Checkmarx Zero
@checkmarxzero.bsky.social
Specializing in breaking and protecting the building blocks of modern software development. From traditional #AppSec, through #opensource #SupplyChain threats, to #LLM security. https://checkmarx.com/zero/
☔️ #LastWeekInAppSec (Nov 11) highlights two low-severity issues with interesting implications for real-world #AppSec and #DevSecOps.
🔗 buff.ly/wN1crc3
🧵1/4
🔗 buff.ly/wN1crc3
🧵1/4
November 11, 2025 at 3:42 PM
☔️ #LastWeekInAppSec (Nov 11) highlights two low-severity issues with interesting implications for real-world #AppSec and #DevSecOps.
🔗 buff.ly/wN1crc3
🧵1/4
🔗 buff.ly/wN1crc3
🧵1/4
🚨 Critical #Django #Vulnerability 🚨
CVE-2025-64459 (CVSSv3 9.1) → buff.ly/kfcbY7e
A newly disclosed flaw affects:
• 5.1 (< 5.1.14)
• 4.2 (< 4.2.26)
• 5.2 (< 5.2.8)
#AppSec #Python #WebSecurity 🧵1/5
CVE-2025-64459 (CVSSv3 9.1) → buff.ly/kfcbY7e
A newly disclosed flaw affects:
• 5.1 (< 5.1.14)
• 4.2 (< 4.2.26)
• 5.2 (< 5.2.8)
#AppSec #Python #WebSecurity 🧵1/5
November 7, 2025 at 4:23 PM
🚨 Critical #Django #Vulnerability 🚨
CVE-2025-64459 (CVSSv3 9.1) → buff.ly/kfcbY7e
A newly disclosed flaw affects:
• 5.1 (< 5.1.14)
• 4.2 (< 4.2.26)
• 5.2 (< 5.2.8)
#AppSec #Python #WebSecurity 🧵1/5
CVE-2025-64459 (CVSSv3 9.1) → buff.ly/kfcbY7e
A newly disclosed flaw affects:
• 5.1 (< 5.1.14)
• 4.2 (< 4.2.26)
• 5.2 (< 5.2.8)
#AppSec #Python #WebSecurity 🧵1/5
BleepingComputer reports a new malware campaign (#SesameOp) abusing #OpenAI APIs as a #C2 channel — turning AI assistants into control and exfiltration tools.
buff.ly/4ay9Kvz
#AIsecurity #CyberSecurity #AppSec #ThreatIntel 🧵1/3
buff.ly/4ay9Kvz
#AIsecurity #CyberSecurity #AppSec #ThreatIntel 🧵1/3
Microsoft: SesameOp malware abuses OpenAI Assistants API in attacks
Microsoft security researchers have discovered a new backdoor malware that uses the OpenAI Assistants API as a covert command-and-control channel.
www.bleepingcomputer.com
November 5, 2025 at 3:42 PM
BleepingComputer reports a new malware campaign (#SesameOp) abusing #OpenAI APIs as a #C2 channel — turning AI assistants into control and exfiltration tools.
buff.ly/4ay9Kvz
#AIsecurity #CyberSecurity #AppSec #ThreatIntel 🧵1/3
buff.ly/4ay9Kvz
#AIsecurity #CyberSecurity #AppSec #ThreatIntel 🧵1/3
What breaches orgs say: “it was a highly skilled attack by an advanced threat”
What actually happened: www.pcgamer.com/software/sec...
What actually happened: www.pcgamer.com/software/sec...
Post-heist reports reveal the password for the Louvre's video surveillance was 'Louvre,' and suddenly the dumpster-tier opsec of videogame NPCs seems a lot less absurd
Is leaving the safe combination on a post-it note that much worse?
www.pcgamer.com
November 5, 2025 at 12:26 PM
What breaches orgs say: “it was a highly skilled attack by an advanced threat”
What actually happened: www.pcgamer.com/software/sec...
What actually happened: www.pcgamer.com/software/sec...
