The first requires being able to overwrite binaries in the Swift tool directory. Yes, if you overwrite binaries executed by ghidra, you can trigger code execution. This is not a surprise.
The second, idk, I'm not familiar with TraceRMI (but it's probably worth noting that "RMI" stands for Remote Method Invocation).
The third is not a vulnerability in the slightest, they just demonstrate that native 7zip parsing code is reachable. Maybe there is a bug in the 7zip parser, but without that it's meaningless.
ofjcihen 1 hours ago [-]
Was just thinking it would be hilarious if these were all known CVEs hiding the next Shai-Hulud inside of them and waiting to compromise security hobbyists rushing to download them.
Retr0id 59 minutes ago [-]
It wouldn't be the first time!
woodruffw 1 hours ago [-]
The Gitea one looks marginally interesting, but is probably not exploitable in practice (unless Gitea or whoever else isn’t properly isolating jobs on dedicated VMs). I suspect GitHub Actions has similar behavior and is not considered exploitable because the user is assumed to already have local, non-namespaced root access.
Scaled 28 minutes ago [-]
Gitea action runner has a bunch of different ways to setup and doing the isolation properly looks tricky. The documentation doesn't provide any isolation tests to administrators, either.
The biggest mitigation is that gitea documentation discourages you from using action runners from untrusted users. Not flawless security, but it's something...
woodruffw 16 minutes ago [-]
> The biggest mitigation is that gitea documentation discourages you from using action runners from untrusted users.
This recommendation seems incompatible with third-party collaboration, at least on its face!
andrepd 2 hours ago [-]
> Yes, if you overwrite binaries executed by ghidra, you can trigger code execution.
> but it's probably worth noting that "RMI" stands for Remote Method Invocation
This reminds me of someone submitting a (clearly vibecoded) vulnerability report claiming to have found a way to execute arbitrary SQL. The project in question? An SQL server... https://github.com/tursodatabase/turso/pull/4322
charcircuit 26 minutes ago [-]
>The first requires being able to overwrite binaries in the Swift tool directory.
Does it? Or does it need to be in the same directory you invoked ghidra?
ryukoposting 2 hours ago [-]
I'm no expert on any of these programs, but that's kinda the problem, isn't it? No single person is an expert on every codebase supposedly exploited in this repo.
After a bit of research, the Firefox one seems plausible to me. But, I haven't actually tried the POC. The explanation about the private-data and untrusted-input flags is plausible but I'm not an expert on Firefox's internals, maybe that's not actually how it works.
This just sucks, all around. Are we going to need every open source project gawking at the same repo full of stuff that has nothing to do with them, on the off chance that someone discloses a vuln that does have to do with them? Is this some kind of performative complaint about high friction in responsible disclosure? Well great job dickhead, you've just made a system that's even worse. Nobody benefits from this. Yuck yuck yuck.
trinari 1 hours ago [-]
I actually prefer them being public than in some governments or corporations toolbox
DANmode 47 minutes ago [-]
> Nobody benefits from this
Disclosures always enable more secure software to theoretically exist,
even if nobody follows through creating it.
They often do.
skerit 2 hours ago [-]
I immediately saw the Ghidra one and was thinking: huh?
firefax 2 hours ago [-]
The bigger takeaway is someone that smart is pissed off and dropping their shit with zero warning... but hey, that's just like, my opinion man.
Retr0id 2 hours ago [-]
You don't need to be pissed off to decide that immediate public disclosure is the best option.
firefax 1 hours ago [-]
Ok, I don't know their emotional state. Fair point.
Maybe I'm projecting my own biases ;-)
b112 33 minutes ago [-]
Meanwhile, some dude was just playing with claude and accidentally made his repo public.
46 minutes ago [-]
zkmon 7 minutes ago [-]
AI is always a bit eager to report everything as an issue because the "number" of findings is seen as a measure of it's intelligence. Same happens with code review as well. It reports lots of non-issues. I suspect even Mythos output could have the same bloat, and the number (instead of severity) of the issues it reported could have scared people.
dpark 2 minutes ago [-]
This is not what I heard from folks who worked directly with mythos. I was told that the vulnerabilities it generated were largely real and meaningful.
dvt 47 minutes ago [-]
Went over a few of these with a pretty keen eye, and they aren't that particularly interesting. The Docker one is just a weird bug, it's not a vulnerability, and certainly not a "0-day" (which is a pretty loaded term and people expect bad stuff to happen).
The nghttp2 nghttpx one is more interesting, and could potentially be used for phishing, but it's very hard to line up properly because the request queue is non-deterministic so basically impossible to target a specific victim (assuming proxy traffic).
The VLC one is just a straight-up crash/bug. And VLC crashes all the time when using weird codecs, so that's nothing new.
Am I missing something here?
doe88 2 hours ago [-]
0-days-vibes-vulns? There should be a new category, for spotting and handling the em-dashes of this brave new world of vulns and making the old fossils like me only picking my head up for the old painfully still hand-crafted artisanal ones instead. A kind of label, like free-range for eggs, in sum.
tyre 2 hours ago [-]
Yes, big pet peeve of the new world. Every em dash is apparently an AI trigger. Back in my day, they were a sign of great respect within my people.
rogerrogerr 1 hours ago [-]
I used to be an em-dash user, but now my opinion is that I’d rather be perceived as someone who does not want to be confused with an LLM. So I’ve changed my writing style.
