Vulnerabilities

Learn more about vulnerabilities and exploits from our dedicated security team and others.

Responsible disclosure: the impact of vulnerability disclosure on open source security

It’s a common mistake to think that once a vulnerability is found, the responsible thing to do is to make it widely known as soon as possible. The truth is quite the opposite. Responsible vulnerability disclosure is a disclosure model commonly used in the cybersecurity world where 0-day vulnerabilities are first disclosed privately, thus allowing code […]

April 7, 2020

Vulnerable Gradle plugin-publish plugin reveals sensitive information

Just a few days ago, on March 27, a security vulnerability was disclosed and published — CVE-2020-7599 — in Gradle’s plugin-publish plugin. The vulnerability affects all versions of the package below 0.11.0. It was found on March 4 by Danny Thomas, Developer Productivity at Netflix, and reported to Gradle straight away. […]

March 31, 2020

Exploring the minimist prototype pollution security vulnerability

On March 11th, 2020, Snyk published a medium severity prototype pollution security vulnerability (CVE-2020-7598) affecting the minimist npm package. This is part of ongoing research by the Snyk security research team, which has previously uncovered similar vulnerabilities in other high-profile JavaScript libraries such as lodash and jQuery. The current research by the Snyk team […]

March 26, 2020

Django security tips

Lucky you, you user of the web framework for perfectionists with deadlines (AKA Django). The Django team has put a lot of thought into their security practice (see the security features in their documentation; their security policy is interesting too). We have summarized some of the best tips to keep your Django project secure. Download […]

March 24, 2020

What is a backdoor? Let’s build one with Node.js

A backdoor in our code that can perform OS command injection is one of the scariest scenarios imaginable. Currently, npm has more than 1.2M public packages available. For the last 3 years, our dependencies have become the perfect target for cybercriminals. We saw many new attacks going live, like typosquatting attacks or the event-stream incident, […]

March 19, 2020

How to Detect and Remediate Kubernetes Vulnerability CVE-2019-11249

Over the past few years, Kubernetes has exploded into the tech world, becoming the most popular cloud container orchestration system. Kubernetes remains a powerful, useful open source system for developers, but, like any tool, it needs to be used carefully, and you should take steps to secure your clusters. Today we want to talk about two […]

March 11, 2020

Popular Python library, urllib3, subject to a denial of service vulnerability

Urllib3, a powerful and popular Python HTTP client, is subject to a newly discovered denial of service vulnerability. Urllib3 is used throughout the Python ecosystem, with more than 1,200 packages listing it as a dependency, including popular packages like requests, selenium, kubernetes, and more. If you have a Python project, there is a high likelihood that […]

March 8, 2020

Snyk partners with the makers of Greenkeeper to help developers proactively maintain dependency health

We’re pleased to announce the graduation of Automatic Dependency Upgrades, a Snyk Open Source capability that helps developers proactively reduce security vulnerabilities and maintain dependency health when using open source software. Automatic Dependency Upgrades is the result of an exciting new partnership between Snyk and Neighbourhoodie Software, the makers of Greenkeeper and developer […]

March 5, 2020

Ghostcat breach affects all Tomcat versions

Apache Tomcat is an open source implementation of the Java Servlet, JavaServer Pages, Java Expression Language, and Java WebSocket technologies. Tomcat is one of the most popular Java HTTP web server environments and was first released in 1998. Ghostcat is a high severity vulnerability in Tomcat discovered by the security researchers of Chaitin Tech on January […]

February 25, 2020

Security breach leaks the personal data of all 6.5 million Israeli voters

On February 7th, 2020 I received an anonymous tip through the “leak inbox” of the Israeli CyberCyber podcast.

February 12, 2020

Node.js release fixes a critical HTTP security vulnerability

A new Node.js security release was published earlier today, 6th of February, 2020, which fixes one Critical severity and two High severity issues. This release also includes stricter HTTP parsing. According to the official release notes included in the following Node.js commit: “Also, HTTP parsing is more strict to be more secure. Since this may […]

February 6, 2020