HackerOne Disclosed Reports - 2025-04-27 - Printable Version
Dark C0d3rs (https://darkcoders.wiki)
Forum: Exploit Log (https://darkcoders.wiki/Forum-Exploit-Log)
Forum: Research Papers/Vulnerability reports (https://darkcoders.wiki/Forum-Research-Papers-Vulnerability-reports)
Thread: HackerOne Disclosed Reports - 2025-04-27 (/Thread-HackerOne-Disclosed-Reports-2025-04-27)
HackerOne disclosed reports - 2025-04-27 - hashXploiter - 05-02-2025
Severity: Medium (resolved)
Privilege Persistence via Cloned Agent
Bug reported by _dha was disclosed at April 30, 2025, 7:07 am | Improper Access Control - Generic
The vulnerability allowed a member to clone an agent managed by the admin by modifying the agent's unique identifier (sid). This resulted in the admin being unable to effectively disable the agent, as the cloned version could still be used by the member even after the original agent was disabled.

Severity: Medium (resolved)
Improper Session Invalidation – Auto Sign-In Without Credentials After Logout (Affects Chrome & Firefox)
Bug reported by ossama was disclosed at April 29, 2025, 2:09 pm | Insufficient Session Expiration
The session was not invalidated properly when the user logged out. Revisiting the login page allowed automatic re-authentication without user input, as the session remained active or was improperly restored across multiple browsers.

Severity: Low (resolved)
Broken Access Control Exposes Email Verification Status and Privacy Settings via API Endpoint
Bug reported by was disclosed at April 29, 2025, 12:45 pm | Improper Access Control - Generic
The /api/v1/users/{username} endpoint leaked sensitive email-related metadata, such as the user's email confirmation status and privacy settings, without proper authorization checks. This allowed attackers to determine whether an account's email address was confirmed and the user's email privacy preferences, even if the email itself was hidden.

Severity: Medium (resolved)
User Limit Bypass via Pending Invitations in Workspace System
Bug reported by Karim Belfodil was disclosed at April 29, 2025, 10:21 am | Business Logic Errors
The platform's workspace user limit was found to be vulnerable to bypass through the use of pending invitations. Users were able to join a workspace by signing up with an invited email, even after the workspace had reached its user limit for the current subscription tier. This allowed an unlimited number of users to be added to a restricted workspace, potentially impacting the platform's revenue model.

Severity: Medium (resolved)
Race Condition in Folder Creation Allows Bypassing Folder Limit
Bug reported by Ahmed Esmail was disclosed at April 29, 2025, 10:17 am | Business Logic Errors
The application enforced a hard limit of 10 folders per user under a specific space. However, due to a race condition, it was possible to bypass this limit by sending multiple folder creation requests simultaneously after deleting one folder. This allowed creating more than 10 folders, breaking the intended restriction.

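The check-then-act window behind this bypass, shown as an added example that is not code from the report or from the affected platform: an in-memory Ruby model in which every request is a Fiber that yields between its count check and its insert, so the interleaving is deterministic rather than timing-dependent. The store, the space name, the folder names and the request count are constructed for the demo; the 10-folder limit is the one the report describes.

```ruby
# Added example: deterministic model of the check-then-act race behind the
# folder-limit bypass. Each request is a Fiber that yields between its
# "check" step and its "act" step, the same window a real server opens
# between SELECT COUNT(*) and INSERT when the two are not serialized.
FOLDER_LIMIT = 10  # the per-space limit described in the report

# In-memory stand-in for the folders table: space_id => [folder names].
# Constructed for this demo; not the platform's code.
class FolderStore
  def initialize
    @folders = Hash.new { |h, k| h[k] = [] }
    @lock = Mutex.new
  end

  def count(space_id)
    @folders[space_id].size
  end

  def delete(space_id, name)
    @folders[space_id].delete(name)
  end

  # Vulnerable: the count check and the insert are separate steps and the
  # request yields in between, so every concurrent request sees the same
  # stale count and all of them pass the check.
  def create_unsafe(space_id, name)
    return :limit_reached if count(space_id) >= FOLDER_LIMIT
    Fiber.yield
    @folders[space_id] << name
    :created
  end

  # Hardened: check and insert form one atomic step under a lock (the
  # in-process analogue of SELECT ... FOR UPDATE or a database-enforced
  # limit), so no other request can interleave between them.
  def create_safe(space_id, name)
    @lock.synchronize do
      return :limit_reached if count(space_id) >= FOLDER_LIMIT
      @folders[space_id] << name
    end
    :created
  end
end

# Adversarial scheduler: every request runs its first step before any
# request runs its second, the worst case near-simultaneous requests can
# produce on a real server.
def race(store, method, space_id, n)
  fibers = Array.new(n) { |i| Fiber.new { store.send(method, space_id, "new-#{i}") } }
  fibers.each(&:resume)                     # step 1: all checks
  fibers.each { |f| f.resume if f.alive? }  # step 2: all inserts
  store.count(space_id)
end

# Reproduce the report's scenario: fill the space to the limit, delete one
# folder, then fire many creation requests at once. Returns the final count.
def folder_count_after_race(method, concurrent_requests: 20)
  store = FolderStore.new
  FOLDER_LIMIT.times { |i| store.create_safe("space-1", "existing-#{i}") }
  store.delete("space-1", "existing-0")     # one slot is now free
  race(store, method, "space-1", concurrent_requests)
end

if __FILE__ == $PROGRAM_NAME
  puts "unsafe: #{folder_count_after_race(:create_unsafe)} folders"  # 29
  puts "safe:   #{folder_count_after_race(:create_safe)} folders"    # 10
end
```

The lock is the smallest fix that closes the window inside one process; across several application servers the equivalent is a database-side guarantee (a row lock on the space, a serializable transaction, or a constraint that the database enforces), because an in-process mutex cannot see requests handled by another server.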
Severity: High (resolved)
Possible Sensitive Session Information Leak in Active Storage
Bug reported by tyage was disclosed at April 27, 2025, 10:55 pm | Information Disclosure
There was a possible sensitive session information leak in Active Storage. Active Storage incorrectly sent the user's session cookie along with a Cache-Control: public header when serving files (blobs). This allowed certain caching proxies to cache the response, including the Set-Cookie header, potentially exposing the original user's session cookie to unrelated users.

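A defensive check for the header combination this report describes, as an added example that is neither Rails code nor part of the report: a Rack-style middleware that audits each response and downgrades a shared-cache directive (public or s-maxage) whenever a Set-Cookie header is present. It works on the plain [status, headers, body] triple, so it runs without the rack gem; the sample endpoint, the cookie value and the middleware name are constructed for the demo.

```ruby
# Added example: detect and neutralise "Set-Cookie + shared-cache directive"
# on a response. Constructed for this demo; not Rails or Active Storage code.

# Case-insensitive header lookup (Rack 2 uses "Set-Cookie", Rack 3 "set-cookie").
def header_value(headers, name)
  key = headers.keys.find { |k| k.to_s.casecmp?(name) }
  key && headers[key]
end

# Detection side: returns the findings for one response's headers.
# A shared cache may store the response when Cache-Control says "public"
# or carries an "s-maxage"; with Set-Cookie present that is a session leak.
def audit_cache_headers(headers)
  findings = []
  cc = header_value(headers, "cache-control").to_s
  if header_value(headers, "set-cookie") && cc =~ /\b(public|s-maxage)\b/i
    findings << :shared_cache_with_set_cookie
  end
  findings
end

# Mitigation side: a Rack-compatible middleware that rewrites the directive.
class NoSharedCacheWithCookies
  def initialize(app)
    @app = app
  end

  def call(env)
    status, headers, body = @app.call(env)
    if audit_cache_headers(headers).include?(:shared_cache_with_set_cookie)
      key = headers.keys.find { |k| k.to_s.casecmp?("cache-control") }
      # Keep the blob out of every shared cache; the browser may still use it.
      headers[key] = "private, no-store"
    end
    [status, headers, body]
  end
end

# Constructed sample endpoint that mimics the reported behaviour: a blob
# response carrying both a session cookie and a public cache directive.
LEAKY_BLOB_APP = lambda do |_env|
  [200,
   { "Content-Type" => "application/octet-stream",
     "Cache-Control" => "public, max-age=3600",
     "Set-Cookie" => "_session_id=CONSTRUCTED_VALUE; HttpOnly; Path=/" },
   ["blob bytes"]]
end

# Cache-Control as it leaves the middleware, for a given inner app.
def served_cache_control(app)
  _status, headers, _body = NoSharedCacheWithCookies.new(app).call({})
  header_value(headers, "Cache-Control")
end

if __FILE__ == $PROGRAM_NAME
  puts "findings: #{audit_cache_headers(LEAKY_BLOB_APP.call({})[1]).inspect}"
  puts "served:   #{served_cache_control(LEAKY_BLOB_APP)}"
end
```

The audit function is also usable on its own against captured response headers (for example from a proxy log), which is the quicker way to find out whether any endpoint in a deployment emits the combination before a caching layer has stored it.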
Severity: Low (resolved)
CVE-2024-43398: DoS vulnerability in REXML
Bug reported by L33thaxor was disclosed at April 27, 2025, 4:57 pm | Uncontrolled Resource Consumption
The CVE-2024-43398 vulnerability was a denial-of-service issue in the REXML library due to poor performance when parsing specially crafted XML. This vulnerability was addressed with a patch released by the Ruby team.

Severity: Medium (resolved)
Denial of Service by memory exhaustion in net/imap
Bug reported by Masamune was disclosed at April 27, 2025, 3:10 pm | Allocation of Resources Without Limits or Throttling
A vulnerability was discovered in the net-imap library that allowed denial of service by memory exhaustion. The vulnerability was caused by the library automatically reading and allocating memory for the size of "literal" strings sent by the server, without any limit on the size. This could be exploited by a malicious server to crash the program or make the system unstable.

Severity: High (resolved)
CVE-2025-24813: Remote Code Execution and/or Information disclosure and/or malicious content added to uploaded files via write enabled Default Servlet
Bug reported by sw0rd1ight was disclosed at April 27, 2025, 2:53 pm | Deserialization of Untrusted Data
The Apache Tomcat vulnerability CVE-2025-24813 allowed remote code execution and information disclosure. The vulnerability was caused by a combination of features, including writes enabled for the default servlet, support for partial PUT requests, and the use of Tomcat's file-based session persistence with the default storage location. If these conditions were met, a malicious user could have taken advantage of the vulnerability.

Severity: Medium (resolved)
[CVE-2025-27219] Denial of Service in CGI::Cookie.parse
Bug reported by Lio was disclosed at April 27, 2025, 2:27 pm | Uncontrolled Resource Consumption
A denial-of-service vulnerability was discovered in the `CGI::Cookie.parse` method of the Ruby cgi gem. The vulnerability was caused by the method taking super-linear time to parse a maliciously crafted cookie string. This could have led to service disruptions. The vulnerability was assigned the CVE identifier CVE-2025-27219.

Severity: Low (resolved)
CVE-2025-0725: Heap overflow in curl with Content-Encoding gzip and old libz versions
Bug reported by z2 was disclosed at April 27, 2025, 1:53 pm | Heap Overflow
A vulnerability was reported in the curl project, where a heap overflow could be triggered by a malicious HTTP server serving abnormally large gzip headers. The vulnerability was caused by an integer overflow in curl's support for old libz versions when the `Content-Encoding: gzip` header was used. The vulnerability was assigned the CVE identifier CVE-2025-0725 and was classified as low severity.

Severity: Medium (resolved)
Possible DoS by memory exhaustion in net/imap
Bug reported by Manu was disclosed at April 27, 2025, 1:45 pm | Uncontrolled Resource Consumption
The net-imap gem implemented an IMAP client in Ruby. Versions prior to 0.3.8, 0.4.19, and 0.5.6 contained a vulnerability that could lead to denial of service by memory exhaustion. The vulnerability was caused by the response parser using `Range#to_a` to convert `uid-set` data without limiting the expanded size of the ranges. This vulnerability has been assigned the CVE identifier CVE-2025-25186.
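Both net-imap entries above (the unbounded `literal` read and the unbounded `Range#to_a` expansion of `uid-set` data) share one fix principle: check a server-supplied size against a cap before allocating anything of that size. The following is an added example that is not the gem's own parser; it shows the unsafe `Range#to_a` pattern beside a bounded version, and a literal reader that checks the announced byte count first. The two caps (`MAX_EXPANDED_UIDS`, `MAX_LITERAL_BYTES`), the function names and the `*` restriction on sequence sets are assumptions for this demo, not values from net-imap.

```ruby
# Added example: bounding server-controlled sizes before allocating, the
# principle behind both net-imap fixes. Caps are assumed demo values, not
# the gem's constants. '*' in sequence-sets is deliberately not supported.
require 'stringio'

class UidSetTooLarge < StandardError; end
class LiteralTooLarge < StandardError; end

MAX_EXPANDED_UIDS = 10_000    # assumed cap on expanded uid-set elements
MAX_LITERAL_BYTES = 1_048_576 # assumed cap (1 MiB) on a single literal

UID_SET_RE = /\A\d+(:\d+)?(,\d+(:\d+)?)*\z/

# Parse "1:5,8,10:12" into Ruby Ranges without expanding them.
def parse_uid_set(uid_set)
  raise ArgumentError, "malformed uid-set: #{uid_set.inspect}" unless uid_set.match?(UID_SET_RE)
  uid_set.split(",").map do |part|
    lo, hi = part.split(":").map(&:to_i)
    hi ||= lo
    lo, hi = hi, lo if lo > hi   # RFC 3501 permits either order
    (lo..hi)
  end
end

# Unsafe pattern from the report: Range#to_a on server-chosen bounds, so
# "1:4294967295" tries to allocate billions of Integers before any check.
def expand_uid_set_unsafe(uid_set)
  parse_uid_set(uid_set).flat_map(&:to_a)
end

# Range#size on Integer ranges is arithmetic (O(1)), so the expanded size
# is known before a single element is allocated.
def expanded_uid_count(uid_set)
  parse_uid_set(uid_set).sum(&:size)
end

def expand_uid_set_safe(uid_set, max: MAX_EXPANDED_UIDS)
  n = expanded_uid_count(uid_set)
  raise UidSetTooLarge, "uid-set expands to #{n} elements (max #{max})" if n > max
  parse_uid_set(uid_set).flat_map(&:to_a)
end

# IMAP literal: "{N}\r\n" followed by exactly N bytes. The announced N is
# checked against the cap before read(N) allocates anything.
def read_literal(io, max: MAX_LITERAL_BYTES)
  header = io.readline
  m = header.match(/\A\{(\d+)\}\r?\n\z/)
  raise ArgumentError, "not a literal header: #{header.inspect}" unless m
  n = m[1].to_i
  raise LiteralTooLarge, "literal of #{n} bytes exceeds #{max}" if n > max
  data = io.read(n)
  raise EOFError, "short literal" if data.nil? || data.bytesize != n
  data
end

if __FILE__ == $PROGRAM_NAME
  puts "1:5,8,10:12 expands to #{expanded_uid_count('1:5,8,10:12')} uids"   # 9
  puts "1:4294967295 would expand to #{expanded_uid_count('1:4294967295')}"
  puts read_literal(StringIO.new("{5}\r\nhello"))                          # hello
end
```

Which cap is right depends on the client: a mail client that only ever fetches mailboxes of a few hundred thousand messages can reject anything larger outright, whereas a sync tool may prefer to iterate the Ranges lazily (they are already Enumerable) and never materialise the array at all.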