Wowfunhappy 35 minutes ago [-]
My feeling is that my writing doesn't sound anything like an LLM, and so if someone thinks I'm an LLM because I used an em-dash, that's on them. That, or I royally screwed up and need to do a better job as a writer. At least with today's LLMs.
brookst 24 minutes ago [-]
It’s fine to use em-dashes — just be srre to add typos.
998244353 26 minutes ago [-]
I now use "ASCII em-dashes" by using two hyphens -- like this. Or--if you prefer no spaces--like this.
rogerrogerr 23 minutes ago [-]
Nah, I’ve started noticing people doing this replacement automatically in LLM output. I just try not to write with dashes anymore.
jackp96 1 hours ago [-]
They're just so handy! I do think LLMs tend to use them in a specific way, though.
So maybe tweaking your usage (ex. no spaces around them) or using a technically incorrect en-dash might offer the desired effect while subtly signaling that your message isn't AI-generated.
I still use them — mostly for pauses — but I'd like to think my voice sounds distinct enough from an AI that people can tell.
rplnt 23 minutes ago [-]
I've only ever been using "regular" dash, a minus, for that. How do you even type yours? If I ever needed differently-sized dashes (and I don't know the difference between them) I always used wiki to copy them.
(disclaimer: I feel like this obsession with dashes is special to native English speakers, which I'm obviously not)
Syntonicles 54 minutes ago [-]
I for one am striving for clarity and couldn't care less about being confused with AI.
However I've only ever used regular dashes. How do you type an em-dash? Is it OS specific? I've taken to using Emacs insert-char with a list of frequently used ones in my scratch buffer. My memory for Unicode is unreliable.
topgrain2 18 minutes ago [-]
Keyboard layout specific. Macs with their default English layout use “option-shift-dash” which is really easy to remember (and relatively discoverable, as such things go) which is why using proper m-dashes (not just double-dashes) used to be a strong indicator a poster was using a Mac, before LLMs took the character over.
On iOS you type it by pressing dash and holding until alternative options come up, same way you type e.g. accented characters.
xp84 24 minutes ago [-]
Macs have a native way to do dashes: option- hyphen for en-dash and option shift hyphen for em-dash. On Windows there are some application-specific ways that make sense, e.g. in Office, but outside that you’re on your own and have to use the “hold alt and type the character codes” method! Or charmap.
VectorLock 47 minutes ago [-]
Code switching in the post LLM era.
sva_ 1 hours ago [-]
I propose that humans use Unicode U+2E3B three em dash ⸻ it is an impressively long character.
deadbabe 31 minutes ago [-]
let’s market it as “human dash”
And if it ever catches on with LLMs ⸻⸻ we just make it longer
nativeit 45 minutes ago [-]
I still use them frequently. On iOS you just tap the hyphen twice, and it inserts an em dash—sorta like that.
Barbing 1 hours ago [-]
I might like to see a collection of pre-2022 em-dash usage—a subset I suppose of the Low Background Steel category (https://lowbackgroundsteel.ai).
Dumblydorr 1 hours ago [-]
It’s so they don’t train on AI data, right?
sureMan6 1 hours ago [-]
You completely misunderstanding the comment feels like an AI trigger
timcobb 34 minutes ago [-]
The question is whether the m-dashes are surrounded by spaces or not. The spaces are utterly maddening. But yeah, RIP the mdash, who would have thought.
Tiberium 3 hours ago [-]
Are they all actually 0-day? I think a lot of them are from disclosed CVEs/code that were already fixed upstream. It often seems like the term "0-day" has lost most of its meaning today and people often use it to refer to any exploits.
tempest_ 3 hours ago [-]
Repo claims
> A single archive of public exploit PoCs and vulnerability research writeups. At the time I post these, none have been reported. Feel free to report them yourself and take credit for the CVE if handed out lulz. Please do not abuse these. I do this so to allure people into the field, and I've always found this is the most efficient way.
Which is roughly the definition of zero day. Whether the contents of the repo reflect the above claim is something else entirely.
tyre 2 hours ago [-]
> Please do not abuse these.
Reminds me of Jamie Wolf's joke about bestiality laws. Who are those for? What stops most people from bestiality is… not wanting to have sex with animals! For people who do want to, what, they won't because of… the law??
Who will this comment stop??
GTP 2 hours ago [-]
Well, it's a joke because the problem becomes apparent after you think a bit about it. The exact same reasonig can be applied to anything illegal, criminals are criminals because they don't respect the law, so you could try to say that laws are useless. Reality is, if something is illegal not only someone can be punished after the fact, but in some cases also preventive measures can be taken.
Regarding the comment, it isn't going to stop anyone. Most people will not do cybercrime because they're honest. Of the remaining, the risk of being sentenced to jail time will instead stop some people, even if not all of them.
BoxFour 2 hours ago [-]
Those seem like two different scenarios though, right?
The point of beastiality laws are to give society some recourse to punish people who abuse animals.
There was a very famous case back in Washington state back in the early 2000s where a group of men were sexually abusing horses. It was uncovered because one of them died, and the other could only be charged with trespassing because it wasn't illegal at the time to sexually abuse animals.
jldl805 2 hours ago [-]
The laws are to punish the act once discovered. Not to inhibit it, primarily. Which I suppose cuts down on the incidence of the act in the long run,
ElFitz 59 minutes ago [-]
That’s one school of thought. Law as a tool to punish those who have committed a prohibited act, mostly reactive.
