Overview CVE-2025-65947 identifies a critical resource leak vulnerability within the thread-amount tool, a utility designed to determine the number of threads in the current process. Versions prior to 0.2.2 exhibit resource leaks on both Windows and Apple platforms when querying thread counts. This flaw can lead to system instability and process termination if left unaddressed. Technical Details The vulnerability manifests differently on Windows and Apple platforms: Windows On Windows, the thread_amount function invokes CreateToolhelp32Snapshot to obtain a snapshot of the system’s processes and threads. However, the returned HANDLE is not properly closed using CloseHandle. Consequently, repeated calls to thread_amount result…

Overview CVE-2025-65946 identifies a high-severity vulnerability in Roo Code, an AI-powered autonomous coding agent designed to assist developers within their code editors. Prior to version 3.26.7, a flaw in the validation process allowed Roo Code to execute commands that did not adhere to the defined allow list prefixes. This could potentially allow a malicious actor to inject and execute arbitrary code within the user’s environment. Technical Details The vulnerability stems from insufficient input validation of commands executed by Roo Code. Specifically, the application failed to properly enforce the allow list prefixes designed to restrict the types of commands that Roo…

Overview CVE-2025-12888 describes a vulnerability affecting constant-time cryptographic implementations of X25519, particularly when used on Xtensa-based ESP32 chips. This vulnerability stems from timing side-channels introduced by compiler optimizations and inherent CPU architecture limitations. Successfully exploiting this vulnerability could allow an attacker to recover secret keys by carefully analyzing the execution time of X25519 operations. Technical Details The core of the issue lies in the difficulty of achieving true constant-time execution on certain hardware platforms. Compiler optimizations, while intended to improve performance, can inadvertently introduce timing variations that are correlated with the secret key being processed. Similarly, architectural features of the…

Overview CVE-2025-11936 describes a denial-of-service (DoS) vulnerability in wolfSSL version 5.8.2. This vulnerability stems from improper input validation during the parsing of TLS 1.3 KeyShareEntry values within the ClientHello message. A remote, unauthenticated attacker can exploit this flaw by sending a specially crafted ClientHello message containing duplicate KeyShareEntry values for the same supported group. This can lead to excessive CPU and memory consumption on the server, resulting in a denial of service. Technical Details The vulnerability resides in the TLS 1.3 handshake process, specifically within the handling of the KeyShare extension in the ClientHello message. The KeyShare extension allows the…

Overview CVE-2025-11934 describes an improper input validation vulnerability found in wolfSSL versions 5.8.2 and earlier. This flaw resides in the TLS 1.3 CertificateVerify signature algorithm negotiation process. The vulnerability allows a malicious server to potentially downgrade the signature algorithm used for TLS connections, potentially weakening the security of the connection. This can occur if the server improperly negotiates a weaker signature algorithm than initially proposed by the client, even if the client supports the downgraded algorithm. Technical Details The vulnerability stems from inadequate validation during the signature algorithm negotiation phase of the TLS 1.3 handshake. Specifically, when a client advertises…

Overview CVE-2025-11933 describes a vulnerability in wolfSSL version 5.8.2 and earlier, affecting multiple platforms. This vulnerability arises from improper input validation during the parsing of the TLS 1.3 CKS (Certificate Key Share) extension. A remote, unauthenticated attacker can exploit this flaw to potentially cause a denial-of-service (DoS) condition by sending a specially crafted ClientHello message containing duplicate CKS extensions. Technical Details The vulnerability resides in the way wolfSSL handles the CKS extension during the TLS 1.3 handshake. Specifically, the code fails to adequately check for and handle duplicate instances of the CKS extension within the ClientHello message. When an attacker…

Overview CVE-2025-11932 identifies a potential vulnerability within the WolfSSL library related to the verification of the TLS 1.3 Pre-Shared Key (PSK) binder. The issue stems from the server’s prior use of a non-constant time method for PSK binder verification. This could potentially expose information about the PSK binder to attackers, potentially compromising the security of TLS 1.3 connections. Technical Details The vulnerability arises because the time taken to verify the PSK binder depends on the content of the binder itself when using a non-constant time algorithm. This timing difference, even if minuscule, can be measured by an attacker through carefully…

Overview CVE-2025-11931 is a security vulnerability affecting the XChaCha20-Poly1305 decryption function within wolfSSL. Specifically, an integer underflow can occur during the decryption process when the wc_XChaCha20Poly1305_Decrypt() function is called directly by an application. Importantly, this vulnerability is not exploitable through TLS connections, as the affected function is not used in that context. The vulnerability was published on 2025-11-21. This article provides a technical breakdown of the issue, its potential impact, and recommended mitigation strategies. Technical Details The core of CVE-2025-11931 lies in a potential integer underflow within the wc_XChaCha20Poly1305_Decrypt() function. An integer underflow occurs when an arithmetic operation results in…

Overview CVE-2025-65111 describes a vulnerability in SpiceDB, an open-source database system used for managing application permissions. This flaw, present in versions prior to 1.47.1, can cause incomplete or missing results when using the LookupResources API under specific schema configurations. This impacts the accuracy of resource discovery based on permissions but does not affect other permission check APIs. Technical Details The vulnerability arises when a SpiceDB schema includes a permission defined using a union operator (+). This union must reference the same relation on both sides, but one side of the union needs to arrow to a different permission. This specific…

Overview CVE-2025-65109 describes a Server-Side Request Forgery (SSRF) vulnerability identified in the Minder open source software supply chain security platform. This vulnerability affects Minder Helm versions prior to 0.20250203.3849+ref.fdc94f0 and Minder Go versions from 0.0.72 up to and including 0.0.83. It allows Minder users to potentially fetch content in the context of the Minder server, including URLs that the user would not normally have access to. A patch has been released to address this vulnerability. Technical Details The vulnerability stems from insufficient validation or sanitization of user-supplied input that is used to construct URLs for fetching resources. An attacker could…