☔️ #LastWeekInAppSec: Two major regressions hit key #DevOps tools this week — both with real potential for impact in enterprise environments. 🔗 buff.ly/REjgAW4 🧵1/4
November 4, 2025 at 10:08 PM
☔️ #LastWeekInAppSec: Two major regressions hit key #DevOps tools this week — both with real potential for impact in enterprise environments. 🔗 buff.ly/REjgAW4 🧵1/4
Seen the news about #PhantomRaven, the NPM malware campaign? Good news: Our Malicious Package Identification API already identifies relevant packages as malicious (see image for one example), and our Malicious Package Protection component has been flagging them during SCA scans. 🧵1/2
November 4, 2025 at 3:50 PM
Seen the news about #PhantomRaven, the NPM malware campaign? Good news: Our Malicious Package Identification API already identifies relevant packages as malicious (see image for one example), and our Malicious Package Protection component has been flagging them during SCA scans. 🧵1/2
🚨 A CVSSv3=10.0 #Vulnerability 🚨 in #DNN (Formerly DotNetNuke) versions prior to 10.1.1 allows unauthenticated users to upload files, even overwriting website assets and other critical components. This is a "the front door is unlocked" situation
CVE-2025-64095 -- buff.ly/UdKZLPl 🧵1/3
CVE-2025-64095 -- buff.ly/UdKZLPl 🧵1/3
October 30, 2025 at 9:08 PM
🚨 A CVSSv3=10.0 #Vulnerability 🚨 in #DNN (Formerly DotNetNuke) versions prior to 10.1.1 allows unauthenticated users to upload files, even overwriting website assets and other critical components. This is a "the front door is unlocked" situation
CVE-2025-64095 -- buff.ly/UdKZLPl 🧵1/3
CVE-2025-64095 -- buff.ly/UdKZLPl 🧵1/3
#Vulnerability alert: Python's `langgraph‑checkpoint‑sqlite` version 2.0.10 — a component of the #langchain #AI project — is vulnerable to SQL injection in filter operators ($eq, $ne, $gt, $lt, $gte, $lte) due to unsafe string concatenation. Update to version 2.0.11 buff.ly/AjRM91E
October 30, 2025 at 2:42 PM
#Vulnerability alert: Python's `langgraph‑checkpoint‑sqlite` version 2.0.10 — a component of the #langchain #AI project — is vulnerable to SQL injection in filter operators ($eq, $ne, $gt, $lt, $gte, $lte) due to unsafe string concatenation. Update to version 2.0.11 buff.ly/AjRM91E
#Vulnerability: A path traversal in #ApacheTomcat (CVE-2025-55752, #CVSS v3=7.5) allows attackers to gain access to protected URLs including `/WEB-INF/` and `/META-INF/` paths. If PUT method is enabled, this issue could in some cases lead to remote command execution buff.ly/xpnvts6
October 29, 2025 at 9:08 PM
#Vulnerability: A path traversal in #ApacheTomcat (CVE-2025-55752, #CVSS v3=7.5) allows attackers to gain access to protected URLs including `/WEB-INF/` and `/META-INF/` paths. If PUT method is enabled, this issue could in some cases lead to remote command execution buff.ly/xpnvts6
🗞️ This week in #AppSec: a batch of fresh vulnerabilities you may have missed — including multiple high-impact issues in #GitLab and a serious #CSRF flaw in #ApacheGeode. Full details, fixes, and detection tips 👉 buff.ly/slk16bD
#ApplicationSecurity #Infosec #CyberSecurity #DevSecOps 🧵1/7
#ApplicationSecurity #Infosec #CyberSecurity #DevSecOps 🧵1/7
October 28, 2025 at 2:42 PM
🗞️ This week in #AppSec: a batch of fresh vulnerabilities you may have missed — including multiple high-impact issues in #GitLab and a serious #CSRF flaw in #ApacheGeode. Full details, fixes, and detection tips 👉 buff.ly/slk16bD
#ApplicationSecurity #Infosec #CyberSecurity #DevSecOps 🧵1/7
#ApplicationSecurity #Infosec #CyberSecurity #DevSecOps 🧵1/7
🥷 If you’re using #dotNET Core’s web server components, know about CVE-2025-55315 — an HTTP Request Smuggling vulnerability rated #CVSS 9.9.