Others consider law a way of encoding the group’s existing rules and norms.
In that view, making something illegal or mandatory is not a prerequisite for punishment: it’s the actual main point.
The threat of punishment is meant for those not deterred from an act by the simple fact it is illegal (and the threat only works if enforced).
Others put it the other way around, and see law as social engineering, a way to shape the group, either through the encoding itself of the desired behaviours in law, or through deterrence. Or both. If what one is after is either power or legitimacy, they need compliance more than punishment (can’t rule once you’ve chopped everyone’s heads off, or once the mob has put yours on a spike).
It’s also sometimes used as coordination (which side of the road we drive on).
And there’s also law as dispute resolution (if your neighbour’s hen lays an egg in your garden, who does it belong to? Yes, it’s ridiculous. Yes, some places have one or more laws for that). Which, incidentally, both requires and provides legitimacy. Funny, that.
And probably many other kinds / points of view, with many different purposes, intents, and mechanisms.
Anyway, all that to say law is vast, fascinating, and utterly tedious. And apologies for the tangent.
utopiah 2 hours ago [-]
If it stops even just 1 person once, isn't it already worth it?
seanclayton 2 hours ago [-]
> Who are those for?
The people who want to see the people doing bestiality punished
chaboud 1 hours ago [-]
I don't want to "see" any of it...
nostrademons 2 hours ago [-]
The jury, maybe.
PKop 2 hours ago [-]
Either the fear of the consequences of breaking the law, or that the most effective way to reduce crime is to remove criminals from the population so over time these people being in jail or worse decreases the crime rate. They don't have to care about breaking laws in the abstract for the law, properly enforced, to reduce crime.
pooploop64 1 hours ago [-]
RCE has no meaning either in these situations. The "remote" part is usually an ssh root session if it means anything at all.
drob518 2 hours ago [-]
There is going to be a flurry of this sort of stuff as the AIs get smart enough to find them. It will naturally die down as the legitimate ones are fixed. Yes, there will always be some level of this, but I’d expect it to be low and the exploits found to be increasingly complex. This is a time of transition.
utopiah 2 hours ago [-]
> a flurry of this sort of stuff as the AIs get smart enough to find them.
I really think this characterization is misleading. It's not "getting smart", only more tailored toward a specific usage, better curated dataset, better harness, better prompts, better labeling of results, documentation of failures and success, etc.
The outcome is (hopefully) overall better but this anthropomorphized wording makes it sound like AI itself is somehow changing or evolving. No, both academia doing fundamental research, industry making it available commercially, and finally security researchers making the entire tooling and process packaged as a service are actively shaping it to make it better. There is no "it".
handoflixue 2 hours ago [-]
Do you have a definition of "smart" such that there is something an AI could do to prove itself intelligent?
Or are you just defining "fast" as something only horses can do, and considering that a useful insight about cars?
slopinthebag 1 hours ago [-]
A future AI may be intelligent, but LLMs are clearly not. They have no agency, no ability to reason, and no world model. The most effective way to use them is to treat them as next token prediction machines, because that’s what they are.
drob518 2 hours ago [-]
Yes, of course. I’m definitely anthropomorphizing as a shorthand. I’m the first one to say that these models are just a lot of matrix math.
jMyles 2 hours ago [-]
> It will naturally die down as the legitimate ones are fixed.
Seems like we're already in the middle of this phase, but rather than dying down, the 'reports' have just gotten more noisy and obtuse, making it more difficult to establish the actual degree of threat / attack vector.
justacrow 2 hours ago [-]
And if you are a state agency who'd like to keep the undisclosed zero-days you rely on secret, spamming maintainers with reports makes sense.
As a bonus if you find any actual zero-days in your mass-generated ones you don't report it and get a new one to play with.
alwa 1 hours ago [-]
I mean. Makes sense until adversary states start walking through the same doors you’re using. At which point you might regret that maintainers are too flooded to deal with it.
Assuming, of course, said state agency is operating under sufficiently strategic governance and management…
juleiie 57 minutes ago [-]
Honestly execution complexity is over time becoming a lower and lower barrier too.
ok123456 2 hours ago [-]
Pretty unimpressive as security vulnerabilities. It would be better to just say these are simple bugs for the most part.
unnouinceput 2 hours ago [-]
all vulnerabilities are just bugs.
GTP 2 hours ago [-]
Vulns are a subset of bugs. What the above commenter is saying, is that some bugs don't belong to this category.
stonogo 2 hours ago [-]
But not the other way around, which makes them different.
void-star 9 minutes ago [-]
Actually, Mudge of the l0pht (and later DARPA) once famously made the claim that all bugs are security issues waiting to be exploited in some way (I’m probably paraphrasing). I kind of agree. Although, the bugs on this dump are indeed mostly pretty lame, which is exactly what I’ve seen you get a lot of when you let an llm go bug hunting with no human vetting and confirmation in the loop.
It’s possible/likely that whomever is running this experiment is keeping the non slop bugs to themselves. It’s probably what I’d do.
xlayn 1 hours ago [-]
I want to rush to git clone, but as things are, the odds are extremely high that this kind of things that are too good to be real are honeypots and something there will compromise your machine or make your llm start working for someone else...
midtake 3 minutes ago [-]
You can just download the zip over HTTPS
GTP 1 hours ago [-]
Then, don't rush and take a few minutes to set up a virtual machine.
