HackerOne Disclosed Reports - 2025-06-03


Low
resolved

CVE-2025-5399: WebSocket endless loop


Bug reported by z2 was disclosed on June 4, 2025, 5:57 am   |   Loop with Unreachable Exit Condition ('Infinite Loop')

The function `curl_ws_send()` in libcurl contains an infinite loop that can be triggered by a malicious server under specific circumstances. The loop is caused by a condition in the code that is not properly handled, leading to the function failing to terminate. This vulnerability was discovered in the libcurl library on commit [12d13b84fa40aa657b83d5458944dbd9b978fb7e].


Critical
resolved

Server-Side Request Forgery (SSRF) via Game Export API


Bug reported by was disclosed on June 3, 2025, 12:56 pm   |   Server-Side Request Forgery (SSRF)

The Lichess game export API was found to be vulnerable to Server-Side Request Forgery (SSRF) due to insufficient input validation of the "players" parameter. This allowed an attacker to make the Lichess server send arbitrary HTTP requests to external URLs, potentially exposing sensitive information.


High
resolved

IDOR: Account Deletion via Session Misbinding – Attacker Can Delete Victim Account


Bug reported by Zephyrus was disclosed on June 3, 2025, 8:38 am   |   Insecure Direct Object Reference (IDOR)

A critical vulnerability was identified in the Firefox Accounts API that allowed an authenticated attacker to permanently delete any user's account by sending a `POST /v1/account/destroy` request using the attacker's session, but including the victim's email and password hash in the JSON payload. The server failed to verify that the session making the request belonged to the account being deleted.

