CVE-2025-9624: Nested Boolean/Disjunction Asymmetric DoS in Amazon's OpenSearch query_string - Chick
2025-11-25
How I found CVE-2025-9624, an asymmetric Denial of Service in Amazon's OpenSearch's query_string handling, and how it was fixed with search.query.max_query_string_length.
648 words | 3 minutes
The Obsolescence of SSL Pinning in Mobile App Security
2025-09-01
This blog post is dense and time-consuming to read in full. If you just need the essentials:
4165 words | 21 minutes
CVE-2025-9375: XML Injection Vulnerability in xmltodict 0.14.2 - Mono
2025-08-25
I discovered an XML Injection vulnerability in xmltodict version 0.14.2, a popular Python library with over 1.5 million weekly downloads on PyPI. This vulnerability allows attackers to inject arbitrary XML markup through crafted dictionary keys, potentially leading to XML structure manipulation, data corruption, and in web contexts, cross-site scripting (XSS) attacks.
691 words | 3 minutes
CVE-2025-7969: Markdown-it Fence Rendering XSS - Fito
2025-08-20
Markdown-it 14.1.0 contains an XSS vulnerability (CVE-2025-7969) that enables arbitrary JavaScript execution through a fence rendering bypass. This post provides a technical deep dive into the vulnerability, exploitation techniques, and real-world impact scenarios.
1048 words | 5 minutes
CVE-2025-8101: Linkify.js Prototype Pollution & XSS - Charly
2025-07-26
Linkify.js 4.3.1 contains a prototype pollution vulnerability (CVE-2025-8101) that enables remote code execution through XSS. This post provides a technical deep dive into the vulnerability, exploitation techniques, and real-world impact scenarios.
730 words | 4 minutes