IncreasePosts 50 minutes ago [-]
What about all the virtual machine zero days?
victorbjorklund 23 minutes ago [-]
Buy a VM in the cloud?
kodareef5 2 hours ago [-]
trying something new? this is interesting. the problem is that submitting reports is too slow. if you find one then your not supposed to share. but then over the next 90 days you learn no one cares and 13 other people submitted it before you, 43 after. maybe better that we just know. so we can run code we can trust sooner. zero is the proper number of dependencies. otherwise assume its broken.
bassiee 2 hours ago [-]
I also have a library of bugs I found using Claude Opus 4.8 through the Customer Verification Program. Undisclosed, Atp I dont even know if they have been found by someone else. But just like this repo
Theres a bunch of very specific scenario DoS bugs, buffer over/ underflows, that will get caught by ASLR and whatnot
When I report serious ones, mostly the devs will respond with something like, yeah, thats how we designed it in a dangerous way, so that the layer above or below can solve the issues, and other footgun stuff.
merelydev 3 hours ago [-]
Most of the exploits are for opensource/free software.
I don't know what methods where used to find these exploits but I am starting to think security through obscurity might not be a bad thing in this day and age, where someone can just let bots loose on your codebase.
serf 3 hours ago [-]
llms are fantastic disassembly partners, they're quite good at labeling functions from various dissassemblers -- the net losses from losing the benefits of open source , imo , outweigh the protection afforded by hiding your source code in yet another layer that is more and more easily unrolled through automated procedures.
blensor 3 hours ago [-]
And isn't it also mostly a transitioning issue. Those open codebases will be constantly scanned for potential security issues and getting more and more hardened.
There are probably a lot of easy wins that are going to be discovered over the next few years but it should taper out after a while.
merelydev 3 hours ago [-]
Fair point but it assumes we all have access to LLMs with the same capabilities.
yjftsjthsd-h 3 hours ago [-]
I don't think that's exactly it. OSS only needs someone to have a strong LLM to check for bugs. If your software is proprietary, it's a competition between just you and whatever model you have vs any attacker and whatever model they can lay hand to.
GTP 2 hours ago [-]
I don't see the difference.
> OSS only needs someone to have a strong LLM to check for bugs.
The same applies to propietary, closed-source code. It being closed-source means that the source isn't generally available, but the executable is. Hence, someone with a strong model can still reverse it and find vulns.
3 hours ago [-]
spongebobstoes 3 hours ago [-]
disassembly only applies to client side software
something like nginx could arguably be more secure if it was closed source
(I am a proponent of and contributor to open source)
gpm 3 hours ago [-]
Only until a single server running nginx is hacked and the binary leaked though...
Hizonner 3 hours ago [-]
Um, the nginx binary would have to be in the hands of hundreds of thousands of server operators. And the set of server operators is rich in the kind of person who would attack it. Not to mention the huge number of leaks you'd get.
Maybe if it's some server-side software that you only use yourself...
maxloh 3 hours ago [-]
Open source is a good thing, but I don't think what you are proposing is accurate.
A different way to frame this would be that those bugs would never be surfaced or exploited if the software were proprietary.
derektank 2 hours ago [-]
Presumably, one could let the bots loose on your own codebase first. The question is one of financing of course. If your end users are enterprises willing to pay for a support contract, they probably care enough about not getting hacked to endure the higher prices that would let you throw enough tokens at the problem. Other open-source projects might have a harder time.
grayhatter 2 hours ago [-]
> I don't know what methods where used to find these exploits but I am starting to think security through obscurity might not be a bad thing in this day and age, where someone can just let bots loose on your codebase.
I'd love to hear why you think obscurity is bad, if you now think maybe it's good in the LLM age?
I'd also be interested if you could describe exactly what or how you think security through obscurity works, or doesn't?
I've been thinking a lot about how to better teach this concept, so I'm looking to understand exactly how everyone thinks/understands how it currently works, or should work, or what it should do. I don't care about the "correct" answer, (I have ddg too :P) I'm interested in general expectations from SWE's that I might teach at work, instead of opinions of security eng speaking about theory.
GTP 1 hours ago [-]
Security through obscurity can make something a bit more secure in practice by annoying an attacker IF AND ONLY IF you're not relying on the hidden information remaining secret in order to the system remaining secure. E.g., if you're using a broken cipher and assume this is ok because no one knows which cipher you're using, you're gonna have a bad time.
In the case of FOSS software, it is generally recognized that the small advantage of keeping the source secret is far outweighted by the contributions and vuln reports you get if you publish the source.
merelydev 2 hours ago [-]
"one ought to design systems under the assumption that the enemy will immediately gain full familiarity with them" - Claude Shannon
> starting to think security through obscurity might not be a bad thing
merelydev 56 minutes ago [-]
Because of asymmetric differences, I don't have access to powerful LLMs but attackers might. And also the complexities of software dependencies (supply chain vulnerabilities), my software depends on packages not in my control and I don't have time to audit the entire stack.
throwaway613746 3 hours ago [-]
[dead]
jdw64 3 hours ago [-]
I'm going through each one, and it's fascinating to see things like this. The UAF principle in c-ares is really interesting.
