly with respect to the size of the input. This affects programs which parse untrusted PEM inputs.
Overview
- Go standard library
- archive/tar
Published: 29 Oct 2025
Updated: 04 Nov 2025
CVSS: Pending
EPSS: 0.01%
KEV
Description
tar.Reader does not set a maximum size on the number of sparse region data blocks in GNU tar pax 1.0 sparse files. A maliciously-crafted archive containing a large number of sparse regions can cause a Reader to read an unbounded amount of data from the archive into memory. When reading from a compressed source, a small compressed input can result in large allocations.
Overview
- Go standard library
- net/url
Published: 29 Oct 2025
Updated: 04 Nov 2025
CVSS: Pending
EPSS: 0.02%
KEV
Description
The Parse function permits values other than IPv6 addresses to be included in square brackets within the host component of a URL. RFC 3986 permits IPv6 addresses to be included within the host component, enclosed within square brackets. For example: "http://[::1]/". IPv4 addresses and hostnames must not appear within square brackets. Parse did not enforce this requirement.
Overview
- Go standard library
- crypto/x509
Published: 29 Oct 2025
Updated: 04 Nov 2025
CVSS: Pending
EPSS: 0.01%
KEV
Description
Validating certificate chains which contain DSA public keys can cause programs to panic, due to an interface cast that assumes they implement the Equal method. This affects programs which validate arbitrary certificate chains.
Overview
Description
In KDE Krita before 5.2.13, loading a manipulated TGA file could result in a heap-based buffer overflow in plugins/impex/tga/kis_tga_import.cpp (aka KisTgaImport). Control flow proceeds even when a number of pixels becomes negative.
Overview
- Go standard library
- crypto/tls
Published: 29 Oct 2025
Updated: 04 Nov 2025
CVSS: Pending
EPSS: 0.02%
KEV
Description
When Conn.Handshake fails during ALPN negotiation, the error contains attacker-controlled information (the ALPN protocols sent by the client) which is not escaped.
Overview
Description
In the Linux kernel, the following vulnerability has been resolved:
pidfs: validate extensible ioctls
Validate extensible ioctls more strictly than we do now.
Overview
Description
urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.0 and prior to 2.6.0, the Streaming API improperly handles highly compressed data. urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the content in chunks, rather than loading the entire response body into memory at once. When streaming a compressed response, urllib3 can perform decoding or decompression based on the HTTP Content-Encoding header (e.g., gzip, deflate, br, or zstd). The library must read compressed data from the network and decompress it until the requested chunk size is met. Any resulting decompressed data that exceeds the requested amount is held in an internal buffer for the next read operation. The decompression logic could cause urllib3 to fully decode a small amount of highly compressed data in a single operation. This can result in excessive resource consumption (high CPU usage and massive memory allocation for the decompressed data).
Overview
Description
A flaw was found in the ABRT daemon's handling of user-supplied mount information. ABRT copies up to 12 characters from an untrusted input and places them directly into a shell command (docker inspect %s) without proper validation. An unprivileged local user can craft a payload that injects shell metacharacters, causing the root-running ABRT process to execute attacker-controlled commands and ultimately gain full root privileges.
Bluesky
Detailed #Fedora 43 Security Advisory: CVE-2025-12744
The abrt tool patch is more than a routine update. Read more: tinyurl.com/5y6prrda #Security