Vulnerabilities
2024
- Authorization by nonce in WordPress plugins:
- CVE-2024-6497 Squirrly SEO (100k+ active installations): Authenticated SQL Injection via url Parameter
- CVE-2024-7031 Filester (60k+ active installations): Authenticated Plugin Settings Update
- CVE-2024-8669 Backuply (200k+ active installations): Authenticated (Admin+) SQL Injection
- HTTP/2 CONTINUATION Flood: A class of vulnerabilities I discovered and worked on in Q1 of 2024. Affects multiple HTTP/2 implementations:
- amphp/http (CVE-2024-2653),
- Apache HTTP Server (httpd) (CVE-2024-27316),
- Apache Tomcat (CVE-2024-24549),
- Apache Traffic Server (CVE-2024-31309),
- Envoy proxy (CVE-2024-27919, CVE-2024-30255),
- Golang (CVE-2023-45288),
- h2 Rust crate,
- IBM WebSphere (CVE-2024-27268),
- nghttp2 (CVE-2024-28182),
- Mozilla Firefox (CVE-2024-3302),
- Mozilla Thunderbird (CVE-2024-3302),
- Node.js (CVE-2024-27983),
- Tempesta FW (CVE-2024-2758) and more.
2023
- Vulnerabilities connected to net/textproto.Reader misuse in Golang. Affected projects include Golang (CVE-2023-45290), Caddy and many others.
- HTTP Chunk Extension Processing Vulnerabilities A family of vulnerabilities I discovered in major projects including Golang (CVE-2023-39326), Node.js (CVE-2024-22019), Rust: Hyper and Rails: Puma (CVE-2024-21647). Invalid processing of HTTP chunk extensions created an amplification vector: because extension bytes are read and discarded without being counted as body, a small request could force the server to read far more bytes from the network than the body contained, enabling DoS through network bandwidth or CPU exhaustion.
- CVE-2023-29406 The HTTP/1 client in Golang does not fully validate the contents of the Host header. A maliciously crafted Host header can inject additional headers or entire requests. The HTTP/1 client now refuses to send requests containing an invalid Request.Host or Request.URL.Host value.
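The chunk-extension amplification described above, as an added example that is not code from Go, Node.js, Hyper or Puma: a minimal chunked-body decoder in Go that reports how many bytes it pulled off the wire per body byte delivered, first accepting extensions of any length and then charging every non-data byte (chunk-size line, extension, CRLF) against an allowance that grows only with delivered data. The 4096-byte allowance, the function names and the constructed request body are assumptions of this example.

```go
package main

import (
	"bufio"
	"bytes"
	"errors"
	"fmt"
	"io"
	"strconv"
	"strings"
)

// ErrTooMuchNonData is returned by readChunked when the sender has spent more
// bytes on chunk-size lines, extensions and CRLFs than the allowance permits.
var ErrTooMuchNonData = errors.New("chunked encoding contains too much non-data")

// nonDataAllowance is how many non-data bytes a sender may use before it has
// to "pay" for them with delivered body bytes. Assumed value for this example.
const nonDataAllowance = 4096

// Stats records what the decoder consumed from the network versus what it
// handed to the application; their ratio is the amplification factor.
type Stats struct {
	Wire int
	Body int
}

// Amplification returns network bytes read per body byte delivered.
func (s Stats) Amplification() float64 {
	if s.Body == 0 {
		return 0
	}
	return float64(s.Wire) / float64(s.Body)
}

// readChunked decodes a chunked transfer-coding body from r (trailers are not
// handled). With limitNonData=false it accepts chunk extensions of any length,
// which is the behaviour behind the amplification; with limitNonData=true every
// non-data byte is charged against an allowance that only grows with data.
func readChunked(r io.Reader, limitNonData bool) ([]byte, Stats, error) {
	br := bufio.NewReader(r)
	var body []byte
	var st Stats
	allowance := nonDataAllowance
	for {
		line, err := br.ReadString('\n') // "size[;extension...]\r\n"
		if err != nil {
			return body, st, err
		}
		st.Wire += len(line)
		if limitNonData {
			allowance -= len(line)
			if allowance < 0 {
				return body, st, ErrTooMuchNonData
			}
		}
		sizeText, _, _ := strings.Cut(strings.TrimRight(line, "\r\n"), ";")
		size, perr := strconv.ParseUint(strings.TrimSpace(sizeText), 16, 32)
		if perr != nil {
			return body, st, fmt.Errorf("bad chunk size %q", sizeText)
		}
		if size == 0 {
			return body, st, nil // last-chunk
		}
		data := make([]byte, size+2) // chunk-data plus its trailing CRLF
		if _, err := io.ReadFull(br, data); err != nil {
			return body, st, err
		}
		st.Wire += len(data)
		st.Body += int(size)
		body = append(body, data[:size]...)
		if limitNonData {
			allowance += int(size) - 2 // data earns allowance; the CRLF spends it
		}
	}
}

// amplifiedBody builds a constructed attacker body: n chunks, each carrying one
// data byte behind extLen bytes of chunk extension, followed by the last-chunk.
func amplifiedBody(n, extLen int) []byte {
	var b bytes.Buffer
	ext := strings.Repeat("a", extLen)
	for i := 0; i < n; i++ {
		fmt.Fprintf(&b, "1;x=%s\r\nA\r\n", ext)
	}
	b.WriteString("0\r\n\r\n")
	return b.Bytes()
}

func main() {
	body := amplifiedBody(100, 1000) // 100 body bytes behind ~100 KB of extensions
	_, st, err := readChunked(bytes.NewReader(body), false)
	fmt.Printf("lenient: wire=%d body=%d amplification=%.0fx err=%v\n",
		st.Wire, st.Body, st.Amplification(), err)
	_, st, err = readChunked(bytes.NewReader(body), true)
	fmt.Printf("limited: wire=%d body=%d err=%v\n", st.Wire, st.Body, err)
}
```

The lenient decoder reads about 1000 bytes from the socket for every byte it gives to the handler, so an attacker with modest bandwidth can keep a server's read path busy; the limited decoder aborts the request after a few kilobytes of extension bytes that the sender never paid for with body data.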
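An illustration of the Host header injection described for CVE-2023-29406, as an added example rather than Go's own code: requestHead serialises the request line and Host header the way an HTTP/1.1 client puts them on the wire, once trusting the value verbatim and once rejecting any byte outside an allow-list modelled on the RFC 3986 host grammar. The allow-list, the helper names and the constructed Host value are assumptions of this example, not the exact table Go uses.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// hostByteAllowed reports whether b may appear in a Host header value. The set
// is modelled on RFC 3986 "host [ ":" port ]" (unreserved, sub-delims,
// pct-encoded, ':' and IPv6 brackets); it is an assumption of this example,
// not Go's exact table. CR, LF, space and other control bytes are absent.
func hostByteAllowed(b byte) bool {
	if 'a' <= b && b <= 'z' || 'A' <= b && b <= 'Z' || '0' <= b && b <= '9' {
		return true
	}
	return strings.IndexByte("-._~!$&'()*+,;=%:[]", b) >= 0
}

// hostHeaderIsValid is the check applied before the Host value is serialised.
func hostHeaderIsValid(host string) bool {
	if host == "" {
		return false
	}
	for i := 0; i < len(host); i++ {
		if !hostByteAllowed(host[i]) {
			return false
		}
	}
	return true
}

// requestHead serialises the request line and Host header. validate=false
// mirrors a client that trusts Request.Host verbatim; validate=true refuses
// to send an invalid value instead.
func requestHead(method, path, host string, validate bool) (string, error) {
	if validate && !hostHeaderIsValid(host) {
		return "", errors.New("http: invalid Host header")
	}
	return fmt.Sprintf("%s %s HTTP/1.1\r\nHost: %s\r\n\r\n", method, path, host), nil
}

// requestLines counts request lines ("METHOD target HTTP/1.1") in a serialised
// head; more than one means a second request was smuggled through Host.
func requestLines(head string) int {
	n := 0
	for _, l := range strings.Split(head, "\r\n") {
		if strings.HasSuffix(l, " HTTP/1.1") {
			n++
		}
	}
	return n
}

func main() {
	// Constructed attacker-controlled Host: the embedded CRLFs add a header and
	// terminate the request so that a second request follows in the same stream.
	evil := "example.com\r\nX-Injected: 1\r\n\r\nGET /admin HTTP/1.1\r\nHost: example.com"
	head, _ := requestHead("GET", "/", evil, false)
	fmt.Printf("unchecked: %d request line(s) on the wire\n", requestLines(head))
	if _, err := requestHead("GET", "/", evil, true); err != nil {
		fmt.Println("checked:", err)
	}
}
```

The unchecked path emits two complete requests from a single client call, which is the "inject entire requests" outcome; the checked path fails closed on the first CR byte. Validating at the byte level rather than searching for "\r\n" also catches a bare LF, which some servers accept as a line terminator.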
2021
- As a part of my work for Stellar.org Security Team I discovered a vulnerability in Trezor hardware wallet firmware affecting its Stellar client. Because of an insufficient field size check in Protobuf, an attacker could trick the user into signing a Stellar transaction moving their assets while thinking they are signing a ManageData transaction. Slides from internal presentation are available here.
2014
- XSS in Yahoo! Mail that allowed sending and reading the victim's email messages once they clicked a crafted link.
2013
- A missing authorization check in some GraphQL queries allowed retrieving the list of applications installed by any Facebook user.