The problem ultimately came from not being able to prevent stale pointers. The attack works by figuring out the size of the stale pointer, then spraying memory with data of the same size, and finally achieving RCE (Remote Code Execution). How do people even come up with ideas like this?
jdw64 3 hours ago [-]
But do people actually find these vulnerabilities on their own, or are they using LLMs? I was curious about how these vulnerabilities work, so I tried asking my dear friend Mr. CLAUDE, but he immediately threw an error and ended the session because it was a cybersecurity question. Enterprise APIs block even the analysis itself, so it's amazing that people can actually pull this off in practice.
nicce 1 hours ago [-]
People have always used tools. Some people have better tools than others. I guess the line is thin whether they found on their own or not.
raesene9 1 hours ago [-]
If you want to chat with Claude about this, I'd recommend using Opus 4.6. IME it's happy to talk about (and even write) PoC exploits
lacoolj 2 hours ago [-]
I imagine this is a large open model like GLM5.2 etc
jeffbee 2 hours ago [-]
le sigh, c-ares. Very predictable outcome. If you ever find yourself entertaining the idea that you will simply write non-blocking network protocol stacks in C with manual lifetime management, slap yourself. It doesn't matter if you think you are a super genius of unimpeachable taste. The job is impossible.
jdw64 2 hours ago [-]
Thank goodness I use a GC language
mrbluecoat 3 hours ago [-]
A surprising amount of documentation if the actor was just LLM-dropping these..
Retr0id 2 hours ago [-]
Why is that surprising? LLMs can churn out arbitrary volumes of "documentation" in an instant.
dawnerd 2 hours ago [-]
That seems trivial for an llm to provide.
hypercain 1 hours ago [-]
Mythos has been achieved internally
icase 26 minutes ago [-]
oh-days for days
2 hours ago [-]
functionmouse 3 hours ago [-]
we have got to stop putting our bank accounts and SSNs on computers
ryandrake 2 hours ago [-]
We need our infrastructure to stop treating bank account numbers and social security numbers as secrets. At least in the US, bank account numbers appear on physical checks and are required to be shared in order to do an ACH transfer, and a social security number is not supposed to be used as an identifier (unless to the Social Security Administration itself) or as a secret password.
Ideally, nothing nefarious should happen if both of them were listed and queryable publicly.
silversmith 2 hours ago [-]
Hang on, can you actually do something nefarious with just the bank account number?
ryandrake 2 hours ago [-]
If someone has your bank account and bank’s routing number (which is also not secret), they can make fraudulent ACH transfers and payments from your account. Of course it will most likely be caught as fraud some time after the fact, but just those two bits of not-secret info are enough to grief someone.
I think people may miss the point of a repo like this. Individually these are small puzzle pieces that can't do anything. Put them all in one place and it becomes easier to pick up pieces and try them together to see if they fit and build something bigger. Get enough pieces to fit together and you actually have something. This is the 'FOUO' idea in security. Enough open information gathered together in one place crosses the boundary from 'just public info' to 'secret stuff here!'. Now we have automatic puzzle solvers (coding assistants) a repo like this becomes a lot more meaningful.
esikich 2 hours ago [-]
Yep and typically none of this is meaningful unless you have no security practices at all. You can't have it both ways. Every security team says these things are all critical even though, for example, it's only being used internally. Cool, so you somehow have our network cert, are on site physically, have compromised a laptop fully without all of our tools detecting weird shit, have a password, admin access to the repo, somehow are spoofing MFA, etc etc. Yeah it all adds up, but as an admin I'm just fucking done dropping everything for these kinds of things.
johnwheeler 2 hours ago [-]
That's one way to do it.
grayhatter 2 hours ago [-]
> At the time I post these, none have been reported. Feel free to report them yourself and take credit for the CVE if handed out lulz. I do this so to allure people into the field, and I've always found this is the most efficient way.
I've been a skiddy, he would have believed this. Thankfully, I've grown a bit, and can see this for the transparent, "I'm angry and want to hurt others so I will feel a little less alone", it actually is.
I'm sorry you're so angry dude (me too), but as someone who's joined the blue side, we'd appreciate it if you gave us some kind of heads up, the bad guys generally have a lot more time to scroll for new payloads than I do. Not all of us deserve the kindness of a heads up, but every single one of our users deserve it. Don't punish them because you're mad at someone else.
You can flex on the idiots you're trying to flex on, without hurting people. Even an email to security@[that_project_domain] saying "hey, I've published these" would move you from the group of people I see making the world worse, into the group making it better. (You don't have to, obviously, but making the whole world worse wont make you less angry.)
sellmesoap 41 minutes ago [-]
User/admin discretion for software they use should be a big factor, sometimes getting burned is how you learn to play with fire. Or decide that having your data/participation disrespected means you need to set harder boundaries. My solution is to try things in isolation, run very few services, try to avoid becoming dependent on the online, appreciate the offline and local first.
voodooEntity 2 hours ago [-]
While i can follow your path, maybe because i see the same, i sadly have seen in groups of friends how this can go sideways very fast. If you report things, some companies gone treat you as a criminal/offensive actor and even go legal actions against you even you just tellem here you got this vuln.
Sure you than can do it anonymous and so on but point is : its not like every actor that gets notified will react thankful to it. Some even just ignore it.
esikich 1 hours ago [-]
How bad are your security practices that these tiny obscure things matter? None of these findings that show up here on HN should even make you flinch. The alarmist takes on this stuff is fucking exhausting and I'm tired of security teams bugging me about it. Do your job and this shit doesn't matter AT ALL.
grayhatter 57 minutes ago [-]
I said "doesn't matter" to someone once... the resulting lesson came in the form of a reply from the whitehat researcher (waves, hi brian!) a 16step exploit chain resulting in a one click full account takeover.
