Vulnerabilities

Learn more about vulnerabilities and exploits from our dedicated security team and others.

Breaking out of message brokers

I recently reported two vulnerabilities in Apache Airflow—an open-source library that allows developers to programmatically author, schedule, and monitor workflows. Both of the vulnerabilities allow the attacker to change scope and gain privileges for a different machine, and they both rely on the attacker gaining access to the message broker before performing the attack. In […]

August 5, 2020

Prioritization on steroids with Snyk’s new Priority Score

Snyk’s new Priority Score helps to drastically simplify one of the biggest challenges in using open source securely—working out which vulnerabilities to tackle first. For most organizations, fixing all vulnerabilities is simply not feasible. Each change comes at a cost, and that cost often rises with the age and complexity of the software. The average […]

August 4, 2020

Optimizing prioritization with deep application-level context

Prioritizing vulnerability fixes is becoming increasingly difficult due to both the constant rise in the number of vulnerabilities and the complexity involved in assessing the risk they pose. Vulnerabilities are not born equal, and their risk variance is influenced by an array of objective and subjective factors. Effective prioritization depends on an accurate assessment of […]

July 28, 2020

Announcing Snyk’s developer-first prioritization capabilities

We’re excited to unveil Snyk’s developer-first prioritization capabilities, helping development and security teams prioritize fixes for security vulnerabilities in their open source dependencies and containers more effectively! Organizations today are overwhelmed by growing amounts of vulnerabilities. Since they cannot fix each and every issue instantly, they must prioritize. Effective prioritization helps organizations to stay focused […]

July 22, 2020

Helping developers prioritize the security backlog

Today, developers are increasingly stepping up to fix the vulnerabilities in their apps, which is amazing. However, when they do so, they’re faced with a long backlog of vulnerabilities. Deciding which issue to address first is hard, requiring time and security expertise developers often don’t have. This is a chance for the right tools to […]

July 22, 2020

Arbitrary File Write via Archive Extraction (Zip Slip) in go-rpmutils

Welcome to the Snyk Monthly Vulnerability Profile. In this series, Snyk looks back on the vulnerabilities discovered by or reported to our Security Research Team. We choose one noteworthy vulnerability from the past month and tell the story behind the discovery, research, and disclosure of the vulnerability. We highlight the researchers, developers, and users who […]

July 20, 2020

Demystifying HTTP request smuggling

HTTP request smuggling is an interesting vulnerability type that has gained popularity over the last year. This vulnerability could allow an attacker to leverage specific features of the HTTP/1.1 protocol in order to bypass security protections, conduct phishing attacks, as well as obtain sensitive information from requests other than their own. It should also be […]

June 30, 2020

Regular Expression Denial-of-Service in websocket-extensions

Welcome to the newest Snyk blog series! In this monthly series, Snyk looks back on the vulnerabilities discovered by or reported to our research team. We choose one noteworthy vulnerability from the past month and tell the story behind the discovery, research, and disclosure of the vulnerability. We highlight the researchers, developers, and users who are helping identify and remediate vulnerabilities across the open source community.

June 22, 2020

Why do organizations trust Snyk to win the open source security battle?

Defining and explaining the role of a proprietary security team dedicated to researching and analyzing vulnerabilities in open source ecosystems—in order to ensure open source security—is not an easy task. It’s challenging to provide a concise answer when asked the relatively simple question, “what does the security team at Snyk do?”. There is no short […]

May 27, 2020

Mitigating clickJacking—the DevSecOps way!

In the past few weeks, we got a few reports (through our bug bounty program) that some of our inner domains are vulnerable to a clickjacking attack. Of course, our main site was protected from the first day, but there were a few small subdomains that didn’t have this protection. Fixing the issue was easy […]

May 25, 2020

Snyk vulnerability disclosure program: what’s going on behind the scenes?

At Snyk we firmly believe in keeping the open source community secure. This is why we launched our responsible vulnerability disclosure program, supporting all vulnerabilities found within managed open source packages and in languages including JavaScript, Java, Python, .NET, Go, Ruby, and PHP. Why disclose vulnerabilities with Snyk? With our vulnerability disclosure practice at Snyk, […]

April 14, 2020