HackerOne Disclosed Reports - 2025-06-03 - Printable Version
Dark C0d3rs (https://darkcoders.wiki) > Forum: Exploit Log (https://darkcoders.wiki/Forum-Exploit-Log) > Forum: Research Papers/Vulnerability reports (https://darkcoders.wiki/Forum-Research-Papers-Vulnerability-reports) > Thread: HackerOne Disclosed Reports - 2025-06-03 (/Thread-HackerOne-Disclosed-Reports-2025-06-03)
HackerOne disclosed reports - 2025-06-03 - hashXploiter - 06-04-2025
Low | resolved
CVE-2025-5399: WebSocket endless loop
Bug reported by z2 was disclosed at June 4, 2025, 5:57 am | Loop with Unreachable Exit Condition ('Infinite Loop')
The function `curl_ws_send()` in libcurl contains an infinite loop that can be triggered by a malicious server under specific circumstances. The loop is caused by a condition in the code that is not properly handled, leading to the function failing to terminate. This vulnerability was discovered in the libcurl library on commit [12d13b84fa40aa657b83d5458944dbd9b978fb7e].

Critical | resolved
Server-Side Request Forgery (SSRF) via Game Export API
Bug reported by was disclosed at June 3, 2025, 12:56 pm | Server-Side Request Forgery (SSRF)
The Lichess game export API was found to be vulnerable to Server-Side Request Forgery (SSRF) due to insufficient input validation of the "players" parameter. This allowed an attacker to make the Lichess server send arbitrary HTTP requests to external URLs, potentially exposing sensitive information.

High | resolved
IDOR: Account Deletion via Session Misbinding – Attacker Can Delete Victim Account
Bug reported by Zephyrus was disclosed at June 3, 2025, 8:38 am | Insecure Direct Object Reference (IDOR)
A critical vulnerability was identified in the Firefox Accounts API that allowed an authenticated attacker to permanently delete any user's account by sending a `POST /v1/account/destroy` request using the attacker's session, but including the victim's email and password hash in the JSON payload. The server failed to verify that the session making the request belonged to the account being deleted.
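The session-misbinding check described in the last report, modelled as an added example (not Mozilla's Firefox Accounts code): a destroy handler that only validates the credentials in the JSON body beside one that also requires the session to be bound to the target account. Account records, session tokens and the `email`/`password_hash` field names are constructed assumptions.

```python
import hmac

# Constructed sample data (not real accounts): two users and one session
# that belongs to the "attacker" account only.
ACCOUNTS = {
    "victim@example.com": {"uid": "uid-victim", "password_hash": "hash-victim"},
    "attacker@example.com": {"uid": "uid-attacker", "password_hash": "hash-attacker"},
}
SESSIONS = {"sess-attacker": "uid-attacker"}


def _credentials_match(body):
    """Return the account record if the body's email/password_hash match, else None."""
    acct = ACCOUNTS.get(body.get("email", ""))
    if acct is None:
        return None
    if not hmac.compare_digest(acct["password_hash"], str(body.get("password_hash", ""))):
        return None
    return acct


def destroy_account_vulnerable(session_token, body):
    """Checks that the session exists and that the body's credentials are valid,
    but never checks that the session belongs to the account being destroyed."""
    if session_token not in SESSIONS:
        return 401, "invalid session"
    acct = _credentials_match(body)
    if acct is None:
        return 400, "bad credentials"
    # BUG: the account named in the body is destroyed regardless of whose session this is.
    return 200, acct["uid"]


def destroy_account_fixed(session_token, body):
    """Same checks, plus the binding the report says was missing: the session's
    uid must be the uid of the account named in the request body."""
    session_uid = SESSIONS.get(session_token)
    if session_uid is None:
        return 401, "invalid session"
    acct = _credentials_match(body)
    if acct is None:
        return 400, "bad credentials"
    if acct["uid"] != session_uid:
        # Session is authenticated but not bound to this account: refuse.
        return 403, "session not bound to account"
    return 200, acct["uid"]
```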