Chris Grieger
@eternalkyu.bsky.social
Bug bounty hunter, security researcher and CEO @ www.blueredix.com
I discovered two XSS flaws in mermaid (JS diagram library) last month. The advisories got published today.
CVE-2025-54880 (github.com/mermaid-js/m...)
CVE-2025-54881 (github.com/mermaid-js/m...)
#xss #bugbounty
CVE-2025-54880 (github.com/mermaid-js/m...)
CVE-2025-54881 (github.com/mermaid-js/m...)
#xss #bugbounty
Improper sanitization of architecture diagram iconText leads to XSS
### Summary
In the default configuration of mermaid 11.9.0, user supplied input for architecture diagram icons is passed to the d3 `html()` method, creating a sink for cross site scripting.
###...
github.com
August 19, 2025 at 6:47 PM
I discovered two XSS flaws in mermaid (JS diagram library) last month. The advisories got published today.
CVE-2025-54880 (github.com/mermaid-js/m...)
CVE-2025-54881 (github.com/mermaid-js/m...)
#xss #bugbounty
CVE-2025-54880 (github.com/mermaid-js/m...)
CVE-2025-54881 (github.com/mermaid-js/m...)
#xss #bugbounty
Repository with a demo of Next.js CVE-2025-29927 github.com/fourcube/nex...
GitHub - fourcube/nextjs-middleware-bypass-demo: Demo for Next.js middleware bypass - CVE-2025-29927
Demo for Next.js middleware bypass - CVE-2025-29927 - fourcube/nextjs-middleware-bypass-demo
github.com
March 24, 2025 at 8:10 AM
Repository with a demo of Next.js CVE-2025-29927 github.com/fourcube/nex...
Took @agarri.fr Mastering Burp Suite Pro course last week, which was fantastic. Since the Next.js middleware bypass CVE dropped over the weekend, I decided put the new knowledge to good use. Here's a BCheck script to test for the vulnerability: gist.github.com/fourcube/45a...
Burp BCheck for CVE-2025-29927 (Next.js middleware bypass)
Burp BCheck for CVE-2025-29927 (Next.js middleware bypass) - CVE-2025-29927.bcheck
gist.github.com
March 24, 2025 at 8:01 AM
Took @agarri.fr Mastering Burp Suite Pro course last week, which was fantastic. Since the Next.js middleware bypass CVE dropped over the weekend, I decided put the new knowledge to good use. Here's a BCheck script to test for the vulnerability: gist.github.com/fourcube/45a...
Temporary AWS WAF rule as a workaround for CVE-2025-29927: gist.github.com/fourcube/db1...
Temporary AWS WAF rule as a workaround for CVE-2025-29927
Temporary AWS WAF rule as a workaround for CVE-2025-29927 - aws-waf-rule-CVE-2025-29927.json
gist.github.com
March 23, 2025 at 10:37 PM
Temporary AWS WAF rule as a workaround for CVE-2025-29927: gist.github.com/fourcube/db1...
Reposted by Chris Grieger
🛑 GIVEAWAY ALERT 🛑 ⬇️
Today we are giving away 3 seats to our training:
"Red Blue Purple AI" - March 27-28
Syllabus:
arcanuminfosec.gumroad.com/l/ygmlpe
Have up to FIVE entries to the giveaway on bsky!
📷 Share = 2 Entries
📷 Like = 1 Entry
📷 Comment = 1 Entry
📷 Follow = 1 Entries
Today we are giving away 3 seats to our training:
"Red Blue Purple AI" - March 27-28
Syllabus:
arcanuminfosec.gumroad.com/l/ygmlpe
Have up to FIVE entries to the giveaway on bsky!
📷 Share = 2 Entries
📷 Like = 1 Entry
📷 Comment = 1 Entry
📷 Follow = 1 Entries
Red Blue Purple AI - December 2024
Over the course of the last two years I've been working on a new course. My area of expertise is usually offensive security, but through my consulting, advising, and leadership roles, I've been expose...
arcanuminfosec.gumroad.com
March 19, 2025 at 3:56 PM
🛑 GIVEAWAY ALERT 🛑 ⬇️
Today we are giving away 3 seats to our training:
"Red Blue Purple AI" - March 27-28
Syllabus:
arcanuminfosec.gumroad.com/l/ygmlpe
Have up to FIVE entries to the giveaway on bsky!
📷 Share = 2 Entries
📷 Like = 1 Entry
📷 Comment = 1 Entry
📷 Follow = 1 Entries
Today we are giving away 3 seats to our training:
"Red Blue Purple AI" - March 27-28
Syllabus:
arcanuminfosec.gumroad.com/l/ygmlpe
Have up to FIVE entries to the giveaway on bsky!
📷 Share = 2 Entries
📷 Like = 1 Entry
📷 Comment = 1 Entry
📷 Follow = 1 Entries