Severity depends on how your apps handle requests, so calculate your environmental score carefully.
buff.ly/QHRV8ht
🧵1/5
Severity depends on how your apps handle requests, so calculate your environmental score carefully.
buff.ly/QHRV8ht
🧵1/5
October 24, 2025 at 9:08 PM
🥷 If you’re using #dotNET Core’s web server components, know about CVE-2025-55315 — an HTTP Request Smuggling vulnerability rated #CVSS 9.9.
Severity depends on how your apps handle requests, so calculate your environmental score carefully.
buff.ly/QHRV8ht
🧵1/5
Severity depends on how your apps handle requests, so calculate your environmental score carefully.
buff.ly/QHRV8ht
🧵1/5
The #Magento / #AdobeECommerce vulnerability known as #SessionReaper (CVE-2025-54236) is being actively exploited, with ThreatRadar reporting that over 250 #eCommerce stores have been compromised via this vector. buff.ly/h695yjT
Over 250 Magento Stores Hit Overnight as Hackers Exploit New Adobe Commerce Flaw - Live Threat Intelligence - Threat Radar | OffSeq.com
Detailed information about Over 250 Magento Stores Hit Overnight as Hackers Exploit New Adobe Commerce Flaw. Get real-time updates, technical details, and mitig
radar.offseq.com
October 24, 2025 at 2:54 PM
The #Magento / #AdobeECommerce vulnerability known as #SessionReaper (CVE-2025-54236) is being actively exploited, with ThreatRadar reporting that over 250 #eCommerce stores have been compromised via this vector. buff.ly/h695yjT
Ready for a new Branded Vulnerability™? #TARmageddon (CVE-2025-62518) affects the #Rust ecosystem's may forks of `async-tar`; it's a parsing bug for the .tar file format that allows all kinds of shenanigans: at worst even #RCE (Remote Code Execution).
#CyberSecurity #SupplyChainSecurity #SCA
#CyberSecurity #SupplyChainSecurity #SCA
October 23, 2025 at 8:00 PM
Ready for a new Branded Vulnerability™? #TARmageddon (CVE-2025-62518) affects the #Rust ecosystem's may forks of `async-tar`; it's a parsing bug for the .tar file format that allows all kinds of shenanigans: at worst even #RCE (Remote Code Execution).
#CyberSecurity #SupplyChainSecurity #SCA
#CyberSecurity #SupplyChainSecurity #SCA
It's #LastWeekInAppSec time! Access control bypasses in #Python's #Authlib (#OAuth and #OpenID) and Java's #SpringFramework (#CSRF protection failure).
See buff.ly/ZUloV61 for deeper analysis, mitigation steps, etc.
#AppSec #VulnManagement #CyberSecurity #SupplyChainSecurity
See buff.ly/ZUloV61 for deeper analysis, mitigation steps, etc.
#AppSec #VulnManagement #CyberSecurity #SupplyChainSecurity
Last Week in AppSec for 21. October 2025 - Checkmarx
Access control bypasses in Python's Authlib (OAuth and OpenID) and Java's Spring Framework (CSRF protection failure), last week in AppSec
buff.ly
October 21, 2025 at 9:08 PM
It's #LastWeekInAppSec time! Access control bypasses in #Python's #Authlib (#OAuth and #OpenID) and Java's #SpringFramework (#CSRF protection failure).
See buff.ly/ZUloV61 for deeper analysis, mitigation steps, etc.
#AppSec #VulnManagement #CyberSecurity #SupplyChainSecurity
See buff.ly/ZUloV61 for deeper analysis, mitigation steps, etc.
#AppSec #VulnManagement #CyberSecurity #SupplyChainSecurity
🚨 High-severity vulnerability in #Strapi (CVE-2024-56143) allows attackers to access private fields – including admin passwords and reset tokens. This can lead to full instance compromise if your API is exposed. If you're using 5.x versions, update to 5.5.2 or later.
