This page contains security advisories and CVEs that I have reported and contributed to as an individual security researcher in my personal capacity. Typically, if I find something I also fix it.
A Denial of Service (DoS) vulnerability was discovered in the CoreDNS DNS-over-QUIC (DoQ) server implementation. The server previously created a new goroutine for every incoming QUIC stream without imposing any limits on the number of concurrent streams or goroutines. A remote, unauthenticated attacker could open a large number of streams, leading to uncontrolled memory consumption and eventually causing an Out Of Memory (OOM) crash — especially in containerized or memory-constrained environments.
The issue has been fixed in version 1.12.2. I provided the fix in PR #7296.
The library fails to enforce its configured size limits on incoming request bodies when Transfer-Encoding: chunked is used or when no Content-Length header is provided. A remote attacker can send a chunked request without the terminating zero-length chunk, causing uncontrolled memory allocation on the server; this can exhaust system memory and leave the server crashed or unresponsive.
The issue has been fixed in version 0.20.1. I provided the fix in commit 7b752106ac42bd5b907793950d9125a0972c8e8e.
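To illustrate the bug class above, here is an added Go example (not the affected library's code) modelled on net/http: a handler that checks Content-Length alone lets chunked bodies through unchecked, while wrapping the body in http.MaxBytesReader enforces the limit on the bytes actually read, so a never-terminated chunked body ends in a 413 instead of an OOM. The limit value, the two handlers, the post helper and the endlessBody type are assumptions for the example.

```go
package main

import (
	"errors"
	"io"
	"net/http"
	"net/http/httptest"
)

// Configured request-body limit (assumed value for this example).
const maxBody int64 = 1024
// endlessBody models a chunked request with no terminating zero-length chunk: Read never reaches EOF.
type endlessBody struct{}
func (endlessBody) Read(p []byte) (int, error) {
	for i := range p {
		p[i] = 'a'
	}
	return len(p), nil
}

// Before: trusts Content-Length alone, which net/http reports as -1 for chunked bodies.
func vulnerableHandler(w http.ResponseWriter, r *http.Request) {
	if r.ContentLength > maxBody { // check passes for every chunked request
		http.Error(w, "too large", http.StatusRequestEntityTooLarge)
		return
	}
	io.ReadAll(r.Body) // uncapped: on endlessBody this allocates until OOM
	w.WriteHeader(http.StatusOK)
}

// After: cap the bytes actually read, whatever the framing; hitting the cap is a 413.
func hardenedHandler(w http.ResponseWriter, r *http.Request) {
	_, err := io.ReadAll(http.MaxBytesReader(w, r.Body, maxBody))
	if errors.As(err, new(*http.MaxBytesError)) {
		http.Error(w, "too large", http.StatusRequestEntityTooLarge)
	} else if err != nil {
		http.Error(w, "bad request", http.StatusBadRequest)
	} else {
		w.WriteHeader(http.StatusOK)
	}
}

// post drives a handler in-process with a length-less body (as for Transfer-Encoding: chunked).
func post(h http.HandlerFunc, body io.Reader) int {
	req := httptest.NewRequest(http.MethodPost, "/upload", body)
	req.ContentLength = -1
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Code
}
```

Calling post(vulnerableHandler, endlessBody{}) never returns, which is the denial of service; post(hardenedHandler, endlessBody{}) returns 413 after reading just over 1 KiB.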
A user with permission to create/modify EventSource and Sensor custom resources can gain privileged access to the host system and cluster, even without having direct administrative privileges.
The issue has been fixed in version 1.9.6.
A Cross-Site Scripting (XSS) vulnerability exists in Beego's RenderForm() function due to improper HTML escaping of user-controlled data. This vulnerability allows attackers to inject malicious JavaScript code that executes in victims' browsers, potentially leading to session hijacking, credential theft, or account takeover. The vulnerability affects any application using Beego's RenderForm() function with user-provided data. Since it is a high-level function that generates the entire form markup, many developers would assume it automatically escapes attribute values (the way most frameworks do).
The issue has been fixed in version 2.3.6. I provided the fix in commit 939bb18c66406466715ddadd25dd9ffa6f169e25.
If the Expr expression parser is given an unbounded input string, it will attempt to compile the entire string and generate an Abstract Syntax Tree (AST) node for each part of the expression. In scenarios where input size isn't limited, a malicious or inadvertently very large expression makes the parser build a huge AST, consuming memory in proportion to the input and ultimately causing an Out-Of-Memory (OOM) crash of the process.
The issue has been fixed in version 1.17.0. I provided the fix in PR #762.
A Denial of Service (DoS) vulnerability in the authentication middleware allows any client to cause memory exhaustion by sending large request bodies.
The issue has been fixed in version 0.44.0.