I'm equally annoyed and over the alarmist takes. But I don't think it's fair to group mine into it. I'm annoyed at seeing discard respect for others into the same void everyone is happy to toss quality.
Do these tiny things matter? No, not to the default-panic-level everyone adopts when they see 0day, or CVE... but duh, I'm now just repeating exactly what you already said. That no, for the record is mostly because I don't use any of these, not just because they're boring exploits. While I always look, I default assume anything CVE is boring/pointless. But I still read them.
But then, I'm not trying to convince the owner of the repo. I'm trying to discourage the theme among researchers that "no one cares", because I have seen researchers disclose bugs publicly, that we'd be eager to pay out on, because they disagreed with the decision on their last report.
I've fixed bugs being actively exploited against our users, that was found/fixed only after a whitehat report for something adjacent (we pay on those btw, and you should too). I don't wanna live in the world where it's easier for the bad guys, the only way we get there is once "everyone knows", you gotta report the all bugs that you can turn into an exploit. I don't want "the whitehat researcher culture" to move towards, who cares' dump the PoC on github, screw anyone that could be hurt by the bad guys, they deserve to be punished for the incompetence of others. SWE's are shit at security, security researchers are shit at SWE, the only way we get the good outcome, is if they're willing (and encouraged) to work together.
esikich 21 minutes ago [-]
No one is doing 16 step exploits unless you're a huge target in some way. 0.0000001% of companies fit that bill. And even then, ok, what did they get? An account login? What are they doing to do? Read email? Then what? "Use it for social engineering"? Who cares, you have MFA right? You have a firewall? You don't allow people to randomly jump from box to box via RDP? You have basic security and auditing on your fileshares? EVEN THEN, what, they get a spreadsheet from your last town hall meeting? I'm also tired of pretending that 99.999% of the data in a company even matters. Unless they have some way to cryptolock your whole company, AND you don't have backups/snapshots without any basic access security, there isn't a lot of value to be taken. Security "teams" are a bunch of fucking busybodies with nothing to do. Pay for a competent admin team and the security dept is completely redundant and useless.
DANmode 39 minutes ago [-]
That’s a whole lot of “we” to not mention which company you’re at that supposedly plays well with security researchers/has a proper bug bounty.
cubefox 12 minutes ago [-]
Even if the company doesn't have a big bounty publishing exploit code without warning them is unethical. Moreover, a lot of these projects are FOSS without a company which could pay bug bounties.
tliltocatl 3 hours ago [-]
A friendly reminder that a 0-day is a vulnerability that wasn't known until after a malicious actor exploited it. If someone publishes a PoC, it is not a 0-day, just a vulnerability.
Retr0id 2 hours ago [-]
No, the days start counting from the availability of a patch.
rmast 2 hours ago [-]
I was thinking that the other definition was right and this correction was wrong.
Then I did some searching and found multiple examples of both definitions in use, making things murky.
So I turned to Merriam-Webster’s dictionary: “ of, relating to, or being a vulnerability (as in a computer or computer system) that is discovered and exploited (as by cybercriminals) before it is known to or addressed by the maker or vendor”
And of course they use an “or” to make it ambiguous as to whether the days start counting when the vulnerability becomes known, or when the vendor has addressed it.
0123456789ABCDE 1 hours ago [-]
what if a path is never released?
richbell 2 hours ago [-]
I've only heard it used as Retr0id's definition.
cubefox 19 minutes ago [-]
> A friendly reminder that a 0-day is a vulnerability that wasn't known until after a malicious actor exploited it.
No, the full name was always "zero-day exploit". The number 0 refers to the days between the vulnerability being known by the vendor and the public availability of the exploit. So the vendor has zero days to create a security patch before the release of the exploit.
The term "zero-day vulnerability" is a derived term to refer to a vulnerability affected by a zero-day exploit. Similarly, a "zero-day attack" is a derived term to refer to an attack carried out using a zero-day exploit.
ohadkr 3 hours ago [-]
Open source is the best
jiug 2 hours ago [-]
"Cibercrime is cringe"
yuvrajsa 1 hours ago [-]
[flagged]
haberdasher 2 hours ago [-]
"cybercrime is cringe"
segmondy 2 hours ago [-]
What if this person is from an AI lab that really wants the govt to keep suppressing Mythos/Fable & GPT5.6? It's what I would do, the timing couldn't be any better.
0123456789ABCDE 2 hours ago [-]
wouldn't it be trivial to match the repo to the user logs?
Rendered at 18:46:00 GMT+0000 (Coordinated Universal Time) with Vercel.
The first requires being able to overwrite binaries in the Swift tool directory. Yes, if you overwrite binaries executed by ghidra, you can trigger code execution. This is not a surprise.
The second, idk, I'm not familiar with TraceRMI (but it's probably worth noting that "RMI" stands for Remote Method Invocation).
The third is not a vulnerability in the slightest, they just demonstrate that native 7zip parsing code is reachable. Maybe there is a bug in the 7zip parser, but without that it's meaningless.
The biggest mitigation is that gitea documentation discourages you from using action runners from untrusted users. Not flawless security, but it's something...
This recommendation seems incompatible with third-party collaboration, at least on its face!