Authorization Bypass Through User-Controlled Key - CVE-2024-56143 - DevHub
Strapi is an open-source headless content management system. In versions from 5.0.0 to before 5.5.2, the lookup operator provided by the document service does not properly sanitize query parameters…
buff.ly
October 17, 2025 at 2:37 PM
🚨 High-severity vulnerability in #Strapi (CVE-2024-56143) allows attackers to access private fields – including admin passwords and reset tokens. This can lead to full instance compromise if your API is exposed. If you're using 5.x versions, update to 5.5.2 or later.
It's #LastWeekInAppSec time again! A use-after-free in #Poppler, a #PDF rendering library; and an IDOR in a Liferay web portal that leaks #PII. Summary below, details at buff.ly/hgQ32r9
#AppSec #CyberSecurity #SupplyChainSecurity #OpenSourceSecurity #OpenSource #CVE #Vulnerability
#AppSec #CyberSecurity #SupplyChainSecurity #OpenSourceSecurity #OpenSource #CVE #Vulnerability
Last Week In AppSec for 14. October 2025 - Checkmarx
Poppler PDF library has use-after-free on write; Liferay web platform leaks user address data due to IDOR. Learn about the issues, impacts, and remediation steps (last week in AppSec for 2025-10-14)
buff.ly
October 15, 2025 at 2:42 PM
It's #LastWeekInAppSec time again! A use-after-free in #Poppler, a #PDF rendering library; and an IDOR in a Liferay web portal that leaks #PII. Summary below, details at buff.ly/hgQ32r9
#AppSec #CyberSecurity #SupplyChainSecurity #OpenSourceSecurity #OpenSource #CVE #Vulnerability
#AppSec #CyberSecurity #SupplyChainSecurity #OpenSourceSecurity #OpenSource #CVE #Vulnerability
Use the popular `check-branches` NPM package in your CI? This tool checks for conflicts with other git branches, but it treats branch names as safe when passing to `git` commands, leading to command injection buff.ly/q3yjuvM (CVSSv4 9.3).
#CICD #SupplyChainSecurity #ApplicationSecurity
#CICD #SupplyChainSecurity #ApplicationSecurity
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') - CVE-2025-11148 - DevHub
All versions of the package check-branches are vulnerable to Command Injection check-branches is a command-line tool that is interacted with locally, or via CI, to confirm no conflicts exist in git…
devhub.checkmarx.com
October 8, 2025 at 9:08 PM
Use the popular `check-branches` NPM package in your CI? This tool checks for conflicts with other git branches, but it treats branch names as safe when passing to `git` commands, leading to command injection buff.ly/q3yjuvM (CVSSv4 9.3).
#CICD #SupplyChainSecurity #ApplicationSecurity
#CICD #SupplyChainSecurity #ApplicationSecurity
📢 ACTIVE VULNERABILITY 🚨 Fortra is warning that their #GoAnywhere Managed File Transfer (#MFT) system has a serious flaw that can allow attackers to inject commands. Requires a forged or valid license, but that's not a very high bar.
#CyberSecurity #DevSecOps #SupplyChainSecurity 🧵1/2
#CyberSecurity #DevSecOps #SupplyChainSecurity 🧵1/2
Deserialization Vulnerability in GoAnywhere MFT's License Servlet
A deserialization vulnerability in the License Servlet of Fortra's GoAnywhere MFT allows an actor with a validly forged license response signature to deserialize an arbitrary actor-controlled object,…
www.fortra.com
October 8, 2025 at 8:06 PM
📢 ACTIVE VULNERABILITY 🚨 Fortra is warning that their #GoAnywhere Managed File Transfer (#MFT) system has a serious flaw that can allow attackers to inject commands. Requires a forged or valid license, but that's not a very high bar.
