GitHub Security Lab
1.5K posts

GitHub Security Lab
@GHSecurityLab
GitHub Security Lab’s mission is to inspire and enable the community to secure the open source software we all depend on.
Joined October 2019
15 Following, 26.4K Followers

Mastodon: @GitHubSecurityLab (infosec.exchange/@GitHubSecurit…)

GHSL-2024-323: Denial of Service (DoS) in snapcraft securitylab.github.com/advisories/GHS…

GHSL-2024-296: Deserialization of untrusted data in Kykms securitylab.github.com/advisories/GHS…

GHSL-2024-273: ReDoS in remove_html_tags of Gradio securitylab.github.com/advisories/GHS…
GitHub Security Lab retweeted

GHSL-2024-327: Poisoned Pipeline Execution (PPE) in Microsoft FluentUI securitylab.github.com/advisories/GHS…

GHSL-2024-254: Poisoned Pipeline Execution (PPE) in Amplification leading to potential account takeover securitylab.github.com/advisories/GHS…

How to secure your GitHub Actions workflows with CodeQL. Dive into this actionable supply chain security research from @pwntester. This work resulted in dozens of high impact supply chain findings and, most importantly, added CodeQL support for your GitHub workflows! github.blog/security/appli…

GitHub Security Lab retweeted

Ever wanted to learn fuzzing?!?! 🐛 Me and some other folks at @pbrucla recently ran a project where we taught folks about the basics of fuzzing with Honggfuzz. 👀 Some fun activities inspired by the Fuzzing101 repo from the folks at @GHSecurityLab! 🤗
github.com/pbrucla/fuzzin…

GHSL-2024-303: Code execution in trusted context via a GitHub Action of Tribler securitylab.github.com/advisories/GHS…

GHSL-2024-173: Environment Variable injection in a Feign GitHub Actions workflow securitylab.github.com/advisories/GHS…

🎉 Excited to announce the launch of CodeQL Community Packs for Security teams and researchers!
🚀 Supercharge your code analysis with new Query, Model, and Library packs, to find more vulnerabilities, accelerate codebases audit, and secure code effortlessly.
github.blog/security/vulne…

GHSL-2024-091_GHSL-2024-092: DNS rebinding attacks against Home-gallery - CVE-2024-53275, CVE-2024-53276
securitylab.github.com/advisories/GHS…

GHSL-2024-075_GHSL-2024-076: Stored Cross-Site Scripting (XSS) and Remote Code Execution (RCE) via Velocity Template Evaluation in Sonatype Nexus 2
securitylab.github.com/advisories/GHS…

GHSL-2024-072_GHSL-2024-074: Stored Cross-Site Scripting (XSS), Arbitrary File Upload, and Arbitrary File Read/Write via Path Traversal in Reposilite - CVE-2024-36115, CVE-2024-36116, CVE-2024-36117
securitylab.github.com/advisories/GHS…
GitHub Security Lab retweeted

A new free tier of GitHub Copilot in @code.
✅ 2,000 code completions per month
💬 50 chat messages per month
💫 Models like Claude 3.5 Sonnet or GPT-4o
♥️ More fun for you
Check it out today!
Oh yeah, and we passed 150M developers on GitHub 💅 github.blog/news-insights/…

🎉 You can now enable code scanning in your GitHub Actions workflow files!
✅ By opting-in to this feature, you can enhance the security of repositories using GitHub Actions.
github.blog/changelog/2024…