> but it's probably worth noting that "RMI" stands for Remote Method Invocation
This reminds me of someone submitting a (clearly vibecoded) vulnerability report claiming to have found a way to execute arbitrary SQL. The project in question? An SQL server... https://github.com/tursodatabase/turso/pull/4322
Does it? Or does it need to be in the same directory you invoked ghidra?
After a bit of research, the Firefox one seems plausible to me. But, I haven't actually tried the POC. The explanation about the private-data and untrusted-input flags is plausible but I'm not an expert on Firefox's internals, maybe that's not actually how it works.
This just sucks, all around. Are we going to need every open source project gawking at the same repo full of stuff that has nothing to do with them, on the off chance that someone discloses a vuln that does have to do with them? Is this some kind of performative complaint about high friction in responsible disclosure? Well great job dickhead, you've just made a system that's even worse. Nobody benefits from this. Yuck yuck yuck.
Disclosures always enable more secure software to theoretically exist,
even if nobody follows through creating it.
They often do.
Maybe I'm projecting my own biases ;-)
The nghttp2 nghttpx one is more interesting, and could potentially be used for phishing, but it's very hard to line up properly because the request queue is non-deterministic so basically impossible to target a specific victim (assuming proxy traffic).
The VLC one is just a straight-up crash/bug. And VLC crashes all the time when using weird codecs, so that's nothing new.
Am I missing something here?
So maybe tweaking your usage (ex. no spaces around them) or using a technically incorrect en-dash might offer the desired effect while subtly signaling that your message isn't AI-generated.
I still use them — mostly for pauses — but I'd like to think my voice sounds distinct enough from an AI that people can tell.
(disclaimer: I feel like this obsession with dashes is special to native English speakers, which I'm obviously not)
However I've only ever used regular dashes. How do you type an em-dash? Is it OS specific? I've taken to using Emacs insert-char with a list of frequently used ones in my scratch buffer. My memory for Unicode is unreliable.
On iOS you type it by pressing dash and holding until alternative options come up, same way you type e.g. accented characters.
And if it ever catches on with LLMs ⸻⸻ we just make it longer
> A single archive of public exploit PoCs and vulnerability research writeups. At the time I post these, none have been reported. Feel free to report them yourself and take credit for the CVE if handed out lulz. Please do not abuse these. I do this so to allure people into the field, and I've always found this is the most efficient way.
Which is roughly the definition of zero day. Whether the contents of the repo reflect the above claim is something else entirely.
Reminds me of Jamie Wolf's joke about bestiality laws. Who are those for? What stops most people from bestiality is… not wanting to have sex with animals! For people who do want to, what, they won't because of… the law??
Who will this comment stop??
Regarding the comment, it isn't going to stop anyone. Most people will not do cybercrime because they're honest. Of the remaining, the risk of being sentenced to jail time will instead stop some people, even if not all of them.
The point of beastiality laws are to give society some recourse to punish people who abuse animals.
There was a very famous case back in Washington state back in the early 2000s where a group of men were sexually abusing horses. It was uncovered because one of them died, and the other could only be charged with trespassing because it wasn't illegal at the time to sexually abuse animals.
Others consider law a way of encoding the group’s existing rules and norms.
In that view, making something illegal or mandatory is not a prerequisite for punishment: it’s the actual main point.
The threat of punishment is meant for those not deterred from an act by the simple fact it is illegal (and the threat only works if enforced).
Others put it the other way around, and see law as social engineering, a way to shape the group, either through the encoding itself of the desired behaviours in law, or through deterrence. Or both. If what one is after is either power or legitimacy, they need compliance more than punishment (can’t rule once you’ve chopped everyone’s heads off, or once the mob has put yours on a spike).
It’s also sometimes used as coordination (which side of the road we drive on).
And there’s also law as dispute resolution (if your neighbour’s hen lays an egg in your garden, who does it belong to? Yes, it’s ridiculous. Yes, some places have one or more laws for that). Which, incidentally, both requires and provides legitimacy. Funny, that.
And probably many other kinds / points of view, with many different purposes, intents, and mechanisms.
Anyway, all that to say law is vast, fascinating, and utterly tedious. And apologies for the tangent.
The people who want to see the people doing bestiality punished
I really think this characterization is misleading. It's not "getting smart", only more tailored toward a specific usage, better curated dataset, better harness, better prompts, better labeling of results, documentation of failures and success, etc.
The outcome is (hopefully) overall better but this anthropomorphized wording makes it sound like AI itself is somehow changing or evolving. No, both academia doing fundamental research, industry making it available commercially, and finally security researchers making the entire tooling and process packaged as a service are actively shaping it to make it better. There is no "it".
Or are you just defining "fast" as something only horses can do, and considering that a useful insight about cars?
Seems like we're already in the middle of this phase, but rather than dying down, the 'reports' have just gotten more noisy and obtuse, making it more difficult to establish the actual degree of threat / attack vector.
As a bonus if you find any actual zero-days in your mass-generated ones you don't report it and get a new one to play with.
Assuming, of course, said state agency is operating under sufficiently strategic governance and management…
It’s possible/likely that whomever is running this experiment is keeping the non slop bugs to themselves. It’s probably what I’d do.
Theres a bunch of very specific scenario DoS bugs, buffer over/ underflows, that will get caught by ASLR and whatnot
When I report serious ones, mostly the devs will respond with something like, yeah, thats how we designed it in a dangerous way, so that the layer above or below can solve the issues, and other footgun stuff.