#CyberSecurity #DevSecOps #SupplyChainSecurity 🧵1/2
#CyberSecurity #DevSecOps #SupplyChainSecurity 🧵1/2
In this week's #LastWeekInAppSec (07. Oct 2025): Django allowing SQLi when backed by MySQL or MariaDB; FreshRSS letting anyone self-register as an admin. buff.ly/6aRh6uN
#InfoSec #CyberSecurity #WebSecurity #DevSecOps #VulnerabilityManagement #SQLi #Django #FreshRSS #PatchManagement #CVE
#InfoSec #CyberSecurity #WebSecurity #DevSecOps #VulnerabilityManagement #SQLi #Django #FreshRSS #PatchManagement #CVE
checkmarx.com
October 7, 2025 at 2:42 PM
In this week's #LastWeekInAppSec (07. Oct 2025): Django allowing SQLi when backed by MySQL or MariaDB; FreshRSS letting anyone self-register as an admin. buff.ly/6aRh6uN
#InfoSec #CyberSecurity #WebSecurity #DevSecOps #VulnerabilityManagement #SQLi #Django #FreshRSS #PatchManagement #CVE
#InfoSec #CyberSecurity #WebSecurity #DevSecOps #VulnerabilityManagement #SQLi #Django #FreshRSS #PatchManagement #CVE
🚨 ALERT: Malicious #NPM package 🚨 `@lanyer640/mcp-runcommand-server` disguises itself as a legitimate MCP server but spawns a hidden interactive shell to IP 45[.]115.38.27 when executed.
We also Reported this package to NPM.
#Malware #OpenSource #DevOps #DevSecOps #ApplicationSecurity #AppSec 🧵1/2
We also Reported this package to NPM.
#Malware #OpenSource #DevOps #DevSecOps #ApplicationSecurity #AppSec 🧵1/2
October 1, 2025 at 4:59 PM
🚨 ALERT: Malicious #NPM package 🚨 `@lanyer640/mcp-runcommand-server` disguises itself as a legitimate MCP server but spawns a hidden interactive shell to IP 45[.]115.38.27 when executed.
We also Reported this package to NPM.
#Malware #OpenSource #DevOps #DevSecOps #ApplicationSecurity #AppSec 🧵1/2
We also Reported this package to NPM.
#Malware #OpenSource #DevOps #DevSecOps #ApplicationSecurity #AppSec 🧵1/2
🔒 Three new #OpenSSL CVEs today:
• CVE-2025-9230 OOB read/write (CMS decrypt)
• CVE-2025-9231 SM2 side-channel (ARM64)
• CVE-2025-9232 OOB read (HTTP client)
Fixes in 3.5.4, 3.4.3, 3.3.5, 3.2.6, 3.0.18. Update now.
Details: www.openssl.org/news/secadv/...
#AppSec #SupplyChainSecurity #OpenSource
• CVE-2025-9230 OOB read/write (CMS decrypt)
• CVE-2025-9231 SM2 side-channel (ARM64)
• CVE-2025-9232 OOB read (HTTP client)
Fixes in 3.5.4, 3.4.3, 3.3.5, 3.2.6, 3.0.18. Update now.
Details: www.openssl.org/news/secadv/...
#AppSec #SupplyChainSecurity #OpenSource
September 30, 2025 at 11:41 PM
🔒 Three new #OpenSSL CVEs today:
• CVE-2025-9230 OOB read/write (CMS decrypt)
• CVE-2025-9231 SM2 side-channel (ARM64)
• CVE-2025-9232 OOB read (HTTP client)
Fixes in 3.5.4, 3.4.3, 3.3.5, 3.2.6, 3.0.18. Update now.
Details: www.openssl.org/news/secadv/...
#AppSec #SupplyChainSecurity #OpenSource
• CVE-2025-9230 OOB read/write (CMS decrypt)
• CVE-2025-9231 SM2 side-channel (ARM64)
• CVE-2025-9232 OOB read (HTTP client)
Fixes in 3.5.4, 3.4.3, 3.3.5, 3.2.6, 3.0.18. Update now.
Details: www.openssl.org/news/secadv/...
