Channel: The latest on vulnerability research - The GitHub Blog
Browsing latest articles
Browse All 32 View Live

Attacks on Maven proxy repositories

As someone who’s been breaking the security of Java applications for many years, I was always curious about the supply chain attacks on Java libraries. In 2019, I accidentally discovered an arbitrary...

Cybersecurity researchers: Digital detectives in a connected world

Have you ever considered yourself a detective at heart? Cybersecurity researchers are digital detectives, uncovering vulnerabilities before malicious actors exploit them. To succeed, they adopt the...

Sign in as anyone: Bypassing SAML SSO authentication with parser differentials

Critical authentication bypass vulnerabilities (CVE-2025-25291 + CVE-2025-25292) were discovered in ruby-saml up to version 1.17.0. Attackers who are in possession of a single valid signature that was...

A maintainer’s guide to vulnerability disclosure: GitHub tools to make it simple

Imagine this: You’re sipping your morning coffee and scrolling through your emails, when you spot it—a vulnerability report for your open source project. It’s your first one. Panic sets in. What does...

How to request a change to a CVE record

Ever come across a Common Vulnerabilities and Exposures (CVE) ID affecting software you use or maintain and thought the information could be better? CVE IDs are a widely-used system for tracking...

Cutting through the noise: How to prioritize Dependabot alerts

Let’s be honest: that flood of security alerts in your inbox can feel completely overwhelming. We’ve been there too. As a developer advocate and a product manager focused on security at GitHub, we’ve...

Bypassing MTE with CVE-2025-0072

Memory Tagging Extension (MTE) is an advanced memory safety feature that is intended to make memory corruption vulnerabilities almost impossible to exploit. But no mitigation is ever completely...

CVE-2025-53367: An exploitable out-of-bounds write in DjVuLibre

DjVuLibre version 3.5.29 was released today. It fixes CVE-2025-53367 (GHSL-2025-055), an out-of-bounds (OOB) write in the MMRDecoder::scanruns method. The vulnerability could be exploited to gain code...

How to catch GitHub Actions workflow injections before attackers do

You already know that security is important to keep in mind when creating code and maintaining projects. Odds are, you also know that it’s much easier to think about security from the ground up rather...

Safeguarding VS Code against prompt injections

The Copilot Chat extension for VS Code has been evolving rapidly over the past few months, adding a wide range of new features. Its new agent mode lets you use multiple large language models (LLMs),...