I don't know what methods where used to find these exploits but I am starting to think security through obscurity might not be a bad thing in this day and age, where someone can just let bots loose on your codebase.
> OSS only needs someone to have a strong LLM to check for bugs.
The same applies to propietary, closed-source code. It being closed-source means that the source isn't generally available, but the executable is. Hence, someone with a strong model can still reverse it and find vulns.
something like nginx could arguably be more secure if it was closed source
(I am a proponent of and contributor to open source)
Maybe if it's some server-side software that you only use yourself...
A different way to frame this would be that those bugs would never be surfaced or exploited if the software were proprietary.
I'd love to hear why you think obscurity is bad, if you now think maybe it's good in the LLM age?
I'd also be interested if you could describe exactly what or how you think security through obscurity works, or doesn't?
I've been thinking a lot about how to better teach this concept, so I'm looking to understand exactly how everyone thinks/understands how it currently works, or should work, or what it should do. I don't care about the "correct" answer, (I have ddg too :P) I'm interested in general expectations from SWE's that I might teach at work, instead of opinions of security eng speaking about theory.
In the case of FOSS software, it is generally recognized that the small advantage of keeping the source secret is far outweighted by the contributions and vuln reports you get if you publish the source.
https://en.wikipedia.org/wiki/Kerckhoffs%27s_principle
> starting to think security through obscurity might not be a bad thing
The problem ultimately came from not being able to prevent stale pointers. The attack works by figuring out the size of the stale pointer, then spraying memory with data of the same size, and finally achieving RCE (Remote Code Execution). How do people even come up with ideas like this?
Ideally, nothing nefarious should happen if both of them were listed and queryable publicly.
Many French people with crypto money experienced that the hard way recently.
In short, it's a very active and growing activity. Many data leaks helped people to identify wealthy targets. Some just brag about having crypto.
https://www.lemonde.fr/societe/article/2026/04/24/enlevement...
https://www.franceinfo.fr/faits-divers/cryptomonnaies-la-vag...
https://www.lemonde.fr/societe/article/2025/08/19/l-ascensio... (paywall)
https://www.slate.fr/societe/enlevements-lies-cryptomonnaies...
Some random recent ones we know about:
https://france3-regions.franceinfo.fr/grand-est/haut-rhin/mu...
https://www.leparisien.fr/faits-divers/renseignes-par-des-ha...
I've been a skiddy, he would have believed this. Thankfully, I've grown a bit, and can see this for the transparent, "I'm angry and want to hurt others so I will feel a little less alone", it actually is.
I'm sorry you're so angry dude (me too), but as someone who's joined the blue side, we'd appreciate it if you gave us some kind of heads up, the bad guys generally have a lot more time to scroll for new payloads than I do. Not all of us deserve the kindness of a heads up, but every single one of our users deserve it. Don't punish them because you're mad at someone else.
You can flex on the idiots you're trying to flex on, without hurting people. Even an email to security@[that_project_domain] saying "hey, I've published these" would move you from the group of people I see making the world worse, into the group making it better. (You don't have to, obviously, but making the whole world worse wont make you less angry.)
Sure you than can do it anonymous and so on but point is : its not like every actor that gets notified will react thankful to it. Some even just ignore it.
I'm equally annoyed and over the alarmist takes. But I don't think it's fair to group mine into it. I'm annoyed at seeing discard respect for others into the same void everyone is happy to toss quality.
Do these tiny things matter? No, not to the default-panic-level everyone adopts when they see 0day, or CVE... but duh, I'm now just repeating exactly what you already said. That no, for the record is mostly because I don't use any of these, not just because they're boring exploits. While I always look, I default assume anything CVE is boring/pointless. But I still read them.
But then, I'm not trying to convince the owner of the repo. I'm trying to discourage the theme among researchers that "no one cares", because I have seen researchers disclose bugs publicly, that we'd be eager to pay out on, because they disagreed with the decision on their last report.
I've fixed bugs being actively exploited against our users, that was found/fixed only after a whitehat report for something adjacent (we pay on those btw, and you should too). I don't wanna live in the world where it's easier for the bad guys, the only way we get there is once "everyone knows", you gotta report the all bugs that you can turn into an exploit. I don't want "the whitehat researcher culture" to move towards, who cares' dump the PoC on github, screw anyone that could be hurt by the bad guys, they deserve to be punished for the incompetence of others. SWE's are shit at security, security researchers are shit at SWE, the only way we get the good outcome, is if they're willing (and encouraged) to work together.
Then I did some searching and found multiple examples of both definitions in use, making things murky.
So I turned to Merriam-Webster’s dictionary: “ of, relating to, or being a vulnerability (as in a computer or computer system) that is discovered and exploited (as by cybercriminals) before it is known to or addressed by the maker or vendor”
And of course they use an “or” to make it ambiguous as to whether the days start counting when the vulnerability becomes known, or when the vendor has addressed it.
No, the full name was always "zero-day exploit". The number 0 refers to the days between the vulnerability being known by the vendor and the public availability of the exploit. So the vendor has zero days to create a security patch before the release of the exploit.
The term "zero-day vulnerability" is a derived term to refer to a vulnerability affected by a zero-day exploit. Similarly, a "zero-day attack" is a derived term to refer to an attack carried out using a zero-day exploit.