#AppSec #SupplyChainSecurity #OpenSource
Got 3 minutes? Catch up on the #AppSec news you might have missed #LastWeekInAppSec : buff.ly/dR3PQZJ
This week: go-mail #opensource library has SMTP injection; Rancher subject to SAML flow abuse in Manager & CLI. Read for full details including remediation and mitigation advice. #DevSecOps 🧵1/5
This week: go-mail #opensource library has SMTP injection; Rancher subject to SAML flow abuse in Manager & CLI. Read for full details including remediation and mitigation advice. #DevSecOps 🧵1/5
Last Week in AppSec for 30. September 2025 - Checkmarx
go-mail SMTP injection and Rancher SAML phishing vector with escalation of privilege: Last Week In AppSec
buff.ly
September 30, 2025 at 9:08 PM
Got 3 minutes? Catch up on the #AppSec news you might have missed #LastWeekInAppSec : buff.ly/dR3PQZJ
This week: go-mail #opensource library has SMTP injection; Rancher subject to SAML flow abuse in Manager & CLI. Read for full details including remediation and mitigation advice. #DevSecOps 🧵1/5
This week: go-mail #opensource library has SMTP injection; Rancher subject to SAML flow abuse in Manager & CLI. Read for full details including remediation and mitigation advice. #DevSecOps 🧵1/5
📢 malicious VisualStudio Code (#VSCode & #VSCodium) packages identified. Checkmarx Zero identified the packages below and reported them to Microsoft before they were widely distributed. Microsoft responded promptly and has removed them from the Visual Studio Marketplace. 🧵1/5
September 30, 2025 at 2:42 PM
📢 malicious VisualStudio Code (#VSCode & #VSCodium) packages identified. Checkmarx Zero identified the packages below and reported them to Microsoft before they were widely distributed. Microsoft responded promptly and has removed them from the Visual Studio Marketplace. 🧵1/5
Ghostscript has a stack-based buffer overflow in versions 9.* and 10.*. It’s rated only Medium, but Ghostscript underpins many PDF apps and libraries. Think of it like the “ImageMagick of PDFs.”
buff.ly/GJ7Mpfj 🧵1/3
buff.ly/GJ7Mpfj 🧵1/3
Stack-based Buffer Overflow - CVE-2025-59798 - DevHub
Artifex Ghostscript through 10.05.1 has a stack-based buffer overflow in pdf_write_cmap in devices/vector/gdevpdtw.c.
devhub.checkmarx.com
September 24, 2025 at 2:42 PM
Ghostscript has a stack-based buffer overflow in versions 9.* and 10.*. It’s rated only Medium, but Ghostscript underpins many PDF apps and libraries. Think of it like the “ImageMagick of PDFs.”
buff.ly/GJ7Mpfj 🧵1/3
buff.ly/GJ7Mpfj 🧵1/3
Reposted by Checkmarx Zero
Ori Ron and I found a cool way to attack the HITL, by convincing it to inject content and markup right after commands. Anyone would press Yes if the attackers control the question.
Using AI agents or coding assistants? You might have a LITL problem.
“Lies in the loop” can bypass defenses that rely on a human-in-the-loop check.
Learn more: buff.ly/whnCtFv 🧵1/4
#CheckmarxZero #AppSec #AI #AISecurity #MachineLearning #AIagents #SecureCoding
“Lies in the loop” can bypass defenses that rely on a human-in-the-loop check.
Learn more: buff.ly/whnCtFv 🧵1/4
#CheckmarxZero #AppSec #AI #AISecurity #MachineLearning #AIagents #SecureCoding
Bypassing AI Agent Defenses With Lies-In-The-Loop - Checkmarx
Lies-in-the-loop is a new attack that bypasses AI agent's "human-in-the-loop" defenses to run malicious code on user machines. Learn what it does and how we uncovered it.
checkmarx.com
September 15, 2025 at 2:49 PM
Ori Ron and I found a cool way to attack the HITL, by convincing it to inject content and markup right after commands. Anyone would press Yes if